Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17-12-2021 08:53
Static task: static1
Behavioral task: behavioral1
  Sample: UW802KASIOPSDUW.js
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: UW802KASIOPSDUW.js
  Resource: win10-en-20211208
General
Target: UW802KASIOPSDUW.js
Size: 54KB
MD5: 299e8af9cce953ee2750818f7cea2563
SHA1: a00478a0927d2b61d1693b6002e6c1a88abe8252
SHA256: e051971136e18efd26174bd5641abfd2c687865c6790c9a9ea1582288b8f956b
SHA512: 226d841bcb3d598f961dbeaa19d57290fabcadf679210ed7ade3e8e5d805664e22c2ce16c9d252d67e8a5cc05c7b1f494c121c555f0c0ab5a6c4da8d3c315340
Malware Config
Extracted configuration
  Family: vjw0rm
  C2: http://decebermoney.duckdns.org:8020
Signatures

Blocklisted process makes network request (1 IoC)
  Processes:
    flow 5 | pid 1448 | process wscript.exe

Drops startup file (2 IoCs)
  Processes (wscript.exe):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UW802KASIOPSDUW.js
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UW802KASIOPSDUW.js

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (wscript.exe):
    Key created: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\E80VDBUI3I = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\UW802KASIOPSDUW.js\""

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (wscript.exe):
    PID 1448 (wscript.exe) wrote to memory of PID 1624 (schtasks.exe)
    PID 1448 (wscript.exe) wrote to memory of PID 1624 (schtasks.exe)
    PID 1448 (wscript.exe) wrote to memory of PID 1624 (schtasks.exe)
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\UW802KASIOPSDUW.js
   Signatures:
     - Blocklisted process makes network request
     - Drops startup file
     - Adds Run key to start application
     - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\schtasks.exe (child of 1)
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\UW802KASIOPSDUW.js
      Signatures:
        - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory/1624-55-0x0000000000000000-mapping.dmp