Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 23-12-2021 08:27

- Static task: static1
- Behavioral task: behavioral1
  - Sample: UPS 1ZF1939R0198605672.js
  - Resource: win7-en-20211208
- Behavioral task: behavioral2
  - Sample: UPS 1ZF1939R0198605672.js
  - Resource: win10-en-20211208
General
- Target: UPS 1ZF1939R0198605672.js
- Size: 85KB
- MD5: cecc5ef246b78035fd37775f6a09424e
- SHA1: a7f6ca9e2ecea0a8a7dacabbdaecfe3659497f6e
- SHA256: 3455386680d2443e47c0931ec1ffc3f1db1f1744dd0b35d66d6a8d66f976e7d4
- SHA512: df92e9c94c02bc6cf2c8d7701a5bbfd637a0516fe5c8f209f416e290e4d5fcc6aa37e0cd50e8044db74599c16380f49138b451516f98ce0bf5f990e553dc83b1
Malware Config
Extracted:
- Family: vjw0rm
- C2: http://spdxx.ddns.net:5050
Signatures
- Blocklisted process makes network request (7 IoCs)
  Processes: wscript.exe, wscript.exe

  | flow | pid  | process     |
  |------|------|-------------|
  | 10   | 2656 | wscript.exe |
  | 11   | 1832 | wscript.exe |
  | 29   | 1832 | wscript.exe |
  | 31   | 1832 | wscript.exe |
  | 35   | 1832 | wscript.exe |
  | 36   | 1832 | wscript.exe |
  | 37   | 1832 | wscript.exe |

- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe

  | description                 | ioc | process     |
  |-----------------------------|-----|-------------|
  | File created                | `C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wQtCVbovFT.js` | wscript.exe |
  | File opened for modification | `C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wQtCVbovFT.js` | wscript.exe |
  | File created                | `C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPS 1ZF1939R0198605672.js` | wscript.exe |
  | File opened for modification | `C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPS 1ZF1939R0198605672.js` | wscript.exe |

- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: wscript.exe, wscript.exe

  | description     | ioc | process     |
  |-----------------|-----|-------------|
  | Key created     | `\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run` | wscript.exe |
  | Set value (str) | `\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\R4J2SBXQ4G = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\UPS 1ZF1939R0198605672.js\""` | wscript.exe |
  | Key created     | `\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run` | wscript.exe |
  | Set value (str) | `\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\wQtCVbovFT.js\""` | wscript.exe |

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe

  | description                      | pid  | process     | target process |
  |----------------------------------|------|-------------|----------------|
  | PID 2656 wrote to memory of 1832 | 2656 | wscript.exe | wscript.exe    |
  | PID 2656 wrote to memory of 1832 | 2656 | wscript.exe | wscript.exe    |
  | PID 2656 wrote to memory of 804  | 2656 | wscript.exe | schtasks.exe   |
  | PID 2656 wrote to memory of 804  | 2656 | wscript.exe | schtasks.exe   |
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: `wscript.exe "C:\Users\Admin\AppData\Local\Temp\UPS 1ZF1939R0198605672.js"`
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\wscript.exe (depth 2)
  Command line: `"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\wQtCVbovFT.js"`
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
- C:\Windows\System32\schtasks.exe (depth 2)
  Command line: `"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\UPS 1ZF1939R0198605672.js`
  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\wQtCVbovFT.js
  - MD5: 3eafd1013a7470f51158442dacc7479d
  - SHA1: d31e8864e972f7866b2551ae64d4165fbda7e6cd
  - SHA256: 130f520fe9f2e01ec06f61e2390ae8babaa3b616be04be6c676284d963e334b2
  - SHA512: 9cbce6303ca77d6b4da1de93ecb5b7ec78cce368b31da494cf165ebfc13d5db72f732925ce7fc3f8af6ba5d2dca01cb86b40d225db2c91bedfcf65a561386b0b
- memory/804-117-0x0000000000000000-mapping.dmp
- memory/1832-115-0x0000000000000000-mapping.dmp