Analysis

max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-en-20211208
submitted: 25-01-2022 15:12
Tasks

Static task: static1
Behavioral task: behavioral1 (Sample: RY003.js, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: RY003.js, Resource: win10-en-20211208)
General

Target: RY003.js
Size: 14KB
MD5: d8f874bd74588107bfd3f3acc68991d8
SHA1: 5ac811daadc0c9f7bd0b0fc53fe03f17585dc1c4
SHA256: 3dc741895be0ad6dd1f03d38488bbdf1d5f48517cb51de782639c4036c46d128
SHA512: 8e8027a0cd90ddf18db59946f4786d651b300bae29a0494ecf0e4b56910d92feab1ac9f38f687d793e5fa54ee00fedcdfae2d1655d96f5845605984e9b0714e4
Malware Config

Extracted family: vjw0rm
C2: http://moneyworm6.duckdns.org:1996
The C2 is a DuckDNS dynamic-DNS hostname on TCP port 1996, which is worth blocking at the egress proxy and alerting on in DNS logs; the hostname can be re-pointed at any IP by the operator, so the name, not the resolved address, is the durable indicator.
Signatures

Blocklisted process makes network request (1 IoC)
  flow 5, PID 844, wscript.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RY003.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RY003.js (wscript.exe)
  The script copies itself into the per-user Startup folder, so it runs again at every logon of this user without needing elevation.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVQOUV4OK4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RY003.js\"" (wscript.exe)
  This is the HKCU Run key of the logged-on user (SID ending -1000). The value name BVQOUV4OK4 is a random-looking string and the data points back at the original drop location under %TEMP%, so the script restarts from there at the next logon.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for a vjw0rm sample it is more consistent with the family's spreading over removable drives, and nothing else in this report indicates file encryption.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task (see Processes) is named Skype to blend in and re-runs the script from %TEMP% every 30 minutes.

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 844 (wscript.exe) wrote to memory of PID 852 (schtasks.exe), reported three times.
  All three writes go from the parent into its own freshly created child around process creation; on their own they are not evidence of code injection into an unrelated process.
Processes

C:\Windows\system32\wscript.exe (PID 844)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\RY003.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\System32\schtasks.exe (PID 852, child of 844)
      command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\RY003.js
      - Creates scheduled task(s)
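The three persistence entries above (Startup-folder copy, HKCU Run value, schtasks job) plus the extracted C2 are what an analyst lifts out of a report like this first. The Python below is an added example, not code from the Triage report or from the sample: it parses a constructed excerpt of this page's report lines, unescapes the REG_SZ data of the Run value, splits the schtasks command line into its switches, and flags every persistence target that is a script in a user-writable directory. The SCRIPT_EXT and USER_WRITABLE heuristics are assumptions, as is the closing quote added to the /tr argument in the excerpt so that the line tokenizes.

```python
"""Persistence triage over the sandbox report above.

Added example, not code from the Triage report or from the sample. It lifts
the extracted C2 and the three persistence entries (Startup-folder copy,
HKCU Run value, schtasks job) out of the report text and flags every
persistence target that is a script sitting in a user-writable directory.
REPORT is a constructed excerpt of this page's lines; the closing quote on
the schtasks /tr argument is added here (assumption) so the line tokenizes.
"""
import re

REPORT = r'''
Extracted vjw0rm http://moneyworm6.duckdns.org:1996
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RY003.js wscript.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVQOUV4OK4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RY003.js\"" wscript.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\RY003.js"
'''

# Assumed heuristics: script-host extensions and directories a standard user can write to.
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1")
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")

C2_RE = re.compile(r"^Extracted\s+(?P<family>\S+)\s+(?P<url>\S+)", re.M)
STARTUP_RE = re.compile(r"^File created (?P<path>.+?\\Startup\\\S+)", re.M)
RUN_KEY_RE = re.compile(
    r'^Set value \(str\) (?P<key>\S+)\\(?P<name>[^\\\s]+) = "(?P<data>.*)"', re.M)
RUN_KEY_TAIL = re.compile(r"\\currentversion\\run(once)?$", re.I)


def tokenize_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Return schtasks switches as a dict: a switch followed by a non-switch token
    takes that token as its value, a bare switch maps to True. Empty dict if the
    command line is not schtasks.exe."""
    toks = tokenize_cmdline(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return {}
    opts, i = {}, 1
    while i < len(toks):
        switch = toks[i].lower()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[switch], i = toks[i + 1], i + 2
        else:
            opts[switch], i = True, i + 1
    return opts


def unescape_reg_string(data: str) -> str:
    """Undo the report's C-style escaping of a REG_SZ value and strip the outer quotes."""
    return data.replace('\\\\', '\\').replace('\\"', '"').strip('"')


def is_suspicious_target(path: str) -> bool:
    """A script-host extension or a user-writable directory marks the target as suspect."""
    p = path.lower()
    return p.endswith(SCRIPT_EXT) or any(d in p for d in USER_WRITABLE)


def triage(report: str) -> dict:
    """Extract the C2 and every persistence entry from the report text."""
    out = {"family": None, "c2": None, "persistence": []}
    m = C2_RE.search(report)
    if m:
        out["family"], out["c2"] = m["family"], m["url"]
    for m in STARTUP_RE.finditer(report):
        out["persistence"].append({"via": "startup_folder", "target": m["path"],
                                   "suspicious": is_suspicious_target(m["path"])})
    for m in RUN_KEY_RE.finditer(report):
        if not RUN_KEY_TAIL.search(m["key"]):
            continue  # a string value under some other key is not autostart
        target = unescape_reg_string(m["data"])
        out["persistence"].append({"via": "run_key", "name": m["name"], "target": target,
                                   "suspicious": is_suspicious_target(target)})
    for line in report.splitlines():
        opts = parse_schtasks(line)
        if opts.get("/create") and "/tr" in opts:
            out["persistence"].append({
                "via": "schtasks", "name": opts.get("/tn"), "target": opts["/tr"],
                "schedule": f"{opts.get('/sc')}/{opts.get('/mo')}",
                "suspicious": is_suspicious_target(opts["/tr"])})
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT), indent=2))
```

On this excerpt all three entries come back flagged, because each one re-launches a .js file from %TEMP% or from the user's roaming profile; a legitimate scheduled task or Run value normally points at a signed binary under Program Files or the Windows directory, which is why the path heuristic rather than the task or value name (here the innocuous-looking "Skype" and a random string) is the useful discriminator.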
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

memory/844-61-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp (Filesize: 8KB)