Analysis
- Max time kernel: 51s
- Max time network: 60s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 27-01-2022 17:38
- Static task: static1
- Behavioral task behavioral1: sample YSOKNUOW.js, resource win7-en-20211208
- Behavioral task behavioral2: sample YSOKNUOW.js, resource win10-en-20211208
General
- Target: YSOKNUOW.js
- Size: 13KB
- MD5: bda43336bf6249a4e667d207d62cc910
- SHA1: 9dc42b7d9dfd2b3f5a22e71abb0106fdc736bf4a
- SHA256: 9b1f2d3e06f9a6299287c531f007e1f2a38fd1d5af3481e7f6be24475495567d
- SHA512: af80aa64ca5d29d5f1839b38330a158507faac2ec305242d94d4c041da65c8b8a8ed8c927e1cd6e1383f1fe1335a814c6d28b1bbc366e3de3d9898478edd1650
Malware Config
- Extracted family: vjw0rm
- C2: http://jdfodl45.duckdns.org:9032
  duckdns.org is a free dynamic DNS service, so the operator can repoint this hostname at any time; hunt and block on the full hostname and port, not only on whatever IP it resolved to during the run.
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 5, pid 1888, wscript.exe
  The script host itself is the process opening the connection, which matches the vjw0rm C2 extracted above.
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YSOKNUOW.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YSOKNUOW.js (wscript.exe)
  The sample copies itself into the per-user Startup folder, so it is re-executed at every interactive logon of this user.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\ABR5SI7DKX = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\YSOKNUOW.js\"" (wscript.exe)
  The value data is the quoted path of the original script in the user's Temp directory (the report renders the backslashes escaped). The value name ABR5SI7DKX is a random-looking string, like the sample filename itself, so hunt on the value data (a script-host file under AppData) rather than on the name.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That second sentence is the sandbox's generic text for this signature. vjw0rm is a worm that propagates through removable drives, so drive enumeration from this family is more consistent with spreading than with encryption; check removable media that was attached to the infected host.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named Skype and re-runs the script every 30 minutes (see the process tree below).
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1888 (wscript.exe) wrote to memory of PID 828 (schtasks.exe), recorded three times.
  The target is the child that wscript.exe spawns in the process tree below, so these writes are consistent with ordinary child-process creation rather than injection into an unrelated process.
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\YSOKNUOW.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (child of wscript.exe)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\YSOKNUOW.js
    - Creates scheduled task(s)
    The closing quote of the /tr argument is absent in the captured command line; it is shown here exactly as recorded.
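The three persistence artefacts above (the Run key, the Startup-folder copy and the schtasks task) are what a detection engineer would key on. The following is an added example for this page, not sandbox output and not code from the sample: a small Python triage routine that parses a schtasks /create command line (tolerating the unterminated /tr quote exactly as captured above), checks whether each persistence target is a script-host file under a user-writable AppData path, and reports which mechanisms were used. The event records, their field names and the benign control task are constructed for the example and do not follow any real EDR schema.

```python
"""Persistence triage over telemetry shaped like this report's IoCs.

Added example for this page, not sandbox output and not code from the
sample. Event records, field names and the benign control entry are
constructed; real EDR schemas differ.
"""
import re

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Any path under <drive>:\Users\<name>\AppData\... is user-writable.
USER_APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def win_split(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.

    An unterminated quote (as in the schtasks line captured above) runs to
    the end of the string instead of being treated as an error.
    """
    args, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks_create(cmdline):
    """Return {switch: value} for a 'schtasks /create' line, else None.

    Switch names are lower-cased; bare flags such as /f map to None.
    """
    args = win_split(cmdline)
    if not args:
        return None
    exe = args[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    switches, i = {}, 1
    while i < len(args):
        if args[i].startswith("/"):
            key = args[i].lower()
            if i + 1 < len(args) and not args[i + 1].startswith("/"):
                switches[key] = args[i + 1]
                i += 2
            else:
                switches[key] = None
                i += 1
        else:
            i += 1
    return switches if "/create" in switches else None


def script_in_user_dir(path):
    """True if path is a script-host file under a user's AppData tree."""
    p = path.strip('"')
    return p.lower().endswith(SCRIPT_EXT) and bool(USER_APPDATA.search(p))


def triage(events):
    """Return (mechanism, name, target) for each persistence artefact found."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            task = parse_schtasks_create(ev["cmdline"])
            if task and script_in_user_dir(task.get("/tr") or ""):
                findings.append(("schtasks", task.get("/tn"), task["/tr"]))
        elif ev["type"] == "registry":
            if ev["key"].lower().endswith("\\currentversion\\run") and script_in_user_dir(ev["data"]):
                findings.append(("run_key", ev["name"], ev["data"].strip('"')))
        elif ev["type"] == "file":
            low = ev["path"].lower()
            if "\\start menu\\programs\\startup\\" in low and low.endswith(SCRIPT_EXT):
                findings.append(("startup_folder", ev["path"].rsplit("\\", 1)[-1], ev["path"]))
    return findings


def persistence_mechanisms(findings):
    """Distinct mechanisms in use; all three at once is a strong worm/RAT signal."""
    return sorted({mech for mech, _, _ in findings})


# Constructed telemetry modelled on the IoCs in the report above, plus one
# benign scheduled task as a control. Not real log output.
EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\system32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\YSOKNUOW.js'},
    {"type": "registry", "image": r"C:\Windows\system32\wscript.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "ABR5SI7DKX", "data": r'"C:\Users\Admin\AppData\Local\Temp\YSOKNUOW.js"'},
    {"type": "file", "image": r"C:\Windows\system32\wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YSOKNUOW.js"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe" /f'},
]

if __name__ == "__main__":
    for mech, name, target in triage(EVENTS):
        print(f"{mech:15} {name:12} -> {target}")
    print("mechanisms:", persistence_mechanisms(triage(EVENTS)))
```

The benign Backup task is not reported because its action is an executable outside any user's AppData tree; the sample's three artefacts are, and together they give the verdict a single signature alone would not.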
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1888-60-0x000007FEFC511000-0x000007FEFC513000-memory.dmp (8KB): memory region dumped from pid 1888 (wscript.exe)