Analysis
max time kernel: 4294211s
max time network: 154s
platform: windows7_x64
resource: win7-20220311-en
submitted: 18-03-2022 19:11
Static task: static1
Behavioral task: behavioral1
  Sample: Order receipt #FRI-1605398-SCA.js
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: Order receipt #FRI-1605398-SCA.js
  Resource: win10v2004-en-20220113
General
Target: Order receipt #FRI-1605398-SCA.js
Size: 65KB
MD5: ff61c1c6da0d2cda1e41e2871eb1160d
SHA1: 2bd6450b5c6b0bf1404c596e6b97cda3b73bc1bb
SHA256: d7ef41fdbc0215ff6a62eaf607d75a8d5eb29cb505b367c5e285de5283c8b324
SHA512: 03d753802d5a3832b932340e311e1e33a5f5f2ffa4113f0767eca58324a533505a91b39479db10a842d66a1eb88c53db6946581ab033c112447efd88f1da4a69
Malware Config
Extracted
Family: vjw0rm
C2: http://shizzlenjworm.duckdns.org:1605
The C2 host is a DuckDNS dynamic-DNS name, so the IP it resolves to can change at any time; block or alert on the hostname (and on the non-standard port 1605), not on a resolved address captured during this run.
Signatures
- Blocklisted process makes network request (19 IoCs)
  flow  pid   process
  8     1068  wscript.exe
  9     1608  wscript.exe
  10    1068  wscript.exe
  12    1068  wscript.exe
  15    1068  wscript.exe
  16    1068  wscript.exe
  18    1068  wscript.exe
  21    1068  wscript.exe
  23    1068  wscript.exe
  24    1068  wscript.exe
  27    1068  wscript.exe
  29    1068  wscript.exe
  31    1068  wscript.exe
  33    1068  wscript.exe
  35    1068  wscript.exe
  37    1068  wscript.exe
  39    1068  wscript.exe
  41    1068  wscript.exe
  43    1068  wscript.exe
  Only flow 9 belongs to the initial wscript.exe (PID 1608); the other 18 flows come from PID 1068, the relaunched copy running from %APPDATA%, which is the process that does the beaconing.
- Drops startup file (4 IoCs)
  description                   ioc                                                                                                 process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdmhaxiiDw.js          wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdmhaxiiDw.js          wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order receipt #FRI-1605398-SCA.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order receipt #FRI-1605398-SCA.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                              process
  Key created      \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run                                        wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\fdmhaxiiDw.js\""  wscript.exe
  The value name (00FAYTSXGU) and the dropped file name (fdmhaxiiDw.js) look randomly generated, so they are unlikely to match on another infection; detection should key on the pattern instead: an HKCU Run value whose data is a .js file under %APPDATA%, written by wscript.exe. Together with the two Startup-folder copies above, the sample installs persistence twice (Run key plus Startup folder), so cleanup has to remove both.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "Likely ransomware behaviour", but for a sample whose extracted config identifies it as vjw0rm the drive enumeration is consistent with the worm's removable-drive spreading rather than with file encryption; no encryption activity is reported in this run.
- Suspicious use of WriteProcessMemory (3 IoCs)
  description       pid   process      target process
  PID 1608 wrote to memory of 1068   1608  wscript.exe  wscript.exe
  PID 1608 wrote to memory of 1068   1608  wscript.exe  wscript.exe
  PID 1608 wrote to memory of 1068   1608  wscript.exe  wscript.exe
  All three writes are from the initial wscript.exe (PID 1608) into the copy it launches (PID 1068), which is consistent with the parent setting up its own child at process creation rather than with injection into an unrelated process.
Processes
1. C:\Windows\system32\wscript.exe (PID 1608)
   wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order receipt #FRI-1605398-SCA.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (PID 1068, child of PID 1608)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fdmhaxiiDw.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
The chain is: the user opens the .js from Temp, it drops a copy to %APPDATA%\fdmhaxiiDw.js and relaunches itself from there with //B. //B is Windows Script Host batch mode, which suppresses script error dialogs and prompts, so the relaunched copy fails silently instead of alerting the user. wscript.exe spawning wscript.exe with //B on a script under %APPDATA% is the most useful single detection point in this tree.
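The persistence chain and process tree above can be turned into detection logic. The following is an added example, not part of the sandbox report or of any vendor's code: it replays constructed Sysmon-style events (paths, PIDs, registry key and C2 host are taken from the report; parent PIDs, the benign logon-script event and the dynamic-DNS suffix list are assumptions) through rules for each behaviour listed in the signatures section: wscript.exe started with //B on a script under %APPDATA%, a script dropped into the Startup folder, a Run value pointing at a script under %APPDATA%, wscript spawning wscript, and a connection to a dynamic-DNS host.

```python
"""Detection logic for the VJW0rm persistence chain listed in this report.

Added example, not part of the sandbox report. Event shape and ppids are
assumptions; paths, PIDs, registry key and C2 host come from the report.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str    # "process", "file", "registry" or "network"
    pid: int     # process that produced the event
    ppid: int    # its parent (constructed; the report does not list ppids)
    image: str   # image path of that process
    detail: str  # command line, file path, "key = value" or "host:port"


# Constructed sample events modelled on the report's process tree and IoCs.
SAMPLE_EVENTS = [
    Event("process", 1608, 1400, r"C:\Windows\system32\wscript.exe",
          r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order receipt #FRI-1605398-SCA.js"'),
    Event("file", 1608, 1400, r"C:\Windows\system32\wscript.exe",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdmhaxiiDw.js"),
    Event("process", 1068, 1608, r"C:\Windows\System32\wscript.exe",
          r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fdmhaxiiDw.js"'),
    Event("registry", 1068, 1608, r"C:\Windows\System32\wscript.exe",
          r'\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\fdmhaxiiDw.js\""'),
    Event("network", 1068, 1608, r"C:\Windows\System32\wscript.exe",
          "shizzlenjworm.duckdns.org:1605"),
    # Benign noise (assumed): a logon script from a system path, no //B, not under AppData.
    Event("process", 2210, 600, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Windows\System32\GroupPolicy\logon.vbs"'),
]

SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
BATCH_FLAG = re.compile(r"(^|\s)//?b(\s|$)", re.IGNORECASE)   # wscript //B or /B
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Dynamic-DNS suffixes to flag; duckdns.org is the one in this report, the list is an example.
DYN_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")


def is_script_host(image: str) -> bool:
    return image.lower().endswith(("\\wscript.exe", "\\cscript.exe"))


def under_appdata(path: str) -> bool:
    # Works on plain paths and on the doubled backslashes of a registry string value.
    return "\\appdata\\" in path.lower()


def detect(events):
    """Return (pid, rule_name) tuples in the order the events trigger them."""
    findings = []
    script_host_pids = set()
    for ev in events:
        d = ev.detail
        if ev.kind == "process" and is_script_host(ev.image):
            script_host_pids.add(ev.pid)
            if BATCH_FLAG.search(d) and SCRIPT_EXT.search(d) and under_appdata(d):
                findings.append((ev.pid, "wscript_hidden_appdata_script"))
            if ev.ppid in script_host_pids:
                findings.append((ev.pid, "wscript_spawns_wscript"))
        elif ev.kind == "file" and STARTUP_DIR.search(d) and SCRIPT_EXT.search(d):
            findings.append((ev.pid, "startup_folder_script"))
        elif ev.kind == "registry" and RUN_KEY.search(d):
            _key, _, value = d.partition(" = ")
            if SCRIPT_EXT.search(value) and under_appdata(value):
                findings.append((ev.pid, "run_key_script"))
        elif ev.kind == "network":
            host = d.rsplit(":", 1)[0].lower()
            if host.endswith(DYN_DNS_SUFFIXES):
                findings.append((ev.pid, "dynamic_dns_c2"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

The rules deliberately ignore the random names (00FAYTSXGU, fdmhaxiiDw.js) and match on structure: script host, //B, %APPDATA%, Startup folder, Run key, dynamic DNS. The benign logon-script event produces no finding, and PID 1068 is flagged by four independent rules, which is what lets an analyst rank it above an isolated wscript launch.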
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\fdmhaxiiDw.js
MD5: b1dc63a5f5b0b666d5fd1222c6f4c61d
SHA1: 2bf40939b3130290f1fca605f0e345db2e6825f0
SHA256: 52249591a3dce5c98c073eef7761ce4e727c57c246e5b3fe578bfa9b633b1e6e
SHA512: 4eda9e99f75d4d8a1d46137a5219ebf59ab00dbb7d49bbf21841f39fda9cbfca4a82c0c4da97e7471fd9a5b69ae8deb81a5bde0cc0e3001e7ac03a654679e186
The dropped %APPDATA% copy hashes differently from the submitted sample (MD5 ff61c1c6... vs b1dc63a5...), so it is not a byte-for-byte copy; hash-based blocking needs both values, and the sample's own hash alone will not catch the persisted file.

memory/1608-54-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp
Filesize: 8KB