Analysis
max time kernel: 148s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 18-03-2022 19:11
Static task: static1
Behavioral task: behavioral1
  Sample: Order receipt #FRI-1605398-SCA.js
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: Order receipt #FRI-1605398-SCA.js
  Resource: win10v2004-en-20220113
General
Target: Order receipt #FRI-1605398-SCA.js
Size: 65KB
MD5: ff61c1c6da0d2cda1e41e2871eb1160d
SHA1: 2bd6450b5c6b0bf1404c596e6b97cda3b73bc1bb
SHA256: d7ef41fdbc0215ff6a62eaf607d75a8d5eb29cb505b367c5e285de5283c8b324
SHA512: 03d753802d5a3832b932340e311e1e33a5f5f2ffa4113f0767eca58324a533505a91b39479db10a842d66a1eb88c53db6946581ab033c112447efd88f1da4a69
Malware Config
Extracted
  vjw0rm
  http://shizzlenjworm.duckdns.org:1605
Signatures

Blocklisted process makes network request (11 IoCs)
Processes: wscript.exe, wscript.exe
  flow  pid   process
  7     2564  wscript.exe
  8     3416  wscript.exe
  19    3416  wscript.exe
  37    3416  wscript.exe
  42    3416  wscript.exe
  46    3416  wscript.exe
  47    3416  wscript.exe
  48    3416  wscript.exe
  49    3416  wscript.exe
  53    3416  wscript.exe
  54    3416  wscript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  wscript.exe

Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
  description                  ioc                                                                                                        process
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order receipt #FRI-1605398-SCA.js  wscript.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order receipt #FRI-1605398-SCA.js  wscript.exe
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdmhaxiiDw.js                     wscript.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdmhaxiiDw.js                     wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe
  description      ioc                                                                                                                                                      process
  Key created      \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run                                              wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\fdmhaxiiDw.js\""  wscript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: wscript.exe
  description                       pid   process      target process
  PID 2564 wrote to memory of 3416  2564  wscript.exe  wscript.exe
  PID 2564 wrote to memory of 3416  2564  wscript.exe  wscript.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order receipt #FRI-1605398-SCA.js"
   PID: 2564
   - Blocklisted process makes network request
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (child of PID 2564)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fdmhaxiiDw.js"
      PID: 3416
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\fdmhaxiiDw.js
  MD5: b1dc63a5f5b0b666d5fd1222c6f4c61d
  SHA1: 2bf40939b3130290f1fca605f0e345db2e6825f0
  SHA256: 52249591a3dce5c98c073eef7761ce4e727c57c246e5b3fe578bfa9b633b1e6e
  SHA512: 4eda9e99f75d4d8a1d46137a5219ebf59ab00dbb7d49bbf21841f39fda9cbfca4a82c0c4da97e7471fd9a5b69ae8deb81a5bde0cc0e3001e7ac03a654679e186