Analysis
Max time kernel: 4294201s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20220311-en
Submitted: 19-03-2022 16:55
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: order_receipt.js
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: order_receipt.js
  Resource: win10v2004-20220310-en
General
Target: order_receipt.js
Size: 11KB
MD5: 69f29cd9961eea44bdf9ac54d34dc1c4
SHA1: 8b603318d383c298e6613fda82f15fa88cc25fa8
SHA256: 14516968b1e01bd308c319bde2d4cdba32bf37f07d9e5f003ebc5b1bb1059d71
SHA512: ed7b5708c0be99b93225e47ded369195ccef8ee8da4a8b7d775ed195be6a4d5f2c6385ef2f625bb3230e4a9369c339261a22d8799fdf55bced1c78bfe9b54d50
Malware Config
Extracted family: vjw0rm
C2: http://zeegod.duckdns.org:9001
Signatures
- Blocklisted process makes network request (1 IoC)
  Process: wscript.exe (flow 5, PID 852)
- Drops startup file (2 IoCs)
  wscript.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\order_receipt.js
  wscript.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\order_receipt.js
- Adds Run key to start application (2 TTPs, 2 IoCs)
  wscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\LMOXHX511V = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\order_receipt.js\""
  wscript.exe: Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 852 (wscript.exe) wrote to memory of PID 1176 (wscript.exe), 3 occurrences
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\order_receipt.js
   Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\XaoShGXEdx.js"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\XaoShGXEdx.js
MD5: 14742214ca98f7af7f89d7f7a4f4fc83
SHA1: 001da8065d28762e93641630125121f14aedceb0
SHA256: 863db6134cb55a376494668bc17b6a70e905eccb98c340af8a85cb29af76c15c
SHA512: 0da618574424c1c24afbc317232b74ea9f37313aea1bbbfd517d089d4088489e3747a0f43e5167dfd8a7f78252bb9a4512050829fec62ce6747e0fac7c8e8f67