Analysis
- max time kernel: 4294363s
- max time network: 318s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 19-03-2022 17:05

Static task: static1

Behavioral task: behavioral1
- Sample: 14516968b1e01bd308c319bde2d4cdba32bf37f07d9e5f003ebc5b1bb1059d71.js
- Resource: win7-20220310-en

Behavioral task: behavioral2
- Sample: 14516968b1e01bd308c319bde2d4cdba32bf37f07d9e5f003ebc5b1bb1059d71.js
- Resource: win10v2004-20220310-en
General
- Target: 14516968b1e01bd308c319bde2d4cdba32bf37f07d9e5f003ebc5b1bb1059d71.js
- Size: 11KB
- MD5: 69f29cd9961eea44bdf9ac54d34dc1c4
- SHA1: 8b603318d383c298e6613fda82f15fa88cc25fa8
- SHA256: 14516968b1e01bd308c319bde2d4cdba32bf37f07d9e5f003ebc5b1bb1059d71
- SHA512: ed7b5708c0be99b93225e47ded369195ccef8ee8da4a8b7d775ed195be6a4d5f2c6385ef2f625bb3230e4a9369c339261a22d8799fdf55bced1c78bfe9b54d50
Malware Config
Extracted
- Family: vjw0rm
- C2: http://zeegod.duckdns.org:9001
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow | pid | process
  5 | 1072 | wscript.exe
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\14516968b1e01bd308c319bde2d4cdba32bf37f07d9e5f003ebc5b1bb1059d71.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\14516968b1e01bd308c319bde2d4cdba32bf37f07d9e5f003ebc5b1bb1059d71.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\LMOXHX511V = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\14516968b1e01bd308c319bde2d4cdba32bf37f07d9e5f003ebc5b1bb1059d71.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour, but nothing in this report shows file encryption; vjw0rm is a worm known to spread by copying itself to removable drives, so for this sample drive enumeration is better read as USB propagation. Treat any removable media attached to an infected host as potentially carrying a copy of the script.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 1072 wrote to memory of 412 | 1072 | wscript.exe | wscript.exe
  (the same 1072 -> 412 write is recorded three times)
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\14516968b1e01bd308c319bde2d4cdba32bf37f07d9e5f003ebc5b1bb1059d71.js
   PID: 1072
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (child of PID 1072)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\XaoShGXEdx.js"
      PID: 412
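The behaviour recorded in the signatures and process tree above (a Run value that launches a script from a user-writable path, a script dropped into the per-user Startup folder, wscript.exe spawning a second wscript.exe in //B batch mode on a script under AppData\Roaming, and a C2 on a dynamic-DNS host) is the kind of pattern a detection engineer turns into rules. The following is an added Python example, not code from the sandbox report or from the vjw0rm sample: the event records are constructed from the report's IoCs in a Sysmon-like shape (event IDs 1, 11 and 13; the field names image, target, details, cmdline and parent_image are this example's choice), two benign control events are invented, and the rule names are this example's own.

```python
"""Detection rules for the persistence and process-chain IoCs in this report.

Added example, not code from the sandbox report or from the vjw0rm sample.
Event shape and field names follow Sysmon conventions (IDs 1, 11, 13); the
rule names and the sample events are this example's own construction.
"""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations an unprivileged user can write to; a persisted script there is suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")

SID = "S-1-5-21-2932610838-281738825-1127631353-1000"
RUN_KEY = "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE = "14516968b1e01bd308c319bde2d4cdba32bf37f07d9e5f003ebc5b1bb1059d71.js"

# Constructed events: the first three mirror the report, the last two are benign controls.
EVENTS = [
    {"id": 13, "image": r"C:\Windows\system32\wscript.exe",
     "target": RUN_KEY + "\\LMOXHX511V",
     "details": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'},
    {"id": 11, "image": r"C:\Windows\system32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" + "\\" + SAMPLE},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": '"C:\\Windows\\System32\\wscript.exe" //B "C:\\Users\\Admin\\AppData\\Roaming\\XaoShGXEdx.js"'},
    {"id": 13, "image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "target": RUN_KEY + "\\OneDrive",
     "details": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'wscript.exe "C:\\Scripts\\logon.vbs"'},
]


def split_cmdline(cmdline):
    """Tokenise a Windows command line, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_script(path):
    return PureWindowsPath(path).suffix.lower() in SCRIPT_EXTS


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def script_in_value(value):
    """First script-host file referenced in a registry value or command line, if any."""
    return next((tok for tok in split_cmdline(value) if is_script(tok)), None)


def check_run_key(ev):
    """Sysmon 13: Run value that launches a script from a user-writable directory."""
    if ev["id"] != 13 or "\\currentversion\\run\\" not in ev["target"].lower():
        return None
    script = script_in_value(ev["details"])
    if script and user_writable(script):
        return {"rule": "run_key_script", "ioc": ev["target"].rsplit("\\", 1)[1], "path": script}
    return None


def check_startup_drop(ev):
    """Sysmon 11: script written into the per-user Startup folder."""
    if ev["id"] == 11 and "\\start menu\\programs\\startup\\" in ev["target"].lower() and is_script(ev["target"]):
        return {"rule": "startup_folder_script", "ioc": ev["target"], "path": ev["target"]}
    return None


def check_wscript_spawn(ev):
    """Sysmon 1: script host spawned by a script host, running a user-writable script in //B batch mode."""
    if ev["id"] != 1:
        return None
    image = PureWindowsPath(ev["image"]).name.lower()
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    if image not in SCRIPT_HOSTS or parent not in SCRIPT_HOSTS:
        return None
    tokens = split_cmdline(ev["cmdline"])
    batch = any(tok.lower() == "//b" for tok in tokens)  # //B suppresses script errors and prompts
    script = script_in_value(ev["cmdline"])
    if batch and script and user_writable(script):
        return {"rule": "script_host_chain", "ioc": script, "path": script}
    return None


def c2_indicator(url):
    """Split the extracted C2 URL into host/port and flag dynamic-DNS hosting."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    dyndns = any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)
    return {"host": host, "port": parts.port, "dyndns": dyndns}


def scan(events):
    """Run every rule over every event and return the list of findings."""
    findings = []
    for ev in events:
        for check in (check_run_key, check_startup_drop, check_wscript_spawn):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings
```

Running scan(EVENTS) yields three findings, one per malicious event, and none for the two controls; c2_indicator("http://zeegod.duckdns.org:9001") returns the host, port 9001 and a dyndns flag. On a real host the same three functions would be fed Sysmon RegistryEvent (13), FileCreate (11) and ProcessCreate (1) records; the //B check is deliberate, since a script host launched in batch mode by another script host is how this sample hides its second stage, and the user-writable-path check is what keeps an administrator's logon script in C:\Scripts from firing the rule.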
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\XaoShGXEdx.js
  MD5: 14742214ca98f7af7f89d7f7a4f4fc83
  SHA1: 001da8065d28762e93641630125121f14aedceb0
  SHA256: 863db6134cb55a376494668bc17b6a70e905eccb98c340af8a85cb29af76c15c
  SHA512: 0da618574424c1c24afbc317232b74ea9f37313aea1bbbfd517d089d4088489e3747a0f43e5167dfd8a7f78252bb9a4512050829fec62ce6747e0fac7c8e8f67