Analysis
- max time kernel: 148s
- max time network: 161s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 10:42
Static task: static1
Behavioral task: behavioral1
  Sample: File 1.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: File 1.js
  Resource: win10v2004-20220414-en
General
- Target: File 1.js
- Size: 29KB
- MD5: 5b249001231021d53f6e80d07e4e5f5b
- SHA1: 1266796493db1d6e635684d96c61c92a4f7dc93e
- SHA256: 34d8e5b4d562e391ef5aa0e06738593ea6d1f28710bf3d8c091ac706614cc2f2
- SHA512: d8200f7ac947d92493e17284bc249230181e1dc1bf4192da3b33e37e05faed356dd4dc6bda234128db75a866ccce67c28b5cc3beef4a19b001dab8c4faa7c29f
Malware Config
- Extracted family: vjw0rm
- C2 URL (from the extracted config): http://104.168.7.110:7974
Signatures
- Blocklisted process makes network request (10 IoCs)
  flow  pid   process
  6     1380  wscript.exe
  7     776   wscript.exe
  11    1380  wscript.exe
  13    1380  wscript.exe
  16    1380  wscript.exe
  17    1380  wscript.exe
  21    1380  wscript.exe
  23    1380  wscript.exe
  25    1380  wscript.exe
  27    1380  wscript.exe
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AoKCPOUwzd.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AoKCPOUwzd.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\AoKCPOUwzd.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's signature text calls this "likely ransomware behaviour", but that is a generic heuristic: the sample is vjw0rm, a JavaScript worm that copies itself to removable drives, so drive enumeration here is more consistent with USB propagation than with file encryption, and the report records no encryption activity.
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 776 (wscript.exe) wrote to the memory of PID 1380 (wscript.exe), three times.
  All three writes go from the parent wscript.exe into the child it spawned. A parent writes into a freshly created child's address space as part of normal process creation, so this hit alone is not evidence of injection; the persistence and network IoCs above are the substantive findings.
Processes
1. C:\Windows\system32\wscript.exe (PID 776, inferred from the WriteProcessMemory IoCs)
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\File 1.js"
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (child of 1; PID 1380)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AoKCPOUwzd.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
   The //B switch runs the script host in batch mode, which suppresses script error dialogs and prompts, so the dropped second stage executes silently.
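The behaviours above (a script host run with //B on a .js under AppData\Roaming, a Run key value pointing at that file, a .js dropped in the Startup folder, and a request to the extracted C2 URL) map directly onto process, registry, file and network telemetry. The following is an added example, not part of the sandbox report: a small detector that runs those checks over constructed events mirroring the report's IoCs and groups hits by PID the way the report does. The event dictionaries and their field names (event_type, image, command_line, target_object, details, target_filename, destination) are assumptions loosely modelled on Sysmon, not a real log schema.

```python
import re
from typing import Dict, List

# Indicators taken from the report above.
C2_URL = "http://104.168.7.110:7974"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_JS_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.js$", re.IGNORECASE)
ROAMING_JS_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.js", re.IGNORECASE)
BATCH_SWITCH_RE = re.compile(r"(?<!\S)//B(?!\S)", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> List[str]:
    """Return the report behaviours a single event matches (empty list if none)."""
    hits: List[str] = []
    # Every signature in the report is keyed on the Windows Script Host process.
    if _basename(ev.get("image", "")) not in SCRIPT_HOSTS:
        return hits
    kind = ev.get("event_type")
    if kind == "process_create":
        cmd = ev.get("command_line", "")
        # //B (batch mode) hides script errors and prompts; combined with a user-writable
        # Roaming path this is the second-stage launch seen in the process tree.
        if BATCH_SWITCH_RE.search(cmd) and ROAMING_JS_RE.search(cmd):
            hits.append("script host run with //B on a .js under AppData\\Roaming")
    elif kind == "registry_set":
        if RUN_KEY_RE.search(ev.get("target_object", "")) and ROAMING_JS_RE.search(ev.get("details", "")):
            hits.append("Run key value pointing at a .js under AppData\\Roaming")
    elif kind == "file_create":
        if STARTUP_JS_RE.search(ev.get("target_filename", "")):
            hits.append(".js written to the Startup folder")
    elif kind == "network_connect":
        if ev.get("destination", "").rstrip("/") == C2_URL:
            hits.append("request to the extracted vjw0rm C2 URL")
    return hits


def scan(events) -> Dict[int, List[str]]:
    """Group matched behaviours by PID, mirroring the report's per-process view."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        for hit in check_event(ev):
            findings.setdefault(ev["pid"], []).append(hit)
    return findings


# Constructed events mirroring the report's IoCs (not real telemetry from the sandbox).
SAMPLE_EVENTS = [
    {"event_type": "process_create", "pid": 776, "image": r"C:\Windows\system32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\File 1.js"'},
    {"event_type": "process_create", "pid": 1380, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AoKCPOUwzd.js"'},
    {"event_type": "file_create", "pid": 1380, "image": r"C:\Windows\System32\wscript.exe",
     "target_filename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AoKCPOUwzd.js"},
    {"event_type": "registry_set", "pid": 1380, "image": r"C:\Windows\System32\wscript.exe",
     "target_object": r"HKU\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ",
     "details": r'"C:\Users\Admin\AppData\Roaming\AoKCPOUwzd.js"'},
    {"event_type": "network_connect", "pid": 1380, "image": r"C:\Windows\System32\wscript.exe",
     "destination": "http://104.168.7.110:7974"},
    # Benign control: an admin script from a non-user-writable path, no //B, no persistence.
    {"event_type": "process_create", "pid": 2040, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Scripts\inventory.js"'},
]

if __name__ == "__main__":
    for pid, hits in sorted(scan(SAMPLE_EVENTS).items()):
        print(pid, hits)
```

The first-stage launch (PID 776, a .js from Local\Temp without //B) deliberately produces no hit: opening a script from Temp is too common to alert on by itself, and the report's own signatures only fire on what that process does next. The Roaming-path and //B conditions are what separate the second stage from a legitimately deployed logon script; in a real pipeline the regexes would be widened to cover cscript.exe and the other user-writable staging directories.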
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\AoKCPOUwzd.js
  Filesize: 10KB
  MD5: 06857086cf6f496de378970a7e5176e3
  SHA1: a9e42c3d319914af6965e4ecf2fc20f69e0d7b9b
  SHA256: 00f358e945dd63c7084ec39a494a992ee74c381ba5f14181dec44a6a2e60f6da
  SHA512: 94179fc54083f63ef49af7cd44566f3edd0a524d68f8343630fc3974bf80bbd0957910feea14ee8e08de36c91d5998c1543ed023f0d47262c3f128af2d9a22b7
  The dropped script is not a byte-for-byte copy of the submitted sample (10KB versus 29KB, with different hashes), so hash-based hunting needs both sets of indicators.
- memory/776-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
  Filesize: 8KB
- memory/1380-55-0x0000000000000000-mapping.dmp