Analysis
- max time kernel: 149s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 10:42
Static task: static1

Behavioral task: behavioral1
  Sample: File 1.js
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: File 1.js
  Resource: win10v2004-20220414-en
General
- Target: File 1.js
- Size: 29KB
- MD5: 5b249001231021d53f6e80d07e4e5f5b
- SHA1: 1266796493db1d6e635684d96c61c92a4f7dc93e
- SHA256: 34d8e5b4d562e391ef5aa0e06738593ea6d1f28710bf3d8c091ac706614cc2f2
- SHA512: d8200f7ac947d92493e17284bc249230181e1dc1bf4192da3b33e37e05faed356dd4dc6bda234128db75a866ccce67c28b5cc3beef4a19b001dab8c4faa7c29f
Malware Config
- Extracted: vjw0rm
  http://104.168.7.110:7974
Signatures
- Blocklisted process makes network request (16 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  5     3256  wscript.exe
  7     3404  wscript.exe
  14    3404  wscript.exe
  22    3404  wscript.exe
  32    3404  wscript.exe
  33    3404  wscript.exe
  36    3404  wscript.exe
  37    3404  wscript.exe
  40    3404  wscript.exe
  41    3404  wscript.exe
  44    3404  wscript.exe
  45    3404  wscript.exe
  46    3404  wscript.exe
  47    3404  wscript.exe
  48    3404  wscript.exe
  49    3404  wscript.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  wscript.exe

- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                   ioc                                                                                   process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AoKCPOUwzd.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AoKCPOUwzd.js  wscript.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                                                                                           process
  Key created      \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                    wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\AoKCPOUwzd.js\""  wscript.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description                        pid   process      target process
  PID 3256 wrote to memory of 3404   3256  wscript.exe  wscript.exe
  PID 3256 wrote to memory of 3404   3256  wscript.exe  wscript.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\File 1.js"
   - Blocklisted process makes network request
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AoKCPOUwzd.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Downloads
- C:\Users\Admin\AppData\Roaming\AoKCPOUwzd.js
  Filesize: 10KB
  MD5: 06857086cf6f496de378970a7e5176e3
  SHA1: a9e42c3d319914af6965e4ecf2fc20f69e0d7b9b
  SHA256: 00f358e945dd63c7084ec39a494a992ee74c381ba5f14181dec44a6a2e60f6da
  SHA512: 94179fc54083f63ef49af7cd44566f3edd0a524d68f8343630fc3974bf80bbd0957910feea14ee8e08de36c91d5998c1543ed023f0d47262c3f128af2d9a22b7
- memory/3404-130-0x0000000000000000-mapping.dmp