Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 10:48
Static task: static1
Behavioral task: behavioral1
- Sample: File 3.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: File 3.js
- Resource: win10v2004-20220414-en
General
- Target: File 3.js
- Size: 29KB
- MD5: ab13afc905659d77f0f29094be1a0374
- SHA1: f1104c4b561e7a13caaff3023638e1fd50e10830
- SHA256: 70c2cfb9f3c784bbae7c67daa88805b6989beb2a502ef7574c08e62fccd794d0
- SHA512: 9a1d213aaa741c8950e71b21445bb062a505a123cd4c17746ef43d3454cb999b2c2614ac5ff6826c3269110016be88d44c1532462c0caef1fe994184f65cf91d
Malware Config
- Extracted: vjw0rm
- http://104.168.7.110:7974
Signatures
- Blocklisted process makes network request (14 IoCs)
  Processes:
  flow | pid | process
  6 | 1208 | wscript.exe
  7 | 1900 | wscript.exe
  8 | 1208 | wscript.exe
  10 | 1208 | wscript.exe
  13 | 1208 | wscript.exe
  15 | 1208 | wscript.exe
  17 | 1208 | wscript.exe
  20 | 1208 | wscript.exe
  22 | 1208 | wscript.exe
  24 | 1208 | wscript.exe
  27 | 1208 | wscript.exe
  29 | 1208 | wscript.exe
  31 | 1208 | wscript.exe
  34 | 1208 | wscript.exe
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jDamYSjgcH.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jDamYSjgcH.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\jDamYSjgcH.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 1900 wrote to memory of 1208 | 1900 | wscript.exe | wscript.exe
  PID 1900 wrote to memory of 1208 | 1900 | wscript.exe | wscript.exe
  PID 1900 wrote to memory of 1208 | 1900 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\File 3.js"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jDamYSjgcH.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\jDamYSjgcH.js
  Filesize: 10KB
  MD5: 5fec9251c205111e712d51790d02fad7
  SHA1: be7523fc11376392b8af5aa77d5cb7937f2e0dac
  SHA256: c35aee064709247cfd030eb2ce85e3eaad52b9b0cb6f75e027b3ee9008950242
  SHA512: a3d3284785258186c13e5a43569fc59d90c0c9541a55e6ce8a3d4d8984afcd46967ed6edf1be17efd005614fc098ce314dda57352bbc83f847dafb40dc9dd8f1
- memory/1208-55-0x0000000000000000-mapping.dmp
- memory/1900-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
  Filesize: 8KB