Analysis
- max time kernel: 144s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 10:48
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: File 3.js
  - Resource: win7-20220414-en
- Behavioral task: behavioral2
  - Sample: File 3.js
  - Resource: win10v2004-20220414-en
General
- Target: File 3.js
- Size: 29KB
- MD5: ab13afc905659d77f0f29094be1a0374
- SHA1: f1104c4b561e7a13caaff3023638e1fd50e10830
- SHA256: 70c2cfb9f3c784bbae7c67daa88805b6989beb2a502ef7574c08e62fccd794d0
- SHA512: 9a1d213aaa741c8950e71b21445bb062a505a123cd4c17746ef43d3454cb999b2c2614ac5ff6826c3269110016be88d44c1532462c0caef1fe994184f65cf91d
Malware Config
- Extracted: vjw0rm
  - http://104.168.7.110:7974
Signatures
- Blocklisted process makes network request (16 IoCs)
  Processes (flow, pid, process):
    4   2004  wscript.exe
    6   2060  wscript.exe
    11  2060  wscript.exe
    13  2060  wscript.exe
    21  2060  wscript.exe
    30  2060  wscript.exe
    32  2060  wscript.exe
    40  2060  wscript.exe
    41  2060  wscript.exe
    42  2060  wscript.exe
    45  2060  wscript.exe
    46  2060  wscript.exe
    47  2060  wscript.exe
    48  2060  wscript.exe
    49  2060  wscript.exe
    50  2060  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  wscript.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jDamYSjgcH.js  wscript.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jDamYSjgcH.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run  wscript.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\jDamYSjgcH.js\""  wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description, pid, process, target process):
    PID 2004 wrote to memory of 2060  2004  wscript.exe  wscript.exe
    PID 2004 wrote to memory of 2060  2004  wscript.exe  wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\File 3.js"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jDamYSjgcH.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\jDamYSjgcH.js
  - Filesize: 10KB
  - MD5: 5fec9251c205111e712d51790d02fad7
  - SHA1: be7523fc11376392b8af5aa77d5cb7937f2e0dac
  - SHA256: c35aee064709247cfd030eb2ce85e3eaad52b9b0cb6f75e027b3ee9008950242
  - SHA512: a3d3284785258186c13e5a43569fc59d90c0c9541a55e6ce8a3d4d8984afcd46967ed6edf1be17efd005614fc098ce314dda57352bbc83f847dafb40dc9dd8f1
- memory/2060-130-0x0000000000000000-mapping.dmp