Overview

overview

10

Static

static

PROCUREMENT_001.js

windows7_x64

10

PROCUREMENT_001.js

windows10-2004_x64

10

Analysis

  • max time kernel
    168s
  • max time network
    176s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-06-2022 07:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PROCUREMENT_001.js

  • Size

    396KB

  • MD5

    ead2e4417e0ba32a086cbd96ffde7ce5

  • SHA1

    0f47a3ec2a02054f1d54815544feaac77fb32793

  • SHA256

    cbc74da583fc123ca5783a7c977f382af7a71a227888d95a9b8203bd0a2adf62

  • SHA512

    e26c09f7e4318f62cc1e0f4f84e77cf28e6a3d68a0dfb20f84e8b849bc65bf06a4aca46c446c7ae7ea831b9ff047aa32fe6bb82b946e149d68bfa3df3f0efae4

Score
10/10
vjw0rmxloaderr4wfloaderpersistenceratsuricatatrojanworm

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

r4wf

Decoy

eQLhwti8E4CX1m8bp0WK2Q==

axoAyf6nwR9Y43o1nFx+930=

vf9fMlHrgdcI

TRQU8PPgFWegAcLFsjQ5TUX2

CFXUiz7SjsLqcQ==

XKeIL6Nmg+8pokY+wjaooasXRQIt

NLSkgIdanO/4SNPAdlKUrIms7Q==

TTKhgqyuCnCmH7yGa12g8HXrnY/nKGI=

5X0d70pNfaYGRgI=

fXXOk9C1+U9bhkIBIqn8

dN7HmMiv/TtAgyP2tYrEG2Yq4Yw=

HRqUgbJeorn4Zg==

MZ7Sh6xm71vhCNLW

7iFsO188fKYGRgI=

o9VC9kgPVXmCz2gBIqn8

B0y+iMbD+lzhCNLW

ciUeBS0WbdHuVGH+xJU=

Q3334PeyxydNmzoBIqn8

kgHx3RbrgdcI

WQjgo8h9g6YGRgI=

Extracted

Family

vjw0rm

C2

http://franmhort.duia.ro:8152

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 4 IoCs
    rat
  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\PROCUREMENT_001.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TKlRbFxljO.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:1528
      • C:\Users\Admin\AppData\Local\Temp\greatk.exe
        "C:\Users\Admin\AppData\Local\Temp\greatk.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:860
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\greatk.exe"
        3⤵
          PID:1704

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\greatk.exe
      Filesize

      174KB

      MD5

      4e4fe9a1e4568efac0293fcaf431f2da

      SHA1

      c17588029ab95904ab548b5c8fb4dc626e1d8d12

      SHA256

      929b0c7d953ee579a49a6d4a9456a1a45a9f4e81933adf6a07b34d6669f096b6

      SHA512

      7a323280ef25c208fbe726e5ba21200ec9af976f30da3ea330387afe95c41ad082404d4cd811672f0b7e9764759c8cc7b1b2252da242ff8253e429bb2cc7a461

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\greatk.exe
      Filesize

      174KB

      MD5

      4e4fe9a1e4568efac0293fcaf431f2da

      SHA1

      c17588029ab95904ab548b5c8fb4dc626e1d8d12

      SHA256

      929b0c7d953ee579a49a6d4a9456a1a45a9f4e81933adf6a07b34d6669f096b6

      SHA512

      7a323280ef25c208fbe726e5ba21200ec9af976f30da3ea330387afe95c41ad082404d4cd811672f0b7e9764759c8cc7b1b2252da242ff8253e429bb2cc7a461

      Download Submit
    • C:\Users\Admin\AppData\Roaming\TKlRbFxljO.js
      Filesize

      30KB

      MD5

      e80c5a9f243cd8589446c7531265ad1c

      SHA1

      83fa6c700a036754f8f506ce7eea111cbb70fed8

      SHA256

      81c5757f8a810180b55725f2778493af9ca1f25a87c7f9154646ceeac628cd37

      SHA512

      24e26cba2e7076f2208306b93eadb61782d08029bda21433c682ba88333ab28225388a6823e7b566e5b18ce0b0a91dad20d64be59a03d5f22491a0a7496544ba

      Download Submit
    • memory/532-54-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/860-57-0x0000000000000000-mapping.dmp
      Download
    • memory/860-60-0x0000000000790000-0x0000000000A93000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/860-61-0x00000000001C0000-0x00000000001D1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1312-71-0x0000000006530000-0x00000000065E6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/1312-62-0x0000000004C70000-0x0000000004E09000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1312-73-0x0000000006530000-0x00000000065E6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/1528-55-0x0000000000000000-mapping.dmp
      Download
    • memory/1704-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1740-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1740-68-0x0000000000090000-0x00000000000BC000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1740-69-0x0000000002250000-0x0000000002553000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1740-70-0x0000000000A60000-0x0000000000AF0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1740-67-0x00000000009B0000-0x00000000009C4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1740-72-0x0000000000090000-0x00000000000BC000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1740-64-0x0000000075711000-0x0000000075713000-memory.dmp
      Filesize

      8KB

      Download