Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-06-2022 02:15
Static task: static1
Behavioral task: behavioral1
- Sample: Orders #062122.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Orders #062122.js
- Resource: win10v2004-20220414-en
General
- Target: Orders #062122.js
- Size: 84KB
- MD5: 45ed25eaa020cbb7cc9dc25b8a657e4f
- SHA1: 10f9b2dd8b4fb03858ac6e557c3f3b969573448a
- SHA256: 50e4af1a3329295449f1d94adc7a6e1e3ae47cf0021a5767adb9e689ace290c1
- SHA512: 471cf270dec755160eb8031c6e56f5bc1f48784235499c7a8e93c67c76f501be9a03379aba0d7c1010a2cf7800f079f5af8e81af9cdd43f3fedae9ab0122ccba
Malware Config
Extracted
- Family: vjw0rm
- C2: http://45.138.16.233:1985
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes: wscript.exe, wscript.exe
  flow | pid  | process
  5    | 3316 | wscript.exe
  7    | 1352 | wscript.exe
  11   | 1352 | wscript.exe
  16   | 1352 | wscript.exe
  23   | 1352 | wscript.exe
  27   | 1352 | wscript.exe
  38   | 1352 | wscript.exe
  42   | 1352 | wscript.exe
  45   | 1352 | wscript.exe
  46   | 1352 | wscript.exe
  48   | 1352 | wscript.exe
  49   | 1352 | wscript.exe
  50   | 1352 | wscript.exe
  51   | 1352 | wscript.exe
  52   | 1352 | wscript.exe
  53   | 1352 | wscript.exe
  54   | 1352 | wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lkbpJPNZnd.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lkbpJPNZnd.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\lkbpJPNZnd.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 3316 wrote to memory of 1352 | 3316 | wscript.exe | wscript.exe
  PID 3316 wrote to memory of 1352 | 3316 | wscript.exe | wscript.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Orders #062122.js"
   - Blocklisted process makes network request
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\wscript.exe
   Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lkbpJPNZnd.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\lkbpJPNZnd.js
  Filesize: 29KB
  MD5: f4311f7cd0642e63969f77f7336cd6b5
  SHA1: 1c66b2dc78f2532465079101a34ef09e13e89f17
  SHA256: 5aed2e8abc98d0f70077618da5c0062d94dc5c6f6de0271c51681866fb0feeb3
  SHA512: e25928ec4bc827e53244edaf7aa913e81ec383735a8fe8ba1a5036c1545b6d0b91c8ecb68ba483258ce65eaee339d59b4ae3bb893adb60ff0e0b4b0b656bdc38
- memory/1352-130-0x0000000000000000-mapping.dmp