Analysis
max time kernel: 147s
max time network: 164s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-06-2022 08:58
Static task: static1
Behavioral task: behavioral1
  Sample: PO docs.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO docs.js
  Resource: win10v2004-20220414-en
General
Target: PO docs.js
Size: 167KB
MD5: ce75410067a95c5ceccf08f7487cf247
SHA1: e38edaf16c0b2e994fc65e5228912428c6fdffa3
SHA256: f356566e43a72607bcb73734f5c3dd4b03117f42a03e0534b327e2fb4b3d7132
SHA512: 719977b1962ea8799e3cdb1b933efa6547dcc1a215ec97a544f522e903e6904df2e688463799dbf70ae89fb9a6ee485ab09b40fed342824c530513f34000b95c
Malware Config
Extracted
vjw0rm
http://45.138.16.233:1985
Signatures

Blocklisted process makes network request (17 IoCs)
Processes: wscript.exe, wscript.exe
flow  pid   process
6     1060  wscript.exe
7     1968  wscript.exe
8     1060  wscript.exe
10    1060  wscript.exe
14    1060  wscript.exe
15    1060  wscript.exe
17    1060  wscript.exe
20    1060  wscript.exe
22    1060  wscript.exe
24    1060  wscript.exe
27    1060  wscript.exe
29    1060  wscript.exe
30    1060  wscript.exe
33    1060  wscript.exe
35    1060  wscript.exe
36    1060  wscript.exe
39    1060  wscript.exe

Drops startup file (2 IoCs)
Processes: wscript.exe
description                   ioc                                                                                          process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aBjrxgvXiK.js   wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aBjrxgvXiK.js   wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe
description      ioc                                                                                                                                                                             process
Key created      \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                     wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\aBjrxgvXiK.js\""  wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: wscript.exe
description                        pid   process      target process
PID 1968 wrote to memory of 1060   1968  wscript.exe  wscript.exe
PID 1968 wrote to memory of 1060   1968  wscript.exe  wscript.exe
PID 1968 wrote to memory of 1060   1968  wscript.exe  wscript.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO docs.js"
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\wscript.exe (child of 1)
   Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\aBjrxgvXiK.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\aBjrxgvXiK.js
Filesize: 59KB
MD5: e3091e4a999ec41da7d4d2ebadb7c8ef
SHA1: aecd036bbce0311cccdf65b0dea0400b772f1fa8
SHA256: dd87b61a5fba9e7e4af3fb26b117c7d7d2b5915f6e4e8d5b77b2b3eda23cc7da
SHA512: 32628e545c43f6f8c9258ee17f4551732cddb8fa599fa510a849cce2f74abf5d89eeadd4b3db669d8786d23aeb44c82e773fafe5b31d8c23a1d845293d01f61e

memory/1060-55-0x0000000000000000-mapping.dmp

memory/1968-54-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp
Filesize: 8KB