Analysis
  max time kernel: 150s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 21-06-2022 08:58
Static task: static1
Behavioral task: behavioral1
  Sample: PO docs.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO docs.js
  Resource: win10v2004-20220414-en
General
  Target: PO docs.js
  Size: 167KB
  MD5: ce75410067a95c5ceccf08f7487cf247
  SHA1: e38edaf16c0b2e994fc65e5228912428c6fdffa3
  SHA256: f356566e43a72607bcb73734f5c3dd4b03117f42a03e0534b327e2fb4b3d7132
  SHA512: 719977b1962ea8799e3cdb1b933efa6547dcc1a215ec97a544f522e903e6904df2e688463799dbf70ae89fb9a6ee485ab09b40fed342824c530513f34000b95c
Malware Config
  Extracted: vjw0rm
  URL: http://45.138.16.233:1985
Signatures

Blocklisted process makes network request (18 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  5     2796  wscript.exe
  7     4956  wscript.exe
  13    4956  wscript.exe
  15    4956  wscript.exe
  19    4956  wscript.exe
  28    4956  wscript.exe
  34    4956  wscript.exe
  43    4956  wscript.exe
  46    4956  wscript.exe
  49    4956  wscript.exe
  50    4956  wscript.exe
  51    4956  wscript.exe
  52    4956  wscript.exe
  54    4956  wscript.exe
  55    4956  wscript.exe
  56    4956  wscript.exe
  57    4956  wscript.exe
  58    4956  wscript.exe

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (process: wscript.exe)

Drops startup file (2 IoCs)
  Processes: wscript.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aBjrxgvXiK.js (process: wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aBjrxgvXiK.js (process: wscript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\aBjrxgvXiK.js\"" (process: wscript.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description                        pid   process      target process
  PID 2796 wrote to memory of 4956   2796  wscript.exe  wscript.exe
  PID 2796 wrote to memory of 4956   2796  wscript.exe  wscript.exe
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO docs.js"
   - Blocklisted process makes network request
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\aBjrxgvXiK.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\aBjrxgvXiK.js
  Filesize: 59KB
  MD5: e3091e4a999ec41da7d4d2ebadb7c8ef
  SHA1: aecd036bbce0311cccdf65b0dea0400b772f1fa8
  SHA256: dd87b61a5fba9e7e4af3fb26b117c7d7d2b5915f6e4e8d5b77b2b3eda23cc7da
  SHA512: 32628e545c43f6f8c9258ee17f4551732cddb8fa599fa510a849cce2f74abf5d89eeadd4b3db669d8786d23aeb44c82e773fafe5b31d8c23a1d845293d01f61e

memory/4956-130-0x0000000000000000-mapping.dmp