Analysis
- max time kernel: 148s
- max time network: 171s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 22-06-2022 15:03
Static task: static1
Behavioral task: behavioral1
  Sample: Orders Docs.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Orders Docs.js
  Resource: win10v2004-20220414-en
General
- Target: Orders Docs.js
- Size: 164KB
- MD5: 18b9c0bc1c0ee305564334c961f1f17c
- SHA1: 09ce3403cbb2b5f489529e96997ccffa4db044b1
- SHA256: 9cafe3e7e089f96852a245f8d24f2c4bc67888e381a3d15607859cdbb7b62897
- SHA512: f8a7f77a8912eb17bccd619b711f981875e219db3acdd126d129ad82fe31f6528bac6e034e064094ad526fb7d81e7c7cf0546e52c84f7620a17fc47042e06eed
Malware Config
Extracted
- Family: vjw0rm
- C2: http://45.138.16.233:1985
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  6     1732  wscript.exe
  7     1968  wscript.exe
  9     1732  wscript.exe
  12    1732  wscript.exe
  15    1732  wscript.exe
  17    1732  wscript.exe
  19    1732  wscript.exe
  22    1732  wscript.exe
  24    1732  wscript.exe
  26    1732  wscript.exe
  28    1732  wscript.exe
  30    1732  wscript.exe
  32    1732  wscript.exe
  36    1732  wscript.exe
  38    1732  wscript.exe
  39    1732  wscript.exe
  43    1732  wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                   ioc                                                                                        process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zBqCgJmfsW.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zBqCgJmfsW.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                                    process
  Key created      \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run             wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\zBqCgJmfsW.js\""  wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  description                       pid   process      target process
  PID 1968 wrote to memory of 1732  1968  wscript.exe  wscript.exe
  PID 1968 wrote to memory of 1732  1968  wscript.exe  wscript.exe
  PID 1968 wrote to memory of 1732  1968  wscript.exe  wscript.exe
Processes
- C:\Windows\system32\wscript.exe (tree depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Orders Docs.js"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\wscript.exe (tree depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zBqCgJmfsW.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\zBqCgJmfsW.js
  Filesize: 58KB
  MD5: 46decbbc9c580ef37eee8298670b825d
  SHA1: a7f8cd3734601d45b5f04c3e7e05a5d2d05e39b2
  SHA256: 1e278d7d84f7e150e1e65b61004d3bf15b58b69b90d92c0ee082b02ec7779509
  SHA512: 1ef94c8f8e0b739ef5073cdd201c7f16c48bfe5a69b666c8f7e611e74e097c2cff8cf5c3a622e7864c231a31b3976480df5e854ff8bb8d00aa30f1e92be4d29b
- memory/1732-55-0x0000000000000000-mapping.dmp
- memory/1968-54-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp
  Filesize: 8KB