Overview

overview

10

Static

static

PO_20230025-03662.js

windows7_x64

10

PO_20230025-03662.js

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    23-06-2022 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_20230025-03662.js

  • Size

    633KB

  • MD5

    9659595bb96500ea6ac6892bcb450d03

  • SHA1

    db8e3c13226387bbdd7703abd60baf6e78851789

  • SHA256

    dee7026593429404b9cc00a28b12202ecf60049be57f5bf9a0b7dae383055e06

  • SHA512

    e6da4a8e7d5e99813d581bb18eee55c9aa629a974412887b1f412f6b860283be68f3d47b16d11ee738c2b8e7500b33c42e24f6d20cfb4175598e0c9c99e3a48c

Score
10/10
vjw0rmxloadervs8gloaderpersistenceratsuricatatrojanworm

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

vs8g

Decoy

xEVEsySadSMf8UUC

H8ZbYtGKWPCfp91+uS3TFo/F7tYacwDqHw==

L/St5UjIhTMzEHsb

8h8tDvq0nl8JCWoagxa0MVyvnA==

7bml44z9jZsZx8Co2T8=

EwH88ZtcOu8ehs2P2o6wv78FEe4+xRQ=

bTn3LpE1HfpPAXI=

nYxT+9GLhS1d3zzGJuTDlgpT

HxonIwh8TesenMCo2T8=

Ki83MiehhC9e1i7YQ/Wd32JsGcun

wHcUByFRMuEGh8Co2T8=

86tqpg/Jy60eFmMRPefDlgpT

grSUYa5yahUf8UUC

HVviVsk7Cb6Elc571pnSWCJ93G17PkiI

6LJ1qBPUtGNIl8Co2T8=

AYuWD33xt44VxsCo2T8=

/smXvLMh868VzQqs99/DlgpT

1kEMNVtaMw6KmN+YANYm+kA=

daarti3nbFVKnsCo2T8=

0EJM6cFFHvawA2U=

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 4 IoCs
    rat
  • Blocklisted process makes network request 16 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\PO_20230025-03662.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\KmBIsnwxko.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:2044
      • C:\Users\Admin\AppData\Local\Temp\bin.exe
        "C:\Users\Admin\AppData\Local\Temp\bin.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:952
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
        3⤵
          PID:1512
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:308

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\bin.exe
        Filesize

        174KB

        MD5

        3ae87cd93196b3f86a2e1cfa3e6c9133

        SHA1

        64b444869181c8893d695072239bc48681ea10cd

        SHA256

        0a1b761095e129d76033c7bde535ca8f0517b4ddaaeda3981b5d8f998f8cf407

        SHA512

        1e1490502069ff5328939cc30a8e1aa74089e9cf918a27c0ce831c877035fe578811fcb970859c88437724c65383e86f055eedad4c14e3699d4270d280b865e8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\bin.exe
        Filesize

        174KB

        MD5

        3ae87cd93196b3f86a2e1cfa3e6c9133

        SHA1

        64b444869181c8893d695072239bc48681ea10cd

        SHA256

        0a1b761095e129d76033c7bde535ca8f0517b4ddaaeda3981b5d8f998f8cf407

        SHA512

        1e1490502069ff5328939cc30a8e1aa74089e9cf918a27c0ce831c877035fe578811fcb970859c88437724c65383e86f055eedad4c14e3699d4270d280b865e8

        Download Submit
      • C:\Users\Admin\AppData\Roaming\KmBIsnwxko.js
        Filesize

        117KB

        MD5

        0e20eafe54da8cd708fe740ffca1a02d

        SHA1

        c8b05acaf83fd25bc55e0ab01b7df98593c7a5f5

        SHA256

        c0f92a810bb3470ce1fd1e6b532ed371c2bc8d397beb6a29e2ddd68a5ef287b6

        SHA512

        f8a614ddadfb3e350df15884e976dfcfd94af55b614506a351ab02395c52b20c15b7ffd93e2aefedc1a89b17ed4af84256f4920fae6f4cf19862208e612515f4

        Download Submit
      • memory/952-57-0x0000000000000000-mapping.dmp
        Download
      • memory/952-60-0x0000000000780000-0x0000000000A83000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/952-61-0x0000000000390000-0x00000000003A1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/1372-71-0x0000000004C70000-0x0000000004D45000-memory.dmp
        Filesize

        852KB

        Download
      • memory/1372-73-0x0000000004C70000-0x0000000004D45000-memory.dmp
        Filesize

        852KB

        Download
      • memory/1372-62-0x0000000007060000-0x00000000071AF000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1492-64-0x0000000076011000-0x0000000076013000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1492-63-0x0000000000000000-mapping.dmp
        Download
      • memory/1492-66-0x0000000000080000-0x00000000000AC000-memory.dmp
        Filesize

        176KB

        Download
      • memory/1492-72-0x0000000000080000-0x00000000000AC000-memory.dmp
        Filesize

        176KB

        Download
      • memory/1492-65-0x0000000000860000-0x000000000087F000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1492-69-0x0000000001F50000-0x0000000002253000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1492-70-0x0000000001D40000-0x0000000001DD0000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1512-68-0x0000000000000000-mapping.dmp
        Download
      • memory/1928-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2044-55-0x0000000000000000-mapping.dmp
        Download