Analysis
max time kernel: 146s
max time network: 154s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 19-07-2022 18:07
Static task: static1
Behavioral task: behavioral1
Sample: stLbWbDhor_p0wer.js
Resource: win7-20220715-en
General
Target: stLbWbDhor_p0wer.js
Size: 6KB
MD5: fcd73eadcaf23aa849c386ab29645ee0
SHA1: 6c22a65b42240b3b7aee87839e307c0bd7f44e03
SHA256: 289560b71f8a92b09ec3ba851c74411dfc4ad7a2d33434e272e5aa06f53495d4
SHA512: e1819a2c2c9b49a872fd22abb869c6d0d806c32669544f623e2c95407ba6003e75ef444b4ebbed25cea52b7b73ea045ee17cced6a470faf6ee2602048c60ef94
Malware Config
Extracted: vjw0rm
URL: http://198.23.212.140:63006
Signatures

Blocklisted process makes network request (1 IoCs)
Processes:
flow 3, pid 1908, process wscript.exe

Drops startup file (2 IoCs)
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stLbWbDhor_p0wer.js (process wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stLbWbDhor_p0wer.js (process wscript.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
PID 1908 wrote to memory of 1732: pid 1908, process wscript.exe, target process wscript.exe
PID 1908 wrote to memory of 1732: pid 1908, process wscript.exe, target process wscript.exe
PID 1908 wrote to memory of 1732: pid 1908, process wscript.exe, target process wscript.exe
Processes

(level 1) C:\Windows\system32\wscript.exe
command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\stLbWbDhor_p0wer.js
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory

(level 2) C:\Windows\System32\wscript.exe
command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sYxElHPDqQ.js"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\sYxElHPDqQ.js
Filesize: 490B
MD5: 5d759c556897dfdaeca83ab056a7b8cc
SHA1: 62ee293ca3230797f20fb7766a0cf96e8b0715c3
SHA256: e2911b2f3795d6a447466da5679b52ee4c1d6433ca2800fea82cd592f8246e98
SHA512: a1d68d9cce47aa6a4340950f35c0570cdea2ec12f123b7e11f02bbb60fdc7d6be528038a7cb8c4b4331c9d214ce53d93c3c9825f2c24fa52a72bd9a692f282c7

memory/1732-55-0x0000000000000000-mapping.dmp

memory/1908-54-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmp
Filesize: 8KB