Analysis

Max time kernel: 141s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-07-2022 18:07

Static task: static1
Behavioral task: behavioral1
Sample: stLbWbDhor_p0wer.js
Resource: win7-20220715-en
General

Target: stLbWbDhor_p0wer.js
Size: 6KB
MD5: fcd73eadcaf23aa849c386ab29645ee0
SHA1: 6c22a65b42240b3b7aee87839e307c0bd7f44e03
SHA256: 289560b71f8a92b09ec3ba851c74411dfc4ad7a2d33434e272e5aa06f53495d4
SHA512: e1819a2c2c9b49a872fd22abb869c6d0d806c32669544f623e2c95407ba6003e75ef444b4ebbed25cea52b7b73ea045ee17cced6a470faf6ee2602048c60ef94
Malware Config

Extracted
Family: vjw0rm
C2: http://198.23.212.140:63006
Signatures

Blocklisted process makes network request (1 IoC)
Processes:
  flow 6, pid 4644, process wscript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (wscript.exe)

Drops startup file (2 IoCs)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stLbWbDhor_p0wer.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stLbWbDhor_p0wer.js (wscript.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  PID 4644 (wscript.exe) wrote to memory of PID 4584 (wscript.exe)
  PID 4644 (wscript.exe) wrote to memory of PID 4584 (wscript.exe)
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\stLbWbDhor_p0wer.js
   - Blocklisted process makes network request
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe (child of 1)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sYxElHPDqQ.js"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\sYxElHPDqQ.js
Filesize: 490B
MD5: 5d759c556897dfdaeca83ab056a7b8cc
SHA1: 62ee293ca3230797f20fb7766a0cf96e8b0715c3
SHA256: e2911b2f3795d6a447466da5679b52ee4c1d6433ca2800fea82cd592f8246e98
SHA512: a1d68d9cce47aa6a4340950f35c0570cdea2ec12f123b7e11f02bbb60fdc7d6be528038a7cb8c4b4331c9d214ce53d93c3c9825f2c24fa52a72bd9a692f282c7

memory/4584-130-0x0000000000000000-mapping.dmp