Analysis
max time kernel: 138s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/08/2022, 06:29
Static task: static1
Behavioral task: behavioral1
  Sample: irNWRQGlUq_ned7070vjw0m.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: irNWRQGlUq_ned7070vjw0m.js
  Resource: win10v2004-20220812-en
General
Target: irNWRQGlUq_ned7070vjw0m.js
Size: 13KB
MD5: debf7829f2c506abd5871f323a289062
SHA1: 737e77bdcce38f483e78af1268c2b648b9fab469
SHA256: bcb25042af4894ddf1c1cd08f5c7a8a0f1c926e9122169b441e5182ca6424330
SHA512: 1e77b80c64ad0a555eb3bb0d655e897a00469b1eb238cff2bacd4fa6922a39fda32020b6c19d155f7244de01d8793bc9f6167e158465d3388010e721e93e6e64
Malware Config
Extracted family: vjw0rm
C2: http://185.157.162.75:7070
Signatures
Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  4 | 3100 | wscript.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\irNWRQGlUq_ned7070vjw0m.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\irNWRQGlUq_ned7070vjw0m.js | wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2VDZRWDULI = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\irNWRQGlUq_ned7070vjw0m.js\"" | wscript.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour; for a vjw0rm sample, which is known to copy itself to removable drives, drive enumeration is more consistent with worm propagation than with file encryption, so weigh this signature accordingly.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  488 | schtasks.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3100 wrote to memory of 1492 | 3100 | wscript.exe | 81
  PID 3100 wrote to memory of 1492 | 3100 | wscript.exe | 81
  PID 3100 wrote to memory of 488 | 3100 | wscript.exe | 82
  PID 3100 wrote to memory of 488 | 3100 | wscript.exe | 82
Processes
C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\irNWRQGlUq_ned7070vjw0m.js
  PID: 3100
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DdvHbzgOOu.js"
      PID: 1492
    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\irNWRQGlUq_ned7070vjw0m.js
      (the /tr value has no closing quote in the captured command line, reproduced as recorded)
      PID: 488
      - Creates scheduled task(s)
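The persistence and geofence indicators in this report (Run value, Startup folder drop, schtasks action, wscript //B child, Geo\Nation query) can be turned into host-triage rules that run over endpoint or sandbox events. The following is an added example, not code from the sandbox report or from the vjw0rm sample. The event records are constructed from the IoCs on this page plus one benign scheduled-task record as a control; the flat event schema, the script-extension list and the user-writable path list are assumptions made for the example.

```python
"""Added example (not from the sandbox report or the vjw0rm sample): host-triage
rules for the persistence and geofence indicators listed above.

Assumptions: the flat event schema (type/process/parent/key/value/path/cmdline),
the script-extension list and the user-writable path list are choices made for
this example; map your EDR or sandbox fields onto them.
"""
import re

# Extensions Windows Script Host / mshta will execute (assumed list).
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta)$", re.I)
# Directories a standard user can write without elevation (assumed list).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Temp\\",
    re.I)
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]+')               # drive-letter path, stops at a quote
TASK_TARGET = re.compile(r'/tr\s+"?(.+?)(?:"|$)', re.I)  # /tr value, even with the closing quote missing

HKU = r"\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed records mirroring the report's IoCs; the last entry is a benign control.
EVENTS = [
    {"type": "reg_set", "process": "wscript.exe",
     "key": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2VDZRWDULI",
     "value": '"' + TEMP + r'\irNWRQGlUq_ned7070vjw0m.js"'},
    {"type": "file_create", "process": "wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\irNWRQGlUq_ned7070vjw0m.js"},
    {"type": "proc_create", "process": "schtasks.exe", "parent": "wscript.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "'
                + TEMP + r"\irNWRQGlUq_ned7070vjw0m.js"},
    {"type": "proc_create", "process": "wscript.exe", "parent": "wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DdvHbzgOOu.js"'},
    {"type": "reg_query", "process": "wscript.exe",
     "key": HKU + r"\Control Panel\International\Geo\Nation"},
    {"type": "proc_create", "process": "schtasks.exe", "parent": "msiexec.exe",
     "cmdline": r'schtasks /create /sc daily /tn Updater /tr "C:\Program Files\Vendor\update.exe"'},
]


def is_script(path):
    return bool(SCRIPT_EXT.search(path))


def is_user_writable(path):
    return bool(USER_WRITABLE.search(path))


def check_run_key(ev):
    """Run value whose target is a script sitting in a user-writable directory."""
    if ev["type"] != "reg_set" or not re.search(r"\\CurrentVersion\\Run\\", ev["key"], re.I):
        return None
    target = ev["value"].strip('"')
    if is_script(target) and is_user_writable(target):
        name = ev["key"].rsplit("\\", 1)[-1]
        return f"Run value {name} -> {target}"
    return None


def check_startup_drop(ev):
    """Script written into the per-user Startup folder."""
    if ev["type"] == "file_create" and is_script(ev["path"]) \
            and re.search(r"\\Start Menu\\Programs\\Startup\\", ev["path"], re.I):
        return f"startup folder drop -> {ev['path']}"
    return None


def check_schtasks(ev):
    """schtasks /create whose /tr action is a script in a user-writable directory."""
    if ev["type"] != "proc_create" or ev["process"].lower() != "schtasks.exe":
        return None
    cl = ev["cmdline"]
    m = TASK_TARGET.search(cl)
    if not re.search(r"/create\b", cl, re.I) or not m:
        return None
    target = m.group(1)
    if is_script(target) and is_user_writable(target):
        tn = re.search(r"/tn\s+(\S+)", cl, re.I)
        return f"scheduled task {tn.group(1) if tn else '?'} -> {target}"
    return None


def check_wscript_child(ev):
    """wscript.exe in batch mode (//B suppresses error dialogs) on a script in a user-writable path."""
    if ev["type"] != "proc_create" or ev["process"].lower() != "wscript.exe":
        return None
    cl = ev["cmdline"]
    paths = WIN_PATH.findall(cl)
    target = paths[-1] if paths else ""
    if "//b" in cl.lower() and is_script(target) and is_user_writable(target):
        return f"wscript //B (parent {ev.get('parent', '?')}) -> {target}"
    return None


def check_geofence(ev):
    """Script host reading the configured country code, the report's geofence indicator."""
    if ev["type"] == "reg_query" and ev["key"].lower().endswith(r"\geo\nation") \
            and ev["process"].lower() in ("wscript.exe", "cscript.exe", "mshta.exe"):
        return f"{ev['process']} read the Geo Nation value (possible geofence)"
    return None


RULES = (check_run_key, check_startup_drop, check_schtasks, check_wscript_child, check_geofence)


def triage(events):
    """Return (rule name, detail) for every event that matches a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, hit))
    return findings


if __name__ == "__main__":
    for name, detail in triage(EVENTS):
        print(f"{name:20s} {detail}")
```

The schtasks rule deliberately tolerates the unterminated /tr value seen in this report's command line, since a strict quoted-string parser would drop that indicator; the benign control record (a vendor updater task pointing at Program Files) shows that the user-writable-path condition, not the use of schtasks itself, is what carries the signal.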
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 04061d4008e6b4a69043fb096e6885ac
SHA1: 3f5173c3d152b1503c7f1be11d05f9dc9a67b434
SHA256: 9218ad83bc4db36160c1a0e76168f63ffb64c1e480af59dce5c76e9b9561a37d
SHA512: 37af42458de31311c322ea0b7088c01148663414633d5842185f149844f874fe85379f4e440376be781097285e50398ab61241b390cc7c68542d1fa4fb31da81