Analysis
Max time kernel: 140s
Max time network: 144s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 23/08/2022, 01:56
Static task: static1
Behavioral task: behavioral1
Sample: cLAskPOVmATadexax2223.js
Resource: win7-20220812-en
General
Target: cLAskPOVmATadexax2223.js
Size: 22KB
MD5: 4d13e3eb8679c9a8a1a95ee8c363e707
SHA1: 2762322525e6205038d8514deaab9bd24ac2a9e9
SHA256: 036046d5ad198798908412fb75cb37ddc9dba5bbf7397b397a7d75ab3e7f7956
SHA512: 5ee2bf606ecd1b9bfe646338bd083e2caaf9b681ebee84c158ec2c2711401dc23c4f34567bb56ae2708eabfe9c2d3f2b97a39b5b3a9b241774983cdd5738993b
Malware Config
Extracted
Family: vjw0rm
C2: http://185.157.162.75:2223
Signatures
Blocklisted process makes network request (1 IoC)
flow | pid | Process
3 | 1692 | wscript.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js | wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "Likely ransomware behaviour"; for a vjw0rm sample, drive enumeration is better explained by the family's removable-drive propagation, and no encryption-related signature was recorded in this run.
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1692 wrote to memory of 1864 | 1692 | wscript.exe | 27
PID 1692 wrote to memory of 1864 | 1692 | wscript.exe | 27
PID 1692 wrote to memory of 1864 | 1692 | wscript.exe | 27
(three identical write events recorded against the child script host)
Processes
C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js
  PID: 1692
  Signatures: Blocklisted process makes network request; Drops startup file; Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe (child of PID 1692)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tekCJjaePX.js"
    PID: 1864
The initial script, run from the user's Temp folder, writes a file of the same name into the per-user Startup folder for logon persistence and relaunches the script host in batch mode (//B, which suppresses script errors and prompts) on a second script, tekCJjaePX.js, under AppData\Roaming.
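Detection logic for the behaviour chain recorded above (a script host drops a .js into the Startup folder, relaunches itself with //B on a file under AppData\Roaming, and calls out to a raw IP on a non-standard port), written here as an added example; it is not part of the report. The event records, the benign control entry, the parent PIDs (1000, 900) and the rule names are constructed to mirror the IoCs listed above, not captured telemetry.

```python
"""Detection logic for the wscript.exe chain recorded in this report.

Constructed events modelled on the report's process tree, file IoCs and
extracted C2; they are not captured telemetry from the sandbox.
"""
import ipaddress
import re
from urllib.parse import urlparse

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Per-user Startup folder: anything a script host writes here runs at logon.
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# WScript //B (batch mode) suppresses script errors and prompts; a script
# host relaunching itself with //B on a file in AppData is the second stage.
BATCH_FLAG_RE = re.compile(r"(?i)(^|\s)//b(\s|$)")

EVENTS = [  # constructed from the report; PIDs and paths as listed there
    {"type": "process", "pid": 1692, "ppid": 1000,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js"},
    {"type": "file", "pid": 1692, "image": r"C:\Windows\system32\wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js"},
    {"type": "process", "pid": 1864, "ppid": 1692,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tekCJjaePX.js"'},
    {"type": "network", "pid": 1692, "image": r"C:\Windows\system32\wscript.exe",
     "url": "http://185.157.162.75:2223"},
    # Benign control (constructed): a logon script from a share, no persistence.
    {"type": "process", "pid": 2200, "ppid": 900,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo \\fs01\netlogon\map_drives.vbs"},
]


def image_name(path):
    """Lower-cased file name of an image path (case differs between events)."""
    return path.rsplit("\\", 1)[-1].lower()


def is_raw_ip_c2(url):
    """True when the URL targets a literal IP on a port other than 80/443."""
    u = urlparse(url)
    try:
        ipaddress.ip_address(u.hostname or "")
    except ValueError:
        return False
    return u.port not in (None, 80, 443)


def detect(events):
    """Return (rule, pid, evidence) tuples for each matching event."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if image_name(e["image"]) not in SCRIPT_HOSTS:
            continue
        if e["type"] == "file":
            if STARTUP_RE.search(e["path"]) and e["path"].lower().endswith(SCRIPT_EXT):
                findings.append(("script_host_drops_startup_script", e["pid"], e["path"]))
        elif e["type"] == "process":
            parent = procs.get(e["ppid"])
            if (parent and image_name(parent["image"]) in SCRIPT_HOSTS
                    and BATCH_FLAG_RE.search(e["cmdline"])):
                findings.append(("script_host_spawns_batch_script_host", e["pid"], e["cmdline"]))
        elif e["type"] == "network" and is_raw_ip_c2(e["url"]):
            findings.append(("script_host_connects_raw_ip_port", e["pid"], e["url"]))
    return findings


if __name__ == "__main__":
    for rule, pid, evidence in detect(EVENTS):
        print(f"{rule:40} pid={pid} {evidence}")
```

The three rules are deliberately independent: each one fires on its own event type, so the Startup drop is caught even if the second-stage launch or the C2 call-out is missed, and the benign cscript logon script trips none of them.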
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 6KB
MD5: 03e3c601fbb227e986a13bd98d98493a
SHA1: fe2f78aa29c17ad88506ce667b493bc507fe1884
SHA256: 6b641a01433c2ce557e6682bdc431f1558499520132336317c8ff6aed54614e0
SHA512: 9ccfb7edeffdf67555a9475960c365dce0a99caa58ead2422354c5c201e0b7cc7fa22b2975b97cf75273be2bce2ce66013db4617d9cc29ca2a1d5fd1b20e0870