Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2022, 01:56

Static task: static1
Behavioral task: behavioral1
Sample: cLAskPOVmATadexax2223.js
Resource: win7-20220812-en
General
Target: cLAskPOVmATadexax2223.js
Size: 22KB
MD5: 4d13e3eb8679c9a8a1a95ee8c363e707
SHA1: 2762322525e6205038d8514deaab9bd24ac2a9e9
SHA256: 036046d5ad198798908412fb75cb37ddc9dba5bbf7397b397a7d75ab3e7f7956
SHA512: 5ee2bf606ecd1b9bfe646338bd083e2caaf9b681ebee84c158ec2c2711401dc23c4f34567bb56ae2708eabfe9c2d3f2b97a39b5b3a9b241774983cdd5738993b
Malware Config
Extracted
Family: vjw0rm
C2: http://185.157.162.75:2223
Signatures

Blocklisted process makes network request (1 IoC)
flow  pid   process
3     4208  wscript.exe
The destination of flow 3 is not listed in this section; the only network endpoint recorded for the sample is the C2 in the extracted config above.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely as a geofence check. The Nation value under Control Panel\International\Geo holds the GeoID of the user's configured location; scripts read it to skip victims in particular countries, so a sandbox whose locale is set to an excluded region may see the sample exit without doing anything.
description        ioc                                                                                                    process
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation   wscript.exe

Drops startup file (2 IoCs)
The sample copies itself under its own name into the per-user Startup folder, so it is re-executed by wscript.exe at every logon.
description                   ioc                                                                                                      process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js    wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLAskPOVmATadexax2223.js    wscript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note that this is the sandbox's generic description for the heuristic. For a sample identified as vjw0rm, drive enumeration is better explained by the worm's known propagation via removable drives than by encryption; no file-encryption activity appears anywhere in this report.

Suspicious use of WriteProcessMemory (2 IoCs)
description                      pid   process      procid_target
PID 4208 wrote to memory of 456  4208  wscript.exe  83
PID 4208 wrote to memory of 456  4208  wscript.exe  83
The target, PID 456, is the second wscript.exe instance in the process tree below. This signature commonly fires when a parent creates a child process, so treat it as corroboration of the launch chain rather than as evidence of code injection on its own.
Processes

1. C:\Windows\system32\wscript.exe  (PID 4208)
   command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js
   - Blocklisted process makes network request
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe  (PID 456)
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tekCJjaePX.js"
      The //B switch is WSH batch mode: script errors and prompts are not displayed, so the second-stage script in AppData\Roaming runs without any visible window.
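Detection logic for the behaviours listed under Signatures and in the process tree, as an added example that is not part of the sandbox report. It runs over a handful of constructed events modelled on the report's PIDs, paths, registry key and extracted C2 address, plus two benign events to show the rules stay quiet on ordinary activity. The event dictionaries, field names and rule names are my assumptions (loosely Sysmon-shaped, not Sysmon's real schema).

```python
"""Detection rules for the wscript.exe behaviours in the report above, run
over constructed events (added example; not part of the sandbox report).
Event layout and field names are a simplified assumption, not Sysmon's schema."""
import re

# Constructed events. PIDs, paths, the registry key and the C2 come from the
# report; the last two events are benign noise for the rules to ignore.
EVENTS = [
    {"event": "process_create", "pid": 4208, "ppid": 1234,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\cLAskPOVmATadexax2223.js"},
    {"event": "registry_query", "pid": 4208,
     "image": r"C:\Windows\system32\wscript.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"event": "file_create", "pid": 4208,
     "image": r"C:\Windows\system32\wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
             r"\Programs\Startup\cLAskPOVmATadexax2223.js"},
    {"event": "process_create", "pid": 456, "ppid": 4208,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B '
                r'"C:\Users\Admin\AppData\Roaming\tekCJjaePX.js"'},
    {"event": "network_connect", "pid": 4208,
     "image": r"C:\Windows\system32\wscript.exe",
     "dest_ip": "185.157.162.75", "dest_port": 2223},
    {"event": "process_create", "pid": 900, "ppid": 1234,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event": "network_connect", "pid": 900,
     "image": r"C:\Windows\explorer.exe",
     "dest_ip": "13.107.4.52", "dest_port": 443},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
KNOWN_C2 = {("185.157.162.75", 2223)}  # from the extracted vjw0rm config
SCRIPT_EXT = r"(js|jse|vbs|vbe|wsf|hta)"
# script dropped into the per-user Startup folder (logon persistence)
STARTUP_SCRIPT = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\." + SCRIPT_EXT + r"$", re.I)
# GeoID lookup used for geofencing
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# //B (WSH batch mode, no error dialogs) on a script under AppData\Roaming
ROAMING_STAGE2 = re.compile(
    r'//b\b.*\\AppData\\Roaming\\[^\\"]+\.' + SCRIPT_EXT, re.I)


def _name(path):
    """Lower-case file name of an image path (backslash or slash separated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) pairs for every event that matches one of the rules."""
    image_of = {e["pid"]: _name(e["image"])
                for e in events if e["event"] == "process_create"}
    hits = []
    for e in events:
        img, kind = _name(e["image"]), e["event"]
        if kind == "process_create":
            parent = image_of.get(e["ppid"], "")
            if (parent in SCRIPT_HOSTS and img in SCRIPT_HOSTS
                    and ROAMING_STAGE2.search(e["cmdline"])):
                hits.append(("script_host_stage2_from_roaming", e["pid"]))
        elif kind == "registry_query":
            if img in SCRIPT_HOSTS and GEO_NATION.search(e["key"]):
                hits.append(("geofence_registry_lookup", e["pid"]))
        elif kind == "file_create":
            if img in SCRIPT_HOSTS and STARTUP_SCRIPT.search(e["path"]):
                hits.append(("startup_folder_script_drop", e["pid"]))
        elif kind == "network_connect" and img in SCRIPT_HOSTS:
            dest = (e["dest_ip"], e["dest_port"])
            rule = "script_host_known_c2" if dest in KNOWN_C2 else "script_host_network"
            hits.append((rule, e["pid"]))
    return hits


def verdict(hits, min_rules=2):
    """Group hits per PID; keep processes that matched at least min_rules rules."""
    per_pid = {}
    for rule, pid in hits:
        per_pid.setdefault(pid, set()).add(rule)
    return {pid: sorted(r) for pid, r in per_pid.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pid in found:
        print(f"{pid:>5}  {rule}")
    print(verdict(found))
```

On the constructed events PID 4208 matches three rules (geofence lookup, Startup-folder drop, connection to the known C2) and the child PID 456 matches one (the //B relaunch from AppData\Roaming). A single script-host rule on its own is noisy where logon scripts are common; the per-process correlation in `verdict` is what carries weight, and in a real pipeline the child's hit should be joined to its parent through the ppid rather than scored separately as here.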
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 6KB
MD5: 03e3c601fbb227e986a13bd98d98493a
SHA1: fe2f78aa29c17ad88506ce667b493bc507fe1884
SHA256: 6b641a01433c2ce557e6682bdc431f1558499520132336317c8ff6aed54614e0
SHA512: 9ccfb7edeffdf67555a9475960c365dce0a99caa58ead2422354c5c201e0b7cc7fa22b2975b97cf75273be2bce2ce66013db4617d9cc29ca2a1d5fd1b20e0870