Analysis
max time kernel: 146s
max time network: 150s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2022, 17:42
Static task: static1
Behavioral task: behavioral1
  Sample: proceso-0088-002022-685642634.pdf.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: proceso-0088-002022-685642634.pdf.js
  Resource: win10v2004-20220812-en
General
Target: proceso-0088-002022-685642634.pdf.js
Size: 23KB
MD5: 53619d08eda46fc81c624d24411609e4
SHA1: 1cca486239c40245198974697afabc4609ea12da
SHA256: 5cb896f3395e99416d3b91fef16bb735b5bb649f86dd0d94f6191ea3369cf596
SHA512: 9cd39fb0aac85cc74928b65ba1c8669df07d0bad8998794a90fd1e21c003dcc394ba346208157715acf7b3487d3347a7a1dacf7e6af027ea98d6a02b15bbfb56
SSDEEP: 384:jpLqUVwuBf5oocGTQ1MyKsijegDvgKmyl5NetPPg8nlPL1i0U9RJ/XSvBafZUR8A:dLqQvBf5oPGTyMRsije4vgKPcPPg4PLP
Malware Config
Extracted: vjw0rm
  http://194.5.98.48:4456
Signatures
Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  3 | 1708 | wscript.exe
Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proceso-0088-002022-685642634.pdf.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proceso-0088-002022-685642634.pdf.js | wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\1ET4SWR6G7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\proceso-0088-002022-685642634.pdf.js\"" | wscript.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1708 wrote to memory of 1188 | 1708 | wscript.exe | 26
  PID 1708 wrote to memory of 1188 | 1708 | wscript.exe | 26
  PID 1708 wrote to memory of 1188 | 1708 | wscript.exe | 26
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\proceso-0088-002022-685642634.pdf.js
   PID: 1708
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SKVvqgvCri.js"
      PID: 1188
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 6KB
MD5: 632e1d5b2d29cef6f5df8691f556d83a
SHA1: c8779f384f25f04906274424479c1adfebb367f7
SHA256: 8b6c82d207009ca49d2e7d588708e856a4e874cfe9318b74c4cd81998ff2b54d
SHA512: 9e690d94e5461fa3b230b0b123fc092142d2d1af2d3795ba6b5c4e5671dcf4c3cf005a472fc828307fc6e41996d517806f3a950c5f8b0ced3a78d2fd41390c68