Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25/08/2022, 17:42
Static task
static1
Behavioral task
behavioral1
Sample
proceso-0088-002022-685642634.pdf.js
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
proceso-0088-002022-685642634.pdf.js
Resource
win10v2004-20220812-en
General
-
Target
proceso-0088-002022-685642634.pdf.js
-
Size
23KB
-
MD5
53619d08eda46fc81c624d24411609e4
-
SHA1
1cca486239c40245198974697afabc4609ea12da
-
SHA256
5cb896f3395e99416d3b91fef16bb735b5bb649f86dd0d94f6191ea3369cf596
-
SHA512
9cd39fb0aac85cc74928b65ba1c8669df07d0bad8998794a90fd1e21c003dcc394ba346208157715acf7b3487d3347a7a1dacf7e6af027ea98d6a02b15bbfb56
-
SSDEEP
384:jpLqUVwuBf5oocGTQ1MyKsijegDvgKmyl5NetPPg8nlPL1i0U9RJ/XSvBafZUR8A:dLqQvBf5oPGTyMRsije4vgKPcPPg4PLP
Malware Config
Extracted
vjw0rm
http://194.5.98.48:4456
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 4 4940 wscript.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proceso-0088-002022-685642634.pdf.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proceso-0088-002022-685642634.pdf.js wscript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1ET4SWR6G7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\proceso-0088-002022-685642634.pdf.js\"" wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4940 wrote to memory of 5064 4940 wscript.exe 83 PID 4940 wrote to memory of 5064 4940 wscript.exe 83
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\proceso-0088-002022-685642634.pdf.js1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SKVvqgvCri.js"2⤵PID:5064
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5632e1d5b2d29cef6f5df8691f556d83a
SHA1c8779f384f25f04906274424479c1adfebb367f7
SHA2568b6c82d207009ca49d2e7d588708e856a4e874cfe9318b74c4cd81998ff2b54d
SHA5129e690d94e5461fa3b230b0b123fc092142d2d1af2d3795ba6b5c4e5671dcf4c3cf005a472fc828307fc6e41996d517806f3a950c5f8b0ced3a78d2fd41390c68