Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/09/2022, 11:59

General

  • Target

    Bill_for_September.js

  • Size

    117KB

  • MD5

    0d4ce6bd62a6939871782dbf6dc33905

  • SHA1

    c59f4f36d9b46b8e4c131401fa4054f50450e245

  • SHA256

    4fcdcb3039331525724bfeb0cbc97bd0893de48d4aa4ca95e282f0a8f2a1a5ab

  • SHA512

    07b7f3d7cb81a48c90f21bfdf22b0f6cb3941631ab14d05004b813f031d0c5b41538818e4b8c15b83081f48f522adce9b3e01d9f43cf3d202d142f0ea806aff1

  • SSDEEP

    1536:LfgQ2U241TiKP3/qopoIo8kQjZs1BGMLOivlSPPQh7l1GCVbabMOijrkJpQt:BVxiufpoTnBzK7cvhaoNr1t

Malware Config

Extracted

Family

formbook

Campaign

te2r

Decoy

Fd9/7zupFcFsmNMDWQ==

7VlRReDWtbu4LUTd5fNe/zPDyw==

jQgurOY8oCSzrjSP+2/F1jU=

xTMzpNwUaiHAy4+Anaz1

RcLapxVS9iOZhw==

lfLSnVItJp+5ImXLvcrLFTUXRmDxTnik

vj9fMOxFLjrOtdhP1GZo0KXIQ388

/91mgBbtxFIxtQk=

4FZ0aRyH/rEdFibAy+VjQyWIUIZaHBQ=

ScHdt3/t4FIxtQk=

/M9svqdL9iOZhw==

iFX1abANxkj893bVWA==

KzjvVANMpiTBmg==

aEKKEue7E9JtmNMDWQ==

+Mdhw6992svnUbzeo5y0zSn+B2co

albc98wrE0xtKjOoOOQ=

DV6CgU6omcjeZ6bJEG/F1jU=

NH981rm1JdyUNRd1

yi0xIqrxV83bmNMDWQ==

v8l52aXp4VIxtQk=

Signatures

  • Formbook

    Formbook is an information stealer: it hooks browsers and other applications to grab submitted form data, logs keystrokes and takes screenshots, and hides its real C2 among a list of decoy domains (the encoded Decoy entries in the extracted config above).

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript (run under wscript.exe) that also spreads as a worm by copying itself to removable drives.

  • Blocklisted process makes network request 16 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; with Vjw0rm in the chain it more plausibly reflects the worm enumerating removable drives to copy itself to them.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Bill_for_September.js
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OKbZTSiYGW.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:3300
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fqobbsahk.txt"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe
        C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:432
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5068
        • C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe
          C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3472
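The tree above carries four details worth pulling out by hand: the second wscript.exe runs a copy dropped under %AppData%\Roaming, javaw.exe is handed a JAR renamed to .txt, the encoded PowerShell argument decodes (base64 of UTF-16LE) to `Start-Sleep -Seconds 50`, which burns a third of the 145 s analysis window, and the 6 KB dropper re-launches its own image, which together with the SetThreadContext signature is the usual shape of process hollowing. The script below is an added triage helper written for this page, not sandbox output or the malware's code; the PIDs and command lines are copied from the report, while the parent/child links are reconstructed from the tree's indentation and are an assumption.

```python
# Added triage helper for the process tree above (editor's example, not sandbox
# output). Command lines are copied from the report; the parent/child links
# follow the tree's indentation and are an assumption.
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KERNEL_TIMEOUT_S = 145  # "max time kernel" from the report header


@dataclass
class Proc:
    pid: int
    ppid: int      # 0 = root of the tree
    image: str     # image path as the sandbox resolved it
    cmdline: str   # command line as logged


# Process tree as reported above (PIDs and command lines verbatim).
TREE = [
    Proc(5004, 0, r"C:\Windows\system32\wscript.exe",
         r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Bill_for_September.js"),
    Proc(3300, 5004, r"C:\Windows\System32\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OKbZTSiYGW.js"'),
    Proc(5076, 5004, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
         r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fqobbsahk.txt"'),
    Proc(432, 5076, r"C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe",
         r"C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe"),
    Proc(5068, 432, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA=='),
    Proc(3472, 432, r"C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe",
         r"C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common
# spellings are listed here.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+(\S+)")
SLEEP = re.compile(r"(?i)start-sleep\s+(?:-s(?:econds)?\s+)?(\d+)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument (base64 over UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1).strip("\"'")).decode("utf-16-le")


def sleep_seconds(script: str) -> Optional[int]:
    """Seconds requested by a Start-Sleep call, or None if there is none."""
    m = SLEEP.search(script)
    return int(m.group(1)) if m else None


def triage(tree: List[Proc]) -> List[Tuple[int, str]]:
    """Flag the lineage patterns visible in this report as (pid, note) pairs."""
    by_pid = {p.pid: p for p in tree}
    findings: List[Tuple[int, str]] = []
    for p in tree:
        img, cl = p.image.lower(), p.cmdline.lower()
        parent = by_pid.get(p.ppid)

        # Script host executing a copy dropped under %AppData%\Roaming.
        if img.endswith(("wscript.exe", "cscript.exe")) and "\\appdata\\roaming\\" in cl:
            findings.append((p.pid, "wscript runs a script from %AppData%\\Roaming (dropped copy)"))

        # java -jar on a file that does not carry the .jar extension.
        if img.endswith(("java.exe", "javaw.exe")):
            m = re.search(r'-jar\s+(?:"([^"]+)"|(\S+))', p.cmdline, re.I)
            jar = (m.group(1) or m.group(2)) if m else None
            if jar and not jar.lower().endswith(".jar"):
                findings.append((p.pid, f"javaw -jar on a non-.jar file: {jar}"))

        if img.endswith("powershell.exe"):
            decoded = decode_encoded_command(p.cmdline)
            if decoded is not None:
                findings.append((p.pid, f"-enc decodes to: {decoded}"))
                secs = sleep_seconds(decoded)
                if secs is not None:
                    findings.append((p.pid, f"sleeps {secs}s of a {KERNEL_TIMEOUT_S}s analysis window"))
            # Image under SysWOW64 while the command line says System32: the
            # caller is 32-bit and WOW64 file system redirection rewrote the path.
            if "\\syswow64\\" in img and "\\system32\\" in cl:
                findings.append((p.pid, "32-bit parent (System32 path redirected to SysWOW64)"))

        # A process re-launching its own image, here next to the SetThreadContext
        # signature on the parent, is the usual shape of process hollowing.
        if parent is not None and parent.image.lower() == img:
            findings.append((p.pid, f"re-executes its own image (parent PID {parent.pid})"))
    return findings


if __name__ == "__main__":
    for pid, note in triage(TREE):
        print(f"PID {pid}: {note}")
```

Feeding the same six records from a Sysmon event 1 export works unchanged as long as the image path comes from the event rather than the command line, since that is what exposes the SysWOW64 redirection.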


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe

          Filesize

          6KB

          MD5

          ca997af70e0e7ba134bd85015d945684

          SHA1

          0d2972cf028063d8086fc6207537d8d1796993b7

          SHA256

          74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec

          SHA512

          836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

        • C:\Users\Admin\AppData\Roaming\OKbZTSiYGW.js

          Filesize

          6KB

          MD5

          cd1e26090eca7148fb0bf3d0a9070791

          SHA1

          745715f115adbc17ee4f903908cedbf5f33fe305

          SHA256

          5ccd5f609f1f1c47e835968018ad8efc7dc25c6ab5c6b8212a279ddd494b7196

          SHA512

          12b6a39cd7e3495c562e8c5a73aeba37e7055d5c4049a1a976a9945609ae7452d0ceb70e9c95432151104cd39991dadc36978ac87c1b09cb09cb53d17f014bdc

        • C:\Users\Admin\AppData\Roaming\fqobbsahk.txt

          Filesize

          51KB

          MD5

          f3fec1cda20623152eadff01fa271dd9

          SHA1

          24b5b9e16d17fa7828b0f2edeaa5aab8ac8bacfb

          SHA256

          eb5605cc851a689a83c9555f48465ea5d13af94ea8db927e6f8ba32640462efc

          SHA512

          5895e77dedd7756e98f4484b0ea0bdba348211349eb6483ca002d60d293e58f253028a4b07f6deab2d902cbbcc502cf75ac812ec38c30fd05d7e74d1cc5a8a2f

        • memory/432-151-0x0000000000230000-0x0000000000238000-memory.dmp (Filesize 32KB)
        • memory/432-154-0x00000000094E0000-0x0000000009502000-memory.dmp (Filesize 136KB)
        • memory/3472-171-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize 184KB)
        • memory/3472-170-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
        • memory/3472-172-0x00000000018C0000-0x0000000001C0A000-memory.dmp (Filesize 3.3MB)
        • memory/3472-167-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
        • memory/5068-157-0x0000000005800000-0x0000000005E28000-memory.dmp (Filesize 6.2MB)
        • memory/5068-156-0x0000000002C70000-0x0000000002CA6000-memory.dmp (Filesize 216KB)
        • memory/5068-159-0x0000000005F10000-0x0000000005F76000-memory.dmp (Filesize 408KB)
        • memory/5068-160-0x00000000065A0000-0x00000000065BE000-memory.dmp (Filesize 120KB)
        • memory/5068-161-0x0000000007DF0000-0x000000000846A000-memory.dmp (Filesize 6.5MB)
        • memory/5068-162-0x0000000006A90000-0x0000000006AAA000-memory.dmp (Filesize 104KB)
        • memory/5068-158-0x0000000005E30000-0x0000000005E96000-memory.dmp (Filesize 408KB)
        • memory/5076-164-0x0000000002DE0000-0x0000000003DE0000-memory.dmp (Filesize 16.0MB)
        • memory/5076-163-0x0000000002DE0000-0x0000000003DE0000-memory.dmp (Filesize 16.0MB)
        • memory/5076-153-0x0000000002DE0000-0x0000000003DE0000-memory.dmp (Filesize 16.0MB)
        • memory/5076-152-0x0000000002DE0000-0x0000000003DE0000-memory.dmp (Filesize 16.0MB)
        • memory/5076-145-0x0000000002DE0000-0x0000000003DE0000-memory.dmp (Filesize 16.0MB)
        • memory/5076-173-0x0000000002DE0000-0x0000000003DE0000-memory.dmp (Filesize 16.0MB)
        • memory/5076-174-0x0000000002DE0000-0x0000000003DE0000-memory.dmp (Filesize 16.0MB)