Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/09/2022, 09:26

General

  • Target
    Order_PO62525112155.js
  • Size
    348KB
  • MD5
    baa9ab709a99c55195c2fe2d337ea9e6
  • SHA1
    42959e7df94322d5aae1218db8dd24448ee8b3e6
  • SHA256
    b5fe0b324c6401f3b25e3dc121d159b663cfd2e58dfe161fddfdef7e107f4f80
  • SHA512
    b0195c452dc4112e037f6737f57f04df6a6dad553932b7241300115a11a732438d8de6158673ea06d7e8b7bb81394018f90119494eb6750c7a1e6a1c68eed390
  • SSDEEP
    6144:amMlxZnzblW5d1qLE/yNo3YuKsYN7NssdJm2JZ7k29RypsQo1o0t+f:amM3Jz3VeYuKPHs+Jzi29RWsQo8f

Malware Config

Extracted

  • Family
    formbook
  • Campaign
    douy
  • Decoy

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request (6 IoCs)
  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other secrets.

  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (62 IoCs)
  • Suspicious behavior: MapViewOfSection (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\system32\wscript.exe (PID 4248)
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Order_PO62525112155.js
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\wscript.exe (PID 4676)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\spFEowQViP.js"
      • Blocklisted process makes network request
      • Drops startup file
    • C:\Users\Admin\AppData\Local\Temp\binx.exe (PID 1600)
      "C:\Users\Admin\AppData\Local\Temp\binx.exe"
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cscript.exe (PID 3932)
        "C:\Windows\SysWOW64\cscript.exe"
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • C:\Program Files\Mozilla Firefox\Firefox.exe (PID 2116)
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
  • C:\Windows\Explorer.EXE (PID 2712)
    C:\Windows\Explorer.EXE

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\binx.exe
    Filesize: 185KB
    MD5: 21718633ba6c7c6e83147a334dd6266c
    SHA1: 5459c562ed6c407ce38b860ce4e594e9c3744235
    SHA256: 43917a72ddc8088875ae0d248876d31f6dffd5ad4bb18a25ae5cadf2a7010bf6
    SHA512: 8c37c1eda02435ad02a411a57efc035cdd69cb43a0b5da6f21b470ac56e9ea2eba041587b8c41bd6539a0905603990d2939104dafc029af6fe35bbd6a22d836a

  • C:\Users\Admin\AppData\Roaming\spFEowQViP.js
    Filesize: 7KB
    MD5: 4326214270abe9617a275433b8c6e10b
    SHA1: f7f175d352a1b08c702101ef47d46cf5f79e1bf3
    SHA256: b06c913e4c3d3e5476ff270359cfd431ae6cedb6088e7ce6dd78eb01f5e2603f
    SHA512: b576ada7cfb97f367f1e3480a9fb02b630584ac7f5826c6a21f75046961cb724e6733a53b96cd24843bc06edbb25fbc5585e1164f1cf34ec5533a1c8e0490ac8
  • memory/1600-141-0x0000000001170000-0x0000000001180000-memory.dmp
    Filesize: 64KB
  • memory/1600-137-0x00000000005A0000-0x00000000005CF000-memory.dmp
    Filesize: 188KB
  • memory/1600-138-0x00000000011F0000-0x000000000153A000-memory.dmp
    Filesize: 3.3MB
  • memory/1600-139-0x00000000007F0000-0x0000000000800000-memory.dmp
    Filesize: 64KB
  • memory/1600-143-0x00000000005A0000-0x00000000005CF000-memory.dmp
    Filesize: 188KB
  • memory/2712-142-0x0000000002D40000-0x0000000002EA7000-memory.dmp
    Filesize: 1.4MB
  • memory/2712-140-0x0000000002C60000-0x0000000002D3F000-memory.dmp
    Filesize: 892KB
  • memory/2712-149-0x0000000003180000-0x000000000323A000-memory.dmp
    Filesize: 744KB
  • memory/2712-151-0x0000000003180000-0x000000000323A000-memory.dmp
    Filesize: 744KB
  • memory/3932-146-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB
  • memory/3932-145-0x0000000000D10000-0x0000000000D37000-memory.dmp
    Filesize: 156KB
  • memory/3932-147-0x00000000026C0000-0x0000000002A0A000-memory.dmp
    Filesize: 3.3MB
  • memory/3932-148-0x0000000002350000-0x00000000023DF000-memory.dmp
    Filesize: 572KB
  • memory/3932-150-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize: 180KB