Analysis

max time kernel: 151s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 10/10/2022, 09:16

Static task: static1

Behavioral task: behavioral1
  Sample: scan002548.pdf.js
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: scan002548.pdf.js
  Resource: win10v2004-20220812-en
General

Target: scan002548.pdf.js
Size: 16KB
MD5: 4580dbb222f08f1c08a6e79a1e12f3aa
SHA1: d363d4d19625e3931bbda3a9ca7b776485768a50
SHA256: b921ff143f8ca087ff5300fc4bbfe2380d4b8f33d05120d2aec85faebce907f8
SHA512: f4d9bd04313ea69bf9bc4b07c8c11f1938629c099168c3ab6cf23ce188e2157bfd48f3abf0ab2656e9469792e7d066f24aa8ed6f487bf8db9711f62ce98313b0
SSDEEP: 384:XFHo+Kdxqm4y1eJcztRyKQbiWMzCKQzhvzS2aGapj:XBobnxeIRyrMzqxPapj

Malware Config

Extracted
  Family: vjw0rm
  C2: http://whiteking.giize.com:6565
Signatures

Blocklisted process makes network request (6 IoCs)

flow  pid   Process
7     1496  wscript.exe
8     784   wscript.exe
10    1496  wscript.exe
14    1496  wscript.exe
18    1496  wscript.exe
21    1496  wscript.exe

Drops startup file (4 IoCs)

description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scan002548.pdf.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scan002548.pdf.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NbcMSbvqgG.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NbcMSbvqgG.js | wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\PTGGDQ1TZR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\scan002548.pdf.js\"" | wscript.exe

Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (3 IoCs)

description                      pid  Process      procid_target
PID 784 wrote to memory of 1496  784  wscript.exe  26
PID 784 wrote to memory of 1496  784  wscript.exe  26
PID 784 wrote to memory of 1496  784  wscript.exe  26
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\scan002548.pdf.js
   PID: 784
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NbcMSbvqgG.js"
      PID: 1496
      - Blocklisted process makes network request
      - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 5KB
MD5: 38ab62fc6688bab6d4a1b275969e147d
SHA1: dfc02f21a6ec8b17e8e10f26de161ed06ac3bcb7
SHA256: 3a46e2e43ceb2f2edb5ccebef9bddc9dc79d8fcbf6e266bffa8be503618b33b3
SHA512: 276744bff93bd1f5bd970a640ca09a27b938daff4a71bda9623870b5ae8d033d2105fe3ccffeac2ccf1cd123b9febedd8d1e78140f988abc979f96c79161530d