Analysis
max time kernel: 110s
max time network: 118s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 10/10/2022, 11:23
Static task: static1
Behavioral task: behavioral1
  Sample: PROD 10 OUTUBRO 22- combustiveis Liquidos.xls.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: PROD 10 OUTUBRO 22- combustiveis Liquidos.xls.js
  Resource: win10v2004-20220812-en
General
Target: PROD 10 OUTUBRO 22- combustiveis Liquidos.xls.js (double extension: a spreadsheet-looking name that actually ends in .js, so it is run by the Windows Script Host)
Size: 16KB
MD5: 4580dbb222f08f1c08a6e79a1e12f3aa
SHA1: d363d4d19625e3931bbda3a9ca7b776485768a50
SHA256: b921ff143f8ca087ff5300fc4bbfe2380d4b8f33d05120d2aec85faebce907f8
SHA512: f4d9bd04313ea69bf9bc4b07c8c11f1938629c099168c3ab6cf23ce188e2157bfd48f3abf0ab2656e9469792e7d066f24aa8ed6f487bf8db9711f62ce98313b0
SSDEEP: 384:XFHo+Kdxqm4y1eJcztRyKQbiWMzCKQzhvzS2aGapj:XBobnxeIRyrMzqxPapj
Malware Config
Extracted
Family: vjw0rm
C2: http://whiteking.giize.com:6565
Signatures
Blocklisted process makes network request (5 IoCs)
flow  pid   process
7     1860  wscript.exe
8     1612  wscript.exe
12    1860  wscript.exe
15    1860  wscript.exe
18    1860  wscript.exe
Drops startup file (4 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROD 10 OUTUBRO 22- combustiveis Liquidos.xls.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROD 10 OUTUBRO 22- combustiveis Liquidos.xls.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NbcMSbvqgG.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NbcMSbvqgG.js (wscript.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\PTGGDQ1TZR = "C:\Users\Admin\AppData\Local\Temp\PROD 10 OUTUBRO 22- combustiveis Liquidos.xls.js" (wscript.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: vjw0rm is a worm that copies itself to removable drives, so drive enumeration here is consistent with USB propagation rather than file encryption.
Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   process      procid_target
PID 1612 wrote to memory of 1860  1612  wscript.exe  26
PID 1612 wrote to memory of 1860  1612  wscript.exe  26
PID 1612 wrote to memory of 1860  1612  wscript.exe  26
Processes
1. C:\Windows\system32\wscript.exe (PID 1612)
   wscript.exe "C:\Users\Admin\AppData\Local\Temp\PROD 10 OUTUBRO 22- combustiveis Liquidos.xls.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (PID 1860, child of 1612)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NbcMSbvqgG.js"
      - Blocklisted process makes network request
      - Drops startup file
      Note: //B is the Windows Script Host batch-mode switch; it suppresses script error dialogs and prompts, so the second-stage script runs without any visible window.
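The chain above (script host launched on a double-extension .xls.js, a copy dropped into the Startup folder, a Run key pointing at a script in %TEMP%, and a second wscript.exe started with //B from %AppData%) is exactly what a host-based rule set should catch. The following is an added detection example, not code from the sandbox or from the report: it runs a few rules over a constructed event list built from the report's own process, file and registry rows plus one benign OneDrive Run-key entry as a control. The event field names (kind, pid, ppid, image, cmdline, path, key, value) are this example's own convention, and the rule names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Extensions the Windows Script Host / mshta will execute, and document extensions
# commonly used as the "inner" extension of a double-extension lure (e.g. invoice.xls.js).
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
DOC_EXT = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)

TEMP_SCRIPT = r"C:\Users\Admin\AppData\Local\Temp\PROD 10 OUTUBRO 22- combustiveis Liquidos.xls.js"
STARTUP_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
RUN_KEY = r"HKU\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed event log: the report's rows, plus a benign OneDrive Run value (pid 900) as a control.
EVENTS = [
    {"kind": "process", "pid": 1612, "ppid": None, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": f'wscript.exe "{TEMP_SCRIPT}"'},
    {"kind": "file_create", "pid": 1612,
     "path": STARTUP_DIR + r"\PROD 10 OUTUBRO 22- combustiveis Liquidos.xls.js"},
    {"kind": "reg_set", "pid": 1612, "key": RUN_KEY + r"\PTGGDQ1TZR", "value": f'"{TEMP_SCRIPT}"'},
    {"kind": "process", "pid": 1860, "ppid": 1612, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NbcMSbvqgG.js"'},
    {"kind": "file_create", "pid": 1860, "path": STARTUP_DIR + r"\NbcMSbvqgG.js"},
    {"kind": "reg_set", "pid": 900, "key": RUN_KEY + r"\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def is_script(path: str) -> bool:
    return PureWindowsPath(path).suffix.lower() in SCRIPT_EXT


def has_double_extension(path: str) -> bool:
    """True for 'name.xls.js'-style lures: a document extension directly before a script extension."""
    sfx = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(sfx) >= 2 and sfx[-2] in DOC_EXT and sfx[-1] in SCRIPT_EXT


def script_arg(cmdline: str):
    """Return the first quoted or bare token of a command line / Run value that names a script, else None."""
    for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline):
        tok = m.group(1) if m.group(1) is not None else m.group(2)
        if not tok or tok.startswith("/"):   # skip empty tokens and switches such as //B, /background
            continue
        if is_script(tok):
            return tok
    return None


def detect(events):
    """Run the rules over the events; returns deduplicated (rule, pid, detail) tuples in first-seen order."""
    findings = []
    script_host_pids = set()
    for ev in events:
        kind, pid = ev["kind"], ev["pid"]
        if kind == "file_create":
            if STARTUP_RE.search(ev["path"]) and is_script(ev["path"]):
                findings.append(("startup_folder_script", pid, ev["path"]))
            if has_double_extension(ev["path"]):
                findings.append(("double_extension_lure", pid, ev["path"]))
        elif kind == "reg_set":
            target = script_arg(ev["value"])
            if target and RUN_KEY_RE.search(ev["key"]) and USER_WRITABLE_RE.search(target):
                findings.append(("run_key_script_in_user_dir", pid, ev["key"]))
            if target and has_double_extension(target):
                findings.append(("double_extension_lure", pid, target))
        elif kind == "process":
            if PureWindowsPath(ev["image"]).name.lower() not in SCRIPT_HOSTS:
                continue
            script_host_pids.add(pid)
            target = script_arg(ev["cmdline"])
            silent = any(t.lower() in ("//b", "/b") for t in ev["cmdline"].split())
            if target and silent and USER_WRITABLE_RE.search(target):
                findings.append(("silent_script_host_from_appdata", pid, target))
            if ev.get("ppid") in script_host_pids:
                findings.append(("script_host_spawns_script_host", pid, f"parent {ev['ppid']}"))
            if target and has_double_extension(target):
                findings.append(("double_extension_lure", pid, target))
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:34} pid={pid:<5} {detail}")
```

The rules deliberately key on where the script lives (Startup folder, %TEMP%, %AppData%) and on the parent/child relationship between two script-host processes rather than on the random file and value names (NbcMSbvqgG.js, PTGGDQ1TZR), which change per infection; the benign OneDrive Run value produces no finding because its target is an .exe outside the user-writable paths the rules care about.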
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 5KB
MD5: 38ab62fc6688bab6d4a1b275969e147d
SHA1: dfc02f21a6ec8b17e8e10f26de161ed06ac3bcb7
SHA256: 3a46e2e43ceb2f2edb5ccebef9bddc9dc79d8fcbf6e266bffa8be503618b33b3
SHA512: 276744bff93bd1f5bd970a640ca09a27b938daff4a71bda9623870b5ae8d033d2105fe3ccffeac2ccf1cd123b9febedd8d1e78140f988abc979f96c79161530d