Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-11-2022 06:41
Static task: static1
Behavioral task: behavioral1
  Sample: wynwormi (1).js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: wynwormi (1).js
  Resource: win10v2004-20220812-en
General
- Target: wynwormi (1).js
- Size: 6KB
- MD5: 7edcf771a2b13ab36e1e785d750d2748
- SHA1: f5e52a0b4e4d8ea14d63f55a15996ecc5043e3b3
- SHA256: 0eda80c7f56ee8ebbefcaebaf92f9bd4374249076cce2db1361b8292c7537ff2
- SHA512: 7bb655b07088512dd721221924b4055c6891c58b3e66432b6744eff773d10d73d75229bee205820393fb557aa1e92648cfc9f777f8e1eb55067484cec0132625
- SSDEEP: 192:3sIwVBBUBALLDz4kFFZAAb02nSOBzwk2sTRvBz7v/jvBD8WqkMjLRvBzwV:8IEBBaOFXZKgpQ2V
Malware Config
Extracted: vjw0rm
  C2: http://45.139.105.174:6605
Extracted: wshrat
  C2: http://45.139.105.174:7670
Both extracted configurations point at the same host, 45.139.105.174, on different ports (6605 for vjw0rm, 7670 for WSHRAT), so a single network indicator covers both families in this sample.
Signatures
- Blocklisted process makes network request (11 IoCs)
  flow | pid  | Process
  3    | 1980 | wscript.exe
  6    | 1620 | wscript.exe
  7    | 1620 | wscript.exe
  8    | 1620 | wscript.exe
  10   | 1620 | wscript.exe
  11   | 1620 | wscript.exe
  13   | 1620 | wscript.exe
  14   | 1620 | wscript.exe
  15   | 1620 | wscript.exe
  16   | 1620 | wscript.exe
  18   | 1620 | wscript.exe
- Drops startup file (4 IoCs)
  description                  | ioc                                                                                        | Process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZX6S7BKN8U.js   | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZX6S7BKN8U.js   | wscript.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynwormi (1).js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynwormi (1).js | wscript.exe
- Adds Run key to start application (2 TTPs, 10 IoCs)
  description     | ioc                                                                                                                                                        | Process
  Key created     | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run                                                 | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZX6S7BKN8U = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ZX6S7BKN8U.js\""         | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZX6S7BKN8U = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ZX6S7BKN8U.js\""         | wscript.exe
  Key created     | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                 | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\YQUCHB7BKJ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\wynwormi (1).js\"" | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZX6S7BKN8U = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ZX6S7BKN8U.js\"" | WScript.exe
  Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                            | WScript.exe
  Key created     | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run                                                 | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZX6S7BKN8U = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ZX6S7BKN8U.js\"" | wscript.exe
  Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                            | wscript.exe
  The backslashes in the value data are doubled by the report's escaping; the registry holds single backslashes. Two persistence entries are written: ZX6S7BKN8U (in both HKLM and the user hive) launches the Roaming copy through wscript.exe //B, and YQUCHB7BKJ (user hive only) is a bare path to the submitted sample in Local\Temp, which Windows resolves to wscript.exe through the .js file association.
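As an added triage example (not code from the report or from the sample), the following Python flags Run-key values of the shape listed above: a Windows Script Host invoked with //B against a script staged under the user profile, or a bare script path that runs through file association. The two flagged values are the report's own IoCs; the key paths are written with single backslashes, and the benign OneDrive and SecurityHealth entries are constructed to show what is not flagged.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Added example, not part of the sandbox report. Flags Run-key persistence that
# goes through Windows Script Host, the pattern vjw0rm/WSHRAT use here.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")

# Profile paths a standard user can write to (AppData\Roaming, Local\Temp, ...).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# (key, value name, value data). The first two are the report's IoCs with the
# report's doubled backslashes undone; the last two are constructed benign entries.
SAMPLE_RUN_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ZX6S7BKN8U",
     r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\ZX6S7BKN8U.js"'),
    (r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "YQUCHB7BKJ", r'"C:\Users\Admin\AppData\Local\Temp\wynwormi (1).js"'),
    (r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]


class Finding(NamedTuple):
    key: str
    name: str
    script: Optional[str]
    reasons: Tuple[str, ...]


def split_command(value: str) -> List[str]:
    """Tokenise a Run-key command line, keeping quoted paths (with spaces) whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]


def check_run_value(key: str, name: str, value: str) -> Optional[Finding]:
    """Return a Finding when the value launches a script through Windows Script Host."""
    tokens = split_command(value)
    if not tokens:
        return None
    reasons = []
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    script = None
    if image in SCRIPT_HOSTS:
        reasons.append(f"explicit script host {image}")
        if any(t.lower() == "//b" for t in tokens[1:]):
            reasons.append("//B (batch mode) hides script errors and prompts from the user")
        script = next((t for t in tokens[1:] if t.lower().endswith(SCRIPT_EXTS)), None)
    elif tokens[0].lower().endswith(SCRIPT_EXTS):
        # A bare .js/.vbs path: the shell resolves it to wscript.exe via file association.
        reasons.append("bare script path, run via file association")
        script = tokens[0]
    else:
        return None  # an executable image, not a script: out of scope for this check
    if script and USER_WRITABLE.match(script):
        reasons.append("script staged under a user-writable profile path")
    if re.fullmatch(r"[A-Z0-9]{8,12}", name):
        reasons.append("random-looking value name")
    return Finding(key, name, script, tuple(reasons))


def triage(entries) -> List[Finding]:
    """Run check_run_value over (key, name, data) tuples and keep the hits."""
    return [f for f in (check_run_value(*e) for e in entries) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_RUN_VALUES):
        print(f"{f.name}: {f.script}")
        for reason in f.reasons:
            print("  -", reason)
```

The check deliberately ignores the value name alone: random-looking names are only reported as a supporting reason, because legitimate installers also use GUID-like names. The decisive signals are the script host, //B, and a script path under AppData.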
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; for a vjw0rm sample, drive enumeration is equally consistent with the worm looking for removable media to copy itself to. This report records no file writes outside the user profile, so neither interpretation is confirmed by the run.
- Script User-Agent (7 IoCs)
  Uses user-agent string associated with script host/environment.
  description: HTTP User-Agent header
  flows: 6, 7, 8, 10, 11, 15, 16 (identical value in each)
  ioc: WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript
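Added example, not part of the report or of the sample: a parser for this pipe-delimited beacon and a scan over constructed proxy-log lines that picks it out of ordinary browser traffic. The field names (hwid, hostname, username, OS, version tag, antivirus, USB-spread flag with first-run date, script type) follow the Houdini/H-Worm layout that WSH RAT inherits; they are this example's interpretation, not labels from the report, and reading "nan-av" as "no antivirus found" is likewise an interpretation. The log format and the non-beacon lines are constructed; the destination host and port are the report's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not part of the sandbox report. Parses the WSHRAT User-Agent
# beacon and scans a (constructed) proxy log for it.

# The report's own value, carried by flows 6, 7, 8, 10, 11, 15 and 16.
OBSERVED_UA = ("WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate "
               "|plus|nan-av|false - 1/11/2022|JavaScript")

# Field names are an interpretation (Houdini/H-Worm layout), not report labels.
FIELDS = ("tag", "hwid", "hostname", "username", "os",
          "version", "antivirus", "usb_and_date", "script_type")

# Constructed proxy log: "<ts> <src> <dst> <method> <url> \"<user-agent>\"".
# The destination 45.139.105.174:7670 is the report's WSHRAT C2; paths are made up.
SAMPLE_PROXY_LOG = """\
2022-11-01T06:42:10Z 10.0.0.15 45.139.105.174:7670 POST http://45.139.105.174:7670/ "WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript"
2022-11-01T06:42:11Z 10.0.0.22 93.184.216.34:80 GET http://example.com/ "Mozilla/5.0 (Windows NT 6.1; Win64; x64) Firefox/105.0"
2022-11-01T06:42:12Z 10.0.0.15 23.1.2.3:80 GET http://download.windowsupdate.com/x.cab "Microsoft-Delivery-Optimization/10.0"
"""

UA_FIELD = re.compile(r'"([^"]*)"\s*$')


def parse_wshrat_ua(ua: str) -> Optional[Dict[str, str]]:
    """Return the beacon's fields as a dict, or None if this is not a WSHRAT UA."""
    parts = ua.split("|")
    if len(parts) != len(FIELDS) or parts[0] != "WSHRAT":
        return None
    rec = dict(zip(FIELDS, (p.strip() for p in parts)))
    # "false - 1/11/2022": USB-spreading flag and first-run date, joined by " - ".
    flag, _, when = rec.pop("usb_and_date").partition(" - ")
    rec["usb_spread"] = flag
    rec["install_date"] = when
    # Interpretation: "nan-av" is the bot's token for "no antivirus product found".
    if rec["antivirus"] == "nan-av":
        rec["antivirus"] = ""
    return rec


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (source IP, hwid, hostname) for every line whose UA parses as WSHRAT."""
    hits = []
    for line in text.splitlines():
        m = UA_FIELD.search(line)
        if not m:
            continue
        rec = parse_wshrat_ua(m.group(1))
        if rec:
            hits.append((line.split()[1], rec["hwid"], rec["hostname"]))
    return hits


if __name__ == "__main__":
    print(parse_wshrat_ua(OBSERVED_UA))
    for src, hwid, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"WSHRAT beacon from {src}: hwid={hwid} hostname={host}")
```

Matching on the literal "WSHRAT" tag and the exact field count keeps the check tight; because the hostname and username are sent in the clear, the same parse also tells the responder which machine and account are infected without touching the endpoint.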
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                    | pid  | Process     | procid_target
  PID 1980 wrote to memory of 688  | 1980 | wscript.exe | 31 (3 identical entries)
  PID 688 wrote to memory of 1620  | 688  | WScript.exe | 32 (3 identical entries)
  Each write goes from a parent to the child it has just created (1980 → 688 → 1620, the chain in the process tree below). This is the write a parent performs into a new child's address space during process creation, not injection into an unrelated process.
Processes
- C:\Windows\system32\wscript.exe (PID 1980)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\wynwormi (1).js"
  Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 688)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZX6S7BKN8U.js"
    Signatures: Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe (PID 1620)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ZX6S7BKN8U.js"
      Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application

The chain matches the persistence entries: the submitted sample (1980) launches a second-stage script ZX6S7BKN8U.js from Local\Temp (688), which in turn runs the copy under AppData\Roaming with //B (1620), the same command line written to the ZX6S7BKN8U Run key. All network activity in this run comes from 1980 and 1620.
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 25KB
  MD5: 3d8c14e2a64c3fca48e9b06ee1ae3350
  SHA1: e5eb776289ddb44203c564cda9c2c00f1485b079
  SHA256: ed912ccf4f283846786993b1866a0ab07d70d11c9e88c2174fd2986130dda059
  SHA512: f2759ffcbfd99bf6921aab0afe7e2506a898e17a3c7f700e392da816556e8e74242a2355830af0e1b0851cfa2443e502db6f9221ee6f3ec28ef4d13d5e900a26