Analysis
max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 08-02-2023 11:48
Static task: static1
Behavioral task: behavioral1
Sample: 1ZWAJSAR001.js
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 1ZWAJSAR001.js
Resource: win10v2004-20220812-en
General
Target: 1ZWAJSAR001.js
Size: 300.0MB
MD5:
16f64a9f1e8298c60d410e649d4f9af6
SHA1:
4ecbd826dd26c8cb1c83e90b260fabc01fb292b3
SHA256:
07832ced9085948c808f5d084569f19e7ac6d7ac033d9fe307557b2d62276c43
SHA512:
99bf973c22c46827ab153f13365cdffeb47a15f300693f5cbf3faaff71a7043e5a7a1c083c2ce2b02cfb085ba3bd77c8c43f6d0fbbfb9cab74e990318f8cde2b
SSDEEP:
192:KERPOQ5/EwSCSgCoR57ATri9xKrw/SDLaMTiye22k8T4Z1FOJ0ow4:KsOA/EwO4lT9xKrw6DLaM5iTTXaE
Malware Config
Extracted: vjw0rm
http://sgdghhdh62.duckdns.org:8050
Signatures
Blocklisted process makes network request (1 IoCs)
Processes:
- flow 3, pid 1320, process wscript.exe
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ZWAJSAR001.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ZWAJSAR001.js (wscript.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\TLMDOPHRA6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1ZWAJSAR001.js\"" (wscript.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 1320 wrote to memory of 1496: 1320 wscript.exe, target process schtasks.exe
- PID 1320 wrote to memory of 1496: 1320 wscript.exe, target process schtasks.exe
- PID 1320 wrote to memory of 1496: 1320 wscript.exe, target process schtasks.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\1ZWAJSAR001.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\1ZWAJSAR001.js
  - Creates scheduled task(s)