Analysis
- max time kernel: 141s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 23-02-2023 09:28
Static task: static1
Behavioral task: behavioral1
  Sample: 1ZXSAOPKH09SA_PAYMENT-COPY.js
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 1ZXSAOPKH09SA_PAYMENT-COPY.js
  Resource: win10v2004-20230220-en
General
- Target: 1ZXSAOPKH09SA_PAYMENT-COPY.js
- Size: 9.0MB
- MD5: 2e2078339793c66d19efb2c4b642ccb1
- SHA1: 714ae2b2c1ac173e5539c95d4594c0d3ed4aa438
- SHA256: 15473e094a9ec464cce7a31879bc27eec654a43ea27239bd7f56afa333a59a7c
- SHA512: e184bf67a29fcc8b01afb9d225b57fc33e3b3cc905c01f585a5a417b6c106d8f2aeaf3133cd4b2f3c7aa5dec517096356e46f3ee2f05953fdd0c6af63191ac44
- SSDEEP: 96:BZH1uy6XIUoN2lcJc9l8SVinV2F2uFInZW6cNxTGji578Gji5rmjiQD0wGji57ty:BZVh7yeSQnV2F2AIZW3NxT78i0w7t
Malware Config
Extracted
- Family: vjw0rm
- C2: http://jamnnd.duckdns.org:8024
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow | pid | process
  4 | 1132 | wscript.exe
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ZXSAOPKH09SA_PAYMENT-COPY.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ZXSAOPKH09SA_PAYMENT-COPY.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\W56OZZRQKW = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1ZXSAOPKH09SA_PAYMENT-COPY.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 1132 wrote to memory of 1196 | 1132 | wscript.exe | schtasks.exe
  PID 1132 wrote to memory of 1196 | 1132 | wscript.exe | schtasks.exe
  PID 1132 wrote to memory of 1196 | 1132 | wscript.exe | schtasks.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\1ZXSAOPKH09SA_PAYMENT-COPY.js
  PID: 1132
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (child process)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\1ZXSAOPKH09SA_PAYMENT-COPY.js
    PID: 1196
    - Creates scheduled task(s)