Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
23-02-2023 09:31
Static task
static1
Behavioral task
behavioral1
Sample
T817630494847_Payment_receipt_Pdf.js
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
T817630494847_Payment_receipt_Pdf.js
Resource
win10v2004-20230220-en
General
-
Target
T817630494847_Payment_receipt_Pdf.js
-
Size
2.0MB
-
MD5
f8a9117d4c4217fd4cbab1da6d3359b6
-
SHA1
f3ea387aeaf9e587d135d797e0468904328c291a
-
SHA256
db99c6255bfd1d06c6a103e4602715c069039c140389d33d2909912e1b58158d
-
SHA512
232eb1d882feac675994d192436254521b42a2b1d2ae32f6c5cd8618ae29d619a26ad9672f6644a62abfd484a1b0e76f69003d40f79a14cc200be4b124d0bea6
-
SSDEEP
192:aZVhB3qe3Ju2l2ZUCz1ZNWDl01tHY8T0:cVHaLRZcmXpg
Malware Config
Extracted
vjw0rm
http://js9300.duckdns.org:9300
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
wscript.exeflow pid process 4 1996 wscript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T817630494847_Payment_receipt_Pdf.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T817630494847_Payment_receipt_Pdf.js wscript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTQMIP0ARG = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\T817630494847_Payment_receipt_Pdf.js\"" wscript.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exedescription pid process target process PID 1996 wrote to memory of 1760 1996 wscript.exe schtasks.exe PID 1996 wrote to memory of 1760 1996 wscript.exe schtasks.exe PID 1996 wrote to memory of 1760 1996 wscript.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\T817630494847_Payment_receipt_Pdf.js2⤵
- Creates scheduled task(s)
PID:1760
-