Analysis
  Max time kernel: 115s
  Max time network: 118s
  Platform: windows7_x64
  Resource: win7-20230220-en
  Resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  Submitted: 23-02-2023 16:06
Static task: static1
Behavioral task: behavioral1
  Sample: temp.js
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: temp.js
  Resource: win10-20230220-en
Behavioral task: behavioral3
  Sample: temp.js
  Resource: win10v2004-20230221-en
General
  Target: temp.js
  Size: 6KB
  MD5: 71838ec02373c35bc9217ab58cd6b6a1
  SHA1: 68ed796c91ff5d04da869c6b6dd0e0bfda0a769c
  SHA256: 1939367b5a1548e8af432cdbf026980006ddf37325482602303ddfaf27690b31
  SHA512: f36709240f111bf08ef43208899cd4b451fc951525543e125294ae17b77e3d15fd363669d0a2cab73f696f2a1de1e8f89ee105546ca4cbde402d445d2348ce5d
  SSDEEP: 192:MZVhB3qeNJ82T2ZvfLaTRDLiUFOvewELaZL+URZn7iixK23WR8IKrzv:2VHa+JafGRDGUFOvewEyL+URl7i9TK7H
Malware Config
Extracted
vjw0rm
http://js9300.duckdns.org:9300
Signatures
  Blocklisted process makes network request (1 IoCs)
    Processes:
      flow  pid  process
      4     864  wscript.exe
  Drops startup file (2 IoCs)
    Processes:
      description                   ioc                                                                                  process
      File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.js  wscript.exe
      File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.js  wscript.exe
  Adds Run key to start application (2 TTPs, 2 IoCs)
    Processes:
      description      ioc                                                                                                                                                                            process
      Key created      \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                    wscript.exe
      Set value (str)  \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTQMIP0ARG = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\temp.js\""  wscript.exe
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Creates scheduled task(s) (1 TTPs, 1 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  Suspicious use of WriteProcessMemory (3 IoCs)
    Processes:
      description                      pid  process      target process
      PID 864 wrote to memory of 520   864  wscript.exe  schtasks.exe
      PID 864 wrote to memory of 520   864  wscript.exe  schtasks.exe
      PID 864 wrote to memory of 520   864  wscript.exe  schtasks.exe
  Uses Task Scheduler COM API (1 TTPs)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\temp.js
    PID: 864
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\temp.js
      PID: 520
      - Creates scheduled task(s)