Analysis
- max time kernel: 141s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-02-2023 23:56
Static task
- static1
Behavioral task
- behavioral1: sample insurance.es.js, resource win7-20230220-en
Behavioral task
- behavioral2: sample insurance.es.js, resource win10v2004-20230220-en
General
- Target: insurance.es.js
- Size: 97KB
- MD5: 42d23b699c6dfbca209876a0f9a92bf9
- SHA1: df5f64e32bdc861bf3799dd679356e167fec48fb
- SHA256: d844fae5cdc61338bf5ec8f08804c844b50446dbaebf996643227e2c2967283f
- SHA512: 8734b15942ffc5981d1b7da0d83560f51292cddab496cd62963dc70bdafeccb9a3e3008e452e12872ef443d0711451c22db5ab75390c915febc351b1067b5c53
- SSDEEP: 192:nluzi75WbAZvu1hdh12cB5kw94tMa3dZYkVdPrv1kHWuuIVLk5/lWWWnazp6Lzj7:cz5KIy24jHuHWZqWWdLHKSq5dWBV
Malware Config
Extracted
vjw0rm
http://198.12.123.17:6040
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes: wscript.exe (flow 3, PID 1040)
- Drops startup file (2 IoCs)
  Processes: wscript.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\insurance.es.js
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\insurance.es.js
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
    Key created: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\XGV00ZIC2Q = "'C:\\Users\\Admin\\AppData\\Local\\Temp\\insurance.es.js'"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
    PID 1040 (wscript.exe) wrote to memory of PID 320 (schtasks.exe)
    PID 1040 (wscript.exe) wrote to memory of PID 320 (schtasks.exe)
    PID 1040 (wscript.exe) wrote to memory of PID 320 (schtasks.exe)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\wscript.exe (PID 1040)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\insurance.es.js
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (PID 320, child of 1040)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\insurance.es.js
    - Creates scheduled task(s)