Analysis
  max time kernel:   150s
  max time network:  153s
  platform:          windows7_x64
  resource:          win7-20230220-en
  resource tags:     arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted:         10-03-2023 07:55
  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            done.js
  Resource:          win7-20230220-en
General
  Target:  done.js
  Size:    3.0MB
  MD5:     a2b15f7f09bb920f99300225c14be950
  SHA1:    5afaa8c209fcbaade7c7cfe4a9f031c1c3cfab5a
  SHA256:  3159c56b3356b34ef102b3163864b9be2c73ad0600d283c757bbe68a9b2001e1
  SHA512:  8dc9b46f18416f7059bc4bbd3603ded4d5e7e6ac7ff7b0d5a485ec9c38fef572311ac12fef945ae5e6c4b36249c5b7a2653a8fd578997c898cbab3d2b936e9a6
  SSDEEP:  12288:W6E6Fw4dpkVmV7uVszfjvWaam7o+RRaxl6/ZWi2nn1Dx7DqI8MAwshf5/zeihN5n:9 (second block truncated as captured)
Malware Config
  Extracted family:  vjw0rm
  C2:                http://84.21.172.33:8895
Signatures

  Blocklisted process makes network request (17 IoCs)
    flow  pid   process
    6     1424  wscript.exe
    7     904   wscript.exe
    9     1424  wscript.exe
    11    1424  wscript.exe
    15    1424  wscript.exe
    16    1424  wscript.exe
    19    1424  wscript.exe
    22    1424  wscript.exe
    23    1424  wscript.exe
    25    1424  wscript.exe
    28    1424  wscript.exe
    31    1424  wscript.exe
    33    1424  wscript.exe
    36    1424  wscript.exe
    38    1424  wscript.exe
    39    1424  wscript.exe
    42    1424  wscript.exe

  Drops startup file (2 IoCs)
    description                   ioc                                                                                         process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sQJrklLhcT.js  wscript.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sQJrklLhcT.js  wscript.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but nothing else in this run shows file encryption; for a vjw0rm sample, enumerating drives is more consistent with the family's known habit of copying itself to removable media.
  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the task is named Skype, fires every 30 minutes (/sc minute /mo 30) and re-executes the original sample from C:\Users\Admin\AppData\Local\Temp\done.js (see the process tree below).
  Suspicious use of WriteProcessMemory (6 IoCs)
    pid  process      target pid  target process
    904  wscript.exe  1424        wscript.exe
    904  wscript.exe  1424        wscript.exe
    904  wscript.exe  1424        wscript.exe
    904  wscript.exe  1920        schtasks.exe
    904  wscript.exe  1920        schtasks.exe
    904  wscript.exe  1920        schtasks.exe
    Every write goes from the initial wscript.exe (PID 904) into one of its own children, which is consistent with ordinary parent-to-child writes during process creation; the report shows no writes into an unrelated process, so this is not evidence of code injection.
  Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  1. C:\Windows\system32\wscript.exe (PID 904)
     wscript.exe C:\Users\Admin\AppData\Local\Temp\done.js
       - Blocklisted process makes network request
       - Suspicious use of WriteProcessMemory
     2. C:\Windows\System32\wscript.exe (PID 1424)
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sQJrklLhcT.js"
          - Blocklisted process makes network request
          - Drops startup file
     2. C:\Windows\System32\schtasks.exe (PID 1920)
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\done.js
          - Creates scheduled task(s)

  PIDs are taken from the WriteProcessMemory and network-request tables above. The //B switch runs the dropped script without the Windows Script Host UI, and the schtasks command line is shown exactly as captured (the closing quote after done.js is missing in the record).
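Detection logic for the three persistence patterns visible in this process tree and in the "Drops startup file" signature: a silent (//B) script-host run from a user profile directory, a schtasks /create whose action is a script in a temp directory, and a script written to the per-user Startup folder. This is an added example, not part of the sandbox report or of the vjw0rm sample; the Event record layout, the check names and the SAMPLE_EVENTS list are this example's own construction, built from the command lines and paths shown above plus one benign scheduled task for contrast.

```python
"""Added example (not part of the sandbox report): flag the three persistence
patterns visible in the process tree above.

The Event layout and SAMPLE_EVENTS are this example's own construction, built
from the command lines and file paths shown in the report plus one benign task.
"""
from __future__ import annotations

from dataclasses import dataclass

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd")
# Lower-cased path fragments of directories any user can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\programdata\\")
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass
class Event:
    kind: str            # "process" (cmdline set) or "file" (path set)
    pid: int
    image: str           # image name of the process that produced the event
    cmdline: str = ""
    path: str = ""


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Split on unquoted whitespace and strip double quotes. An unterminated quote,
    as in the captured schtasks line, swallows the rest of the line (the standard
    Windows argv splitter treats it the same way)."""
    args: list[str] = []
    cur: list[str] = []
    in_quotes = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def is_user_writable_script(path: str) -> bool:
    p = path.lower()
    return p.endswith(SCRIPT_EXT) and any(d in p for d in USER_WRITABLE)


def check_schtasks(ev: Event) -> str | None:
    """schtasks /create whose /tr action is a script in a user-writable directory."""
    args = split_windows_cmdline(ev.cmdline)
    if not args or not args[0].lower().endswith("schtasks.exe"):
        return None
    low = [a.lower() for a in args]
    if "/create" not in low or "/tr" not in low[:-1]:
        return None
    target = args[low.index("/tr") + 1]
    name = args[low.index("/tn") + 1] if "/tn" in low[:-1] else "?"
    if is_user_writable_script(target):
        return f"pid {ev.pid}: scheduled task '{name}' runs a script from a user-writable path: {target}"
    return None


def check_startup_drop(ev: Event) -> str | None:
    """Script file written to the per-user Startup folder (executed at every logon)."""
    if ev.kind != "file":
        return None
    p = ev.path.lower()
    if STARTUP_DIR in p and p.endswith(SCRIPT_EXT):
        return f"pid {ev.pid}: {ev.image} wrote a script into the Startup folder: {ev.path}"
    return None


def check_silent_wscript(ev: Event) -> str | None:
    """wscript/cscript started with //B (no UI, no prompts) on a script in a user-writable path."""
    args = split_windows_cmdline(ev.cmdline)
    if not args or not args[0].lower().endswith(("wscript.exe", "cscript.exe")):
        return None
    switches = {a.lower() for a in args[1:] if a.startswith("/")}
    scripts = [a for a in args[1:] if not a.startswith("/")]
    if "//b" in switches and scripts and is_user_writable_script(scripts[0]):
        return f"pid {ev.pid}: silent (//B) script host run from a user-writable path: {scripts[0]}"
    return None


CHECKS = (check_schtasks, check_startup_drop, check_silent_wscript)


def scan(events: list[Event]) -> list[str]:
    """Run every check over every event and return the findings in event order."""
    return [hit for ev in events for check in CHECKS if (hit := check(ev))]


# Constructed from the report's process tree and 'Drops startup file' IoC; the
# last entry is a benign task that must not be flagged.
SAMPLE_EVENTS = [
    Event("process", 904, "wscript.exe",
          r"wscript.exe C:\Users\Admin\AppData\Local\Temp\done.js"),
    Event("process", 1424, "wscript.exe",
          r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sQJrklLhcT.js"'),
    Event("process", 1920, "schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\done.js'),
    Event("file", 1424, "wscript.exe",
          path=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sQJrklLhcT.js"),
    Event("process", 2000, "schtasks.exe",
          r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the three malicious records (the //B run from AppData\Roaming, the Skype task pointing at %TEMP%\done.js, and the Startup-folder drop) are reported and the benign daily task is not. The checks key on where a script lives rather than on file names, so renaming sQJrklLhcT.js or the task does not evade them; the initial launch of done.js from Temp without //B is deliberately not flagged here, since a user double-clicking an attachment produces the same command line.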
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  C:\Users\Admin\AppData\Roaming\sQJrklLhcT.js
    Filesize:  346KB
    MD5:       4083302483805e12c18b4af0fea38f90
    SHA1:      39cf040ed83a60b03b589f8fb4a0a7eb4e7ed94a
    SHA256:    4466a41c5a4186418db1344742285a9c0fa2535b7190993e9b071a273e800800
    SHA512:    4f8759dec93ff19dc14ae02bea6e8c9592da20569f62e1a34b435d353b3f1f7b19cd02d1296fd9ac75833a5a1dfdcc713c4cbdba0098e85a6ef5ee6544b818fa