Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted
10-03-2023 07:55
Static task
static1
Behavioral task
behavioral1
Sample
done.js
Resource
win7-20230220-en
General
-
Target
done.js
-
Size
3.0MB
-
MD5
a2b15f7f09bb920f99300225c14be950
-
SHA1
5afaa8c209fcbaade7c7cfe4a9f031c1c3cfab5a
-
SHA256
3159c56b3356b34ef102b3163864b9be2c73ad0600d283c757bbe68a9b2001e1
-
SHA512
8dc9b46f18416f7059bc4bbd3603ded4d5e7e6ac7ff7b0d5a485ec9c38fef572311ac12fef945ae5e6c4b36249c5b7a2653a8fd578997c898cbab3d2b936e9a6
-
SSDEEP
12288:W6E6Fw4dpkVmV7uVszfjvWaam7o+RRaxl6/ZWi2nn1Dx7DqI8MAwshf5/zeihN5n:9
Malware Config
Extracted
Family: vjw0rm
C2: http://84.21.172.33:8895
Signatures
-
Blocklisted process makes network request 14 IoCs
Processes:
flow  pid   process
17    4548  wscript.exe
20    1800  wscript.exe
30    1800  wscript.exe
45    1800  wscript.exe
63    1800  wscript.exe
65    1800  wscript.exe
70    1800  wscript.exe
86    1800  wscript.exe
93    1800  wscript.exe
94    1800  wscript.exe
95    1800  wscript.exe
96    1800  wscript.exe
97    1800  wscript.exe
98    1800  wscript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                      process
Key value queried  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation  wscript.exe
Drops startup file 2 IoCs
Processes:
description                    ioc                                                                                          process
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sQJrklLhcT.js  wscript.exe
File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sQJrklLhcT.js  wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description rates this as likely ransomware behaviour; for a sample whose extracted config identifies it as vjw0rm, a JavaScript worm documented as copying itself to removable drives, drive enumeration is more consistent with USB propagation than with encryption. Treat the signature as an indicator, not a verdict.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description          pid   process      target pid  target process
wrote to memory of   4548  wscript.exe  1800        wscript.exe
wrote to memory of   4548  wscript.exe  1800        wscript.exe
wrote to memory of   4548  wscript.exe  2532        schtasks.exe
wrote to memory of   4548  wscript.exe  2532        schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\wscript.exe (PID 4548)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\done.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\System32\wscript.exe (PID 1800)
       Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sQJrklLhcT.js"
       (//B runs the script host in batch mode, suppressing script error dialogs and prompts.)
       - Blocklisted process makes network request
       - Drops startup file
  └─ C:\Windows\System32\schtasks.exe (PID 2532)
       Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\done.js
       (Reproduced as the sandbox captured it, including the unclosed quote after done.js. The task, named "Skype", re-runs the original script from Temp every 30 minutes.)
       - Creates scheduled task(s)
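The Signatures and Processes sections above amount to three host-side detections: a Windows script host launched on a script under a user-writable path, schtasks persistence whose /tr target is such a script, and a script dropped into the Startup folder. The following is an added example of that detection logic run over constructed telemetry; it is not part of the sandbox output or of the Vjw0rm sample. The records are built from the report's process tree and file events, the record layout (pid/ppid/image/cmdline and pid/op/path) is an assumed schema rather than any vendor's format, and the parent PID of the first wscript.exe, which the report does not give, is left as None.

```python
"""Detection logic for the behaviours recorded in the report above.

Added example, not part of the sandbox output or of the Vjw0rm sample.
The records below are constructed from the report's process tree and
file events; the record layout is an assumed schema, not a vendor format.
"""
import re

SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta)\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|Temp|ProgramData)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed from the report's process tree; not captured telemetry.
# ppid of the root wscript.exe is not in the report, hence None.
PROCESSES = [
    {"pid": 4548, "ppid": None, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\done.js"},
    {"pid": 1800, "ppid": 4548, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sQJrklLhcT.js"'},
    {"pid": 2532, "ppid": 4548, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\done.js'},
]
FILE_EVENTS = [
    {"pid": 1800, "op": "create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sQJrklLhcT.js"},
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_paths(cmdline):
    """Return every script-looking argument, quoted or bare. A quoted
    argument with no closing quote (the /tr value in the report) runs to
    the end of the line instead of being dropped."""
    found = []
    for m in re.finditer(r'"([^"]*)"?|(\S+)', cmdline):
        token = m.group(1) if m.group(1) is not None else m.group(2)
        if SCRIPT_EXT.search(token):
            found.append(token)
    return found


def detect_process(proc, by_pid):
    """Yield (rule, pid, detail) findings for one process record."""
    findings = []
    name = image_name(proc["image"])
    cmd = proc["cmdline"]
    if name in SCRIPT_HOSTS:
        hits = [p for p in script_paths(cmd) if USER_WRITABLE.search(p)]
        if hits:
            findings.append(("script_host_user_writable_path", proc["pid"], hits[0]))
    if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        tr = re.search(r'/tr\s+"?([^"]+)', cmd, re.I)
        target = tr.group(1).strip() if tr else ""
        if SCRIPT_EXT.search(target) and USER_WRITABLE.search(target):
            sc = re.search(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", cmd, re.I)
            when = f"every {sc.group(2) or 1} {sc.group(1).lower()}" if sc else "schedule unknown"
            findings.append(("schtasks_script_persistence", proc["pid"], f"{target} {when}"))
        # Parent/child link from the WriteProcessMemory IoCs: a script host
        # creating the scheduler process is itself worth a rule.
        parent = by_pid.get(proc["ppid"])
        if parent and image_name(parent["image"]) in SCRIPT_HOSTS:
            findings.append(("schtasks_spawned_by_script_host", proc["pid"], parent["pid"]))
    return findings


def detect_file_event(ev):
    """Script written into the per-user Startup folder."""
    if ev["op"] in ("create", "modify") and STARTUP_DIR.search(ev["path"]) and SCRIPT_EXT.search(ev["path"]):
        return [("startup_folder_script_drop", ev["pid"], ev["path"])]
    return []


def run_detections(processes, file_events):
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        findings.extend(detect_process(p, by_pid))
    for ev in file_events:
        findings.extend(detect_file_event(ev))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in run_detections(PROCESSES, FILE_EVENTS):
        print(f"{rule:34} pid={pid} {detail}")
```

Against the constructed records this produces five findings: both wscript.exe instances (4548 and 1800) on the user-writable-path rule, the schtasks persistence rule with its 30-minute interval, the script-host-spawns-schtasks rule, and the Startup-folder drop. The argument splitter deliberately tolerates the unclosed quote in the captured schtasks command line, since a parser that dropped the malformed argument would miss the persistence target.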
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\sQJrklLhcT.js
Filesize
346KB
MD5
4083302483805e12c18b4af0fea38f90
SHA1
39cf040ed83a60b03b589f8fb4a0a7eb4e7ed94a
SHA256
4466a41c5a4186418db1344742285a9c0fa2535b7190993e9b071a273e800800
SHA512
4f8759dec93ff19dc14ae02bea6e8c9592da20569f62e1a34b435d353b3f1f7b19cd02d1296fd9ac75833a5a1dfdcc713c4cbdba0098e85a6ef5ee6544b818fa