Analysis
  max time kernel:   1777s
  max time network:  1780s
  platform:          windows10-2004_x64
  resource:          win10v2004-20230220-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         16-03-2023 18:01
Tasks
  Static task      static1
  Behavioral task  behavioral1   Sample: 908734b8110bcf4d13e860d05aa0c374f056c027e6a7c594ecff219679f58de8.js   Resource: win7-20230220-en
  Behavioral task  behavioral2   Sample: 908734b8110bcf4d13e860d05aa0c374f056c027e6a7c594ecff219679f58de8.js   Resource: win10v2004-20230220-en
General
  Target:  908734b8110bcf4d13e860d05aa0c374f056c027e6a7c594ecff219679f58de8.js
  Size:    9.0MB
  MD5:     c80a36f6be68badf2169f87ef5284b46
  SHA1:    8eb62c3901b392b7c608c8849af3f49881eec24e
  SHA256:  908734b8110bcf4d13e860d05aa0c374f056c027e6a7c594ecff219679f58de8
  SHA512:  41cff549582af5b3c469655d0a738a88c7f55077d2e2fea20a1d0be92b848f008165d9886fe922e643c503cb3ac4a07f1800f68682ef4fa49aaa3612a7b622c7
  SSDEEP:  192:KZVh7E1mH9k2J2ZafWdfH1P2P1IFpLk8vII:MVm1mH9u1+qTtgI
Malware Config (extracted)
  Family:  vjw0rm
  C2 URL:  http://demon666.duckdns.org:9011
Signatures

Blocklisted process makes network request (64 IoCs)
  All 64 flows originate from the same process, pid 2776 wscript.exe, the script host that executed the sample:
    flow   pid    process
    8, 56, 57, 66, 68, 70, 71, 72, 74, 75, 77, 78, 80, 81, 83, 84, 85, 87, 88, 95, 96, 102, 105
           2776   wscript.exe
    111 through 151 (41 consecutive flows)
           2776   wscript.exe
Drops startup file (1 IoC)
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\908734b8110bcf4d13e860d05aa0c374f056c027e6a7c594ecff219679f58de8.js   Process: wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run   Process: wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WQ38R62NDG = "\"C:\\Users\\Admin\\AppData\\Roaming\\908734b8110bcf4d13e860d05aa0c374f056c027e6a7c594ecff219679f58de8.js\""   Process: wscript.exe
  Note: the Run value points at a copy of the script in the root of %APPDATA%, while the Startup-folder entry above is a second copy; both live in the user's profile (HKU, not HKLM), so neither requires administrative rights.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic heuristic labels this "likely ransomware behaviour", but for this sample the extracted vjw0rm config and the absence of any file-encryption signature make removable-drive enumeration for worm-style spreading the more plausible reading.
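The three behaviours above (Run-key persistence by a script host, a script dropped into the Startup folder, and a single wscript.exe pid repeatedly reaching a dynamic-DNS host on a non-standard port) are the detection points a SOC would want. The following is an added example, not part of the sandbox report or the vjw0rm sample, that encodes them as rules over Sysmon-style events; the event field names follow Sysmon (Image, TargetObject, Details, TargetFilename, DestinationHostname, DestinationPort), the list of dynamic-DNS suffixes and the beacon threshold are assumptions, and the sample events are constructed from the IoCs in this report.

```python
"""Detection rules for script-host persistence and beaconing, run over
constructed Sysmon-style events. Added example; not from the sandbox report."""
import re
from collections import Counter

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Value data may be a quoted path, so allow an optional trailing quote.
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\"?$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
DYN_DNS = ("duckdns.org", "no-ip.org", "ddns.net")  # assumption: extend per environment
BEACON_THRESHOLD = 10  # assumption: connections from one pid to one host:port


def image_name(path):
    """Base name of an Image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def run_key_persistence(ev):
    """Sysmon EID 13: a script host writing a script path into a Run key."""
    if ev["EventID"] != 13 or image_name(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    if RUN_KEY.search(ev["TargetObject"]) and SCRIPT_EXT.search(ev["Details"]):
        return ("run_key", ev["ProcessId"], ev["TargetObject"])
    return None


def startup_folder_drop(ev):
    """Sysmon EID 11: a script host creating a file in the Startup folder."""
    if ev["EventID"] != 11 or image_name(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    if STARTUP_DIR.search(ev["TargetFilename"]):
        return ("startup_drop", ev["ProcessId"], ev["TargetFilename"])
    return None


def beaconing(events):
    """Sysmon EID 3: many connections from one script-host pid to one host:port,
    or any connection from a script host to a dynamic-DNS domain."""
    counts = Counter()
    for ev in events:
        if ev["EventID"] == 3 and image_name(ev["Image"]) in SCRIPT_HOSTS:
            counts[(ev["ProcessId"], ev["DestinationHostname"], ev["DestinationPort"])] += 1
    findings = []
    for (pid, host, port), n in counts.items():
        dyn = host.lower().endswith(DYN_DNS)
        if n >= BEACON_THRESHOLD or dyn:
            findings.append(("beacon", pid, host, port, n, dyn))
    return findings


def analyse(events):
    """Run every rule and return the list of findings."""
    findings = []
    for ev in events:
        for rule in (run_key_persistence, startup_folder_drop):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(beaconing(events))
    return findings


# Constructed events modelled on this report's IoCs (pid 2776 wscript.exe).
SAMPLE = "908734b8110bcf4d13e860d05aa0c374f056c027e6a7c594ecff219679f58de8.js"
WSCRIPT = "C:\\Windows\\System32\\wscript.exe"
SID = "S-1-5-21-1013461898-3711306144-4198452673-1000"
EVENTS = [
    {"EventID": 13, "Image": WSCRIPT, "ProcessId": 2776,
     "TargetObject": "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WQ38R62NDG",
     "Details": "\"C:\\Users\\Admin\\AppData\\Roaming\\" + SAMPLE + "\""},
    {"EventID": 11, "Image": WSCRIPT, "ProcessId": 2776,
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" + SAMPLE},
    # Benign control: explorer.exe registering a normal executable; must not fire.
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "ProcessId": 1234,
     "TargetObject": "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\""},
] + [
    {"EventID": 3, "Image": WSCRIPT, "ProcessId": 2776,
     "DestinationHostname": "demon666.duckdns.org", "DestinationPort": 9011}
    for _ in range(64)  # the 64 flows in the report
]

if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The benign control event shows why the rules key on the writing process rather than on the Run key alone: a Run value written by explorer.exe for a .exe is normal, while wscript.exe writing a .js path into Run, or dropping a .js into the Startup folder, has essentially no legitimate use on a workstation.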