Analysis
max time kernel: 137s
max time network: 140s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2023 07:20
Static task: static1
Behavioral task: behavioral1
  Sample: 0d83155e7cb3df97f1b07f18528d3f955b07b7f79d3d4942a1ec22607e08936a.js
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 0d83155e7cb3df97f1b07f18528d3f955b07b7f79d3d4942a1ec22607e08936a.js
  Resource: win10v2004-20230220-en
General
Target: 0d83155e7cb3df97f1b07f18528d3f955b07b7f79d3d4942a1ec22607e08936a.js
Size: 9.0MB
MD5: ac20d33a1161d432ff3da4edd95d9ec1
SHA1: 0987458070aea7ee90101b31f59621bbdd123718
SHA256: 0d83155e7cb3df97f1b07f18528d3f955b07b7f79d3d4942a1ec22607e08936a
SHA512: 18b528853ca23a801b653335e384d8cf66a0473c98eff4ea1e31ab5c7edb36f59cc6df8ce2f59ce137ab4d3ca559f9c64085fe20d6879c33bb9f501993abb483
SSDEEP: 192:CZVh7E1Uy2h2ZgKnzDyIlvwEvhlgpZ8QvwYd:0Vm1Uiz2swcgpCowYd
Malware Config
Extracted
Family: vjw0rm
C2: http://demon666.duckdns.org:9011
Signatures

Blocklisted process makes network request (1 IoC)
  flow 4, pid 1368, process wscript.exe

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d83155e7cb3df97f1b07f18528d3f955b07b7f79d3d4942a1ec22607e08936a.js (process: wscript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\WQ38R62NDG = "C:\Users\Admin\AppData\Roaming\0d83155e7cb3df97f1b07f18528d3f955b07b7f79d3d4942a1ec22607e08936a.js" (process: wscript.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox describes this generically as likely ransomware behaviour; here, with a vjw0rm configuration extracted from the same sample, drive enumeration is better explained by that family's habit of copying itself to removable drives in order to propagate, and no file-encryption activity appears elsewhere in this report.
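The report gives three behaviours worth turning into detection logic: the Run key value (note that it points at a second copy of the script directly under AppData\Roaming, not at the Startup-folder copy, so the sample keeps two independent persistence paths), the script dropped into the Startup folder, and the connection to the extracted C2. The following is an added example, not part of this sandbox report or of any sandbox tooling: a small Python matcher that evaluates Sysmon-style JSON events against rules built from this report's IoCs. The event field names (EventType, Image, TargetObject, Details, TargetFilename, DestinationHostname, DestinationPort, ProcessId), the rule names, and the sample events are assumptions constructed for illustration; the paths, the Run key value name WQ38R62NDG, and the C2 host and port are taken from the report.

```python
import json
import re
from urllib.parse import urlparse

# C2 as extracted in the report's Malware Config section.
VJW0RM_C2 = "http://demon666.duckdns.org:9011"

# Windows Script Host binaries (plus mshta) that execute .js/.vbs payloads.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Script extensions, optionally followed by the closing quote of a quoted path.
SCRIPT_EXT = re.compile(r'\.(js|jse|vbs|vbe|wsf|wsh|hta)"?$', re.IGNORECASE)
# A value directly under ...\CurrentVersion\Run or ...\CurrentVersion\RunOnce.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def c2_host_port(url):
    """Split an extracted C2 URL into (hostname, port) for log matching."""
    u = urlparse(url)
    return u.hostname.lower(), u.port


C2_HOST, C2_PORT = c2_host_port(VJW0RM_C2)


def basename(image):
    """Lower-cased file name of a full image path."""
    return image.rsplit("\\", 1)[-1].lower()


def rule_run_key(ev):
    """Script host writes a Run/RunOnce value whose data points at a script file."""
    return (ev.get("EventType") == "SetValue"
            and basename(ev.get("Image", "")) in SCRIPT_HOSTS
            and RUN_KEY.search(ev.get("TargetObject", "")) is not None
            and SCRIPT_EXT.search(ev.get("Details", "")) is not None)


def rule_startup_drop(ev):
    """Script host creates a script file inside a user's Startup folder."""
    return (ev.get("EventType") == "FileCreate"
            and basename(ev.get("Image", "")) in SCRIPT_HOSTS
            and STARTUP_DIR.search(ev.get("TargetFilename", "")) is not None
            and SCRIPT_EXT.search(ev.get("TargetFilename", "")) is not None)


def rule_c2(ev):
    """Outbound connection to the extracted C2 host and port (match on name, not IP)."""
    return (ev.get("EventType") == "NetworkConnect"
            and ev.get("DestinationHostname", "").lower() == C2_HOST
            and int(ev.get("DestinationPort", 0)) == C2_PORT)


# Rule names are assumptions chosen for this example.
RULES = {"vjw0rm_run_key": rule_run_key,
         "vjw0rm_startup_drop": rule_startup_drop,
         "vjw0rm_c2_connect": rule_c2}


def scan(log_lines):
    """Return [(rule_name, pid)] for every event that trips a rule; unparsable lines are skipped."""
    hits = []
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict):
            continue
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("ProcessId")))
    return hits


# Constructed sample events (not captured from the sandbox run); IoC values reuse the report's.
_SID = r"\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000"
_JS = "0d83155e7cb3df97f1b07f18528d3f955b07b7f79d3d4942a1ec22607e08936a.js"
_WSCRIPT = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "ProcessId": 1368, "Image": _WSCRIPT,
     "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\WQ38R62NDG",
     "Details": '"' + r"C:\Users\Admin\AppData\Roaming" + "\\" + _JS + '"'},
    {"EventType": "FileCreate", "ProcessId": 1368, "Image": _WSCRIPT,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" + "\\" + _JS},
    {"EventType": "NetworkConnect", "ProcessId": 1368, "Image": _WSCRIPT,
     "DestinationHostname": "demon666.duckdns.org", "DestinationPort": 9011},
    # Benign look-alikes that must not fire: a Run value set by explorer and a shortcut in Startup.
    {"EventType": "SetValue", "ProcessId": 2044, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventType": "FileCreate", "ProcessId": 3100, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tool.lnk"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Running it prints one hit per rule, all attributed to pid 1368, while the two benign events stay silent: the script-host and script-extension conditions are what keep ordinary installer and explorer Run-key writes out of the alert stream. The C2 rule matches on the hostname rather than a resolved address because a duckdns name can be repointed at will; it therefore needs a log source that records destination names, such as Sysmon with DNS lookups enabled.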