Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
06-04-2023 18:42
Static task
static1
Behavioral task
behavioral1
Sample
vicom-040623.js
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
vicom-040623.js
Resource
win10v2004-20230220-en
General
-
Target
vicom-040623.js
-
Size
3KB
-
MD5
dee56e30a88b69d7f96c6018d4ca0fd1
-
SHA1
bab144a082113b9b4f1b958a7c4a14dc1562eb47
-
SHA256
5f75796aef27eae56a003ff8f88d6056915da8c83ac37e4556a685984d1cf23e
-
SHA512
a010b4dd37ccb65b45d192936142f0f2114c7ad63dd415c212daad83f658ea77a17e5ddbc5dfea8cbf73f3efd40861f5b5de115ea4b15ce0f50f852d6104fed8
Malware Config
Extracted
vjw0rm
http://198.12.123.17:8902
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
wscript.exeflow pid process 3 2016 wscript.exe 5 2016 wscript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vicom-040623.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vicom-040623.js wscript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\PN5T0ZPOXT = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vicom-040623.js\"" wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exedescription pid process target process PID 2016 wrote to memory of 1900 2016 wscript.exe schtasks.exe PID 2016 wrote to memory of 1900 2016 wscript.exe schtasks.exe PID 2016 wrote to memory of 1900 2016 wscript.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\vicom-040623.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\vicom-040623.js2⤵
- Creates scheduled task(s)