Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    21-11-2024 20:10

General

  • Target

    Order 2021-600918.js

  • Size

    311KB

  • MD5

    f875ce20d9473d5dd74d2e0382fb32ba

  • SHA1

    a9b75554d7cb9eae3f06c2b9f3b7cf60617b32d8

  • SHA256

    b71e66c2f3dd88356df6c1bb0cab806156e91bed324c376b45cae58ce051ceff

  • SHA512

    1eccb095f0bd41fb28879a726d8257b3a30cc487efa33fe24f2be2899596ee99bc54179d7003493aec50e55f6e6beac77616a9a8d9c3d80e4cb4a0244c33c4fe

  • SSDEEP

    6144:X/Rfo2A0XbJtYp+JPNqRvhQoACsix01v8sPgMBZe9c/slHWiqIWvfQwc:mkFtYwPNqRGrCG9rYML/FjvI

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

wqos

Decoy

nobis.one

firecrestfineart.com

zhongqiaolw.com

healthcaremovement.com

amothersloveliberates.com

maskscafe.com

dkukkmk.icu

realmindofmitch.com

cranes-crossing.com

deeplyrootedplants.com

doodlesbakery.com

xiaomagu.com

lactase-enzym.com

comprartecnologia.com

making-my-new-normal.com

ruksamin.com

inforko.com

2mblueprint.com

pinkfang.com

100daysofbush.com

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Vjw0rm family
  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 3 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1284
    • C:\Windows\system32\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order 2021-600918.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zIMOUAQYhg.js"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        PID:2160
      • C:\Users\Admin\AppData\Local\Temp\bin.exe
        "C:\Users\Admin\AppData\Local\Temp\bin.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\SysWOW64\wininit.exe
          "C:\Windows\SysWOW64\wininit.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2224
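
The process tree above is the most reusable part of this report: a script host running a dropped .js in batch mode, that script host spawning an executable out of Temp, and that executable starting a wininit.exe from SysWOW64 (the Xloader injection target; a legitimate wininit.exe lives in System32 and is started by smss.exe during boot). The following is an added hunting example, not code from the report or from the sandbox vendor. The events are constructed to mirror the tree (same PIDs, images and command lines) plus one benign control; the field names loosely follow Sysmon Event ID 1, and the staging-directory list and rule names are assumptions.

```python
"""Hunt rules for the process chain in this report, run over constructed events.

The events below are constructed to mirror the sandbox process tree (same PIDs,
images and command lines as the report) plus one benign control; they are not
real telemetry. Field names follow Sysmon Event ID 1 loosely (assumption).
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line as logged


# Constructed sample, mirroring the report's tree. PID 3100 is a benign control.
EVENTS = [
    ProcEvent(1284, 4, "C:\\Windows\\Explorer.EXE", "C:\\Windows\\Explorer.EXE"),
    ProcEvent(1760, 1284, "C:\\Windows\\system32\\wscript.exe",
              'wscript.exe "C:\\Users\\Admin\\AppData\\Local\\Temp\\Order 2021-600918.js"'),
    ProcEvent(2160, 1760, "C:\\Windows\\System32\\wscript.exe",
              '"C:\\Windows\\System32\\wscript.exe" //B '
              '"C:\\Users\\Admin\\AppData\\Roaming\\zIMOUAQYhg.js"'),
    ProcEvent(2944, 1760, "C:\\Users\\Admin\\AppData\\Local\\Temp\\bin.exe",
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\bin.exe"'),
    ProcEvent(2224, 2944, "C:\\Windows\\SysWOW64\\wininit.exe",
              '"C:\\Windows\\SysWOW64\\wininit.exe"'),
    ProcEvent(3100, 1284, "C:\\Windows\\System32\\wscript.exe",
              'wscript.exe "C:\\Users\\Admin\\Documents\\backup.vbs"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a phishing-delivered script typically stages its payloads in (assumed list).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def _name(path):
    return ntpath.basename(path).lower()


def _touches_staging(text):
    return any(seg in text.lower() for seg in STAGING_DIRS)


def ancestry(events, pid):
    """Image names from the highest known ancestor down to `pid`."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def hunt(events):
    """Return (pid, rule, severity) tuples for events matching the three rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = _name(parent.image) if parent else ""
        me = _name(e.image)
        # Rule 1: a script host running a script out of a staging directory.
        # //B (batch mode) suppresses script errors and prompts, a sign the
        # launch was meant to stay quiet, so it raises the severity.
        if me in SCRIPT_HOSTS and _touches_staging(e.cmdline):
            sev = "high" if "//b" in e.cmdline.lower() else "medium"
            findings.append((e.pid, "script_host_runs_staged_script", sev))
        # Rule 2: a script host spawning a non-script-host executable that
        # itself lives in a staging directory (the dropped bin.exe).
        if pname in SCRIPT_HOSTS and me not in SCRIPT_HOSTS and _touches_staging(e.image):
            findings.append((e.pid, "script_host_spawns_dropped_exe", "high"))
        # Rule 3: wininit.exe is a System32 binary started by smss.exe during
        # boot; any other path or parent points to a hollowed decoy process.
        if me == "wininit.exe":
            in_system32 = e.image.lower().startswith("c:\\windows\\system32\\")
            if not in_system32 or pname != "smss.exe":
                findings.append((e.pid, "wininit_outside_boot_chain", "high"))
    return findings


if __name__ == "__main__":
    for pid, rule, sev in hunt(EVENTS):
        print(f"{sev:6} {rule:32} pid={pid} chain={' > '.join(ancestry(EVENTS, pid))}")
```

Run against the constructed events, the three rules fire on PIDs 1760, 2160, 2944 and 2224 and stay silent on the Documents-launched control script; on real telemetry, feed `hunt()` the same four fields from your process-creation source and pivot on `ancestry()` to pull the full chain back to the phishing script.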

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bin.exe

    Filesize

    160KB

    MD5

    63f3a93c472be113725e951e40696642

    SHA1

    15477f7333a4ad56227bc61049c5eb5451ac73c7

    SHA256

    92e653a855a5495cc862ed79ee39aa6620b9b0b08948e89f866b07debba1b2f8

    SHA512

    c155c01b90f80ab7125138e79a03a07b3699a00d1953653a00ac2f29d06d496bc9633119f3885f36f615313630cd1283822b12f38d7446a698b430584e238549

  • C:\Users\Admin\AppData\Roaming\zIMOUAQYhg.js

    Filesize

    9KB

    MD5

    797f97b46b0f42d7a26810b7b2e04cc9

    SHA1

    141b0a609e3fe9e4695ad0dfd905be24414287ab

    SHA256

    2a15292e70c7b6edbfb44ae1347debf9ab31bb3296b7cd3619fda0f9abf0d89d

    SHA512

    c5173a980edc2230d9673e2c5729b6829c4130e80a14eb7efd7f0e41bc5a3f01b559fb67b5be191e0a309f0b04abf2c52b632e873307471569a07f995774a27d

  • memory/1284-22-0x0000000007B80000-0x0000000007D05000-memory.dmp

    Filesize

    1.5MB

  • memory/1284-11-0x00000000067D0000-0x0000000006888000-memory.dmp

    Filesize

    736KB

  • memory/1284-15-0x00000000067D0000-0x0000000006888000-memory.dmp

    Filesize

    736KB

  • memory/1284-16-0x0000000007B80000-0x0000000007D05000-memory.dmp

    Filesize

    1.5MB

  • memory/2224-19-0x00000000006A0000-0x00000000006BA000-memory.dmp

    Filesize

    104KB

  • memory/2224-21-0x0000000000080000-0x00000000000A8000-memory.dmp

    Filesize

    160KB

  • memory/2224-18-0x00000000006A0000-0x00000000006BA000-memory.dmp

    Filesize

    104KB

  • memory/2944-14-0x0000000000BA0000-0x0000000000BC8000-memory.dmp

    Filesize

    160KB

  • memory/2944-17-0x0000000000BBD000-0x0000000000BBE000-memory.dmp

    Filesize

    4KB

  • memory/2944-9-0x00000000007F0000-0x0000000000AF3000-memory.dmp

    Filesize

    3.0MB

  • memory/2944-10-0x00000000000A0000-0x00000000000B0000-memory.dmp

    Filesize

    64KB

  • memory/2944-12-0x0000000000BBD000-0x0000000000BBE000-memory.dmp

    Filesize

    4KB