Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 02:06
Static task: static1
Behavioral task: behavioral1
  Sample: HOH76746.js
  Resource: win7-20240903-en
General

Target: HOH76746.js
Size: 1.7MB
MD5: e261e68bcae0c10642170416082702b7
SHA1: 6c9b48b65090ec13326a07bef72b1c3995f72513
SHA256: f126bcd906ba8815594cd987e4ba8852bccd58d813ac415a626e66ab5a395db2
SHA512: 05979d43fee175648476accc5562a02c9736337e21ca850ce893791365f5b54f55f9b6813cc0a20d2781ba09c16b6425ee01cb853ab546e049bc1e7e03dd8818
SSDEEP: 24576:aMfvBNjtnVwqiZeU0YQrSPznMfvBNjtnVwqiZeU0YQrSPzK:JrWXOrWXW

Note that the SSDEEP chunk string repeats (MfvBNjtnVwqiZeU0YQrSPz appears twice), which indicates the 1.7MB file is largely the same content twice over, a common size-inflation trick in script droppers.
Malware Config
Signatures
Vjw0rm family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (wscript.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrmKzxDqEk.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrmKzxDqEk.js (wscript.exe)

Executes dropped EXE (1 IoC)
  PID 4876: 250million.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0HKX5ALWLG = "\"C:\\Users\\Admin\\AppData\\Roaming\\OrmKzxDqEk.js\"" (wscript.exe)

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (250million.exe)

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 1680 (wscript.exe) wrote to memory of PID 4292 (procid_target 83), 2 events
  PID 1680 (wscript.exe) wrote to memory of PID 4876 (procid_target 84), 3 events
Processes

C:\Windows\system32\wscript.exe (PID 1680)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\HOH76746.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (PID 4292, child of 1680)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OrmKzxDqEk.js"
    - Drops startup file
    - Adds Run key to start application

  C:\Users\Admin\AppData\Roaming\250million.exe (PID 4876, child of 1680)
    "C:\Users\Admin\AppData\Roaming\250million.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

The //B switch on the second wscript.exe is WSH batch mode: it suppresses prompts and script error dialogs, so the persisted copy under AppData\Roaming runs without anything visible to the user. The Run key value and the Startup folder copy both point at that same OrmKzxDqEk.js, giving two independent autostart paths.
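Hunt logic for the behaviours in the process tree and signature list above, as an added example that is not part of the sandbox report or its tooling. It flags a script host running a script out of a user-writable directory (with or without //B), a script host spawning an EXE from the user profile, a Run key value whose data launches a script, a script dropped into the Startup folder, and a script host reading Geo\Nation. The events are constructed Sysmon-style records (field names modelled on Event IDs 1, 11 and 13 are an assumption); the QueryValue record stands in for a sandbox or ETW registry trace, since Sysmon does not log registry reads.

```python
"""Hunt rules for the behaviours listed in the report above: a script host run from a
user-writable directory (//B or not), a script host spawning an EXE from one, a Run-key
value launching a script, a script dropped in the Startup folder, and a Geo\\Nation read.
Constructed Sysmon-style events (Event IDs 1, 11, 13); the QueryValue record is an
assumption standing in for a sandbox/ETW trace, since Sysmon does not log registry reads."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
RUN_KEY = "\\currentversion\\run\\"
GEO_NATION = "\\control panel\\international\\geo\\nation"

@dataclass
class Finding:
    rule: str
    pid: int
    detail: str

def split_cmdline(cmd: str) -> List[str]:
    """Windows-style tokenizer: double-quoted tokens keep their spaces, quotes are dropped."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def in_user_dir(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)

def check_process(ev: Dict) -> List[Finding]:
    out: List[Finding] = []
    img = basename(ev["Image"])
    tokens = split_cmdline(ev["CommandLine"])
    if img in SCRIPT_HOSTS:
        # //B is WSH batch mode: no prompts, no error dialogs, so the user sees nothing.
        silent = any(t.lower() == "//b" for t in tokens[1:])
        for arg in tokens[1:]:
            if arg.lower().endswith(SCRIPT_EXT) and in_user_dir(arg):
                mode = "silent (//B)" if silent else "interactive"
                out.append(Finding("script_from_user_dir", ev["ProcessId"], f"{img} ran {arg}, {mode}"))
    # A script host launching a binary from the user profile: the 250million.exe step.
    if basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS and img.endswith(".exe") and in_user_dir(ev["Image"]):
        out.append(Finding("script_host_spawned_exe", ev["ProcessId"], ev["Image"]))
    return out

def check_registry(ev: Dict) -> List[Finding]:
    key = ev["TargetObject"].lower()
    if ev["EventType"] == "SetValue" and RUN_KEY in key:
        # The value name (0HKX5ALWLG) is random per infection; key on the data instead.
        if any(t.lower().endswith(SCRIPT_EXT) for t in split_cmdline(ev.get("Details", ""))):
            name = ev["TargetObject"].rsplit("\\", 1)[-1]
            return [Finding("run_key_script", ev["ProcessId"], f"{name} = {ev['Details']}")]
    if ev["EventType"] == "QueryValue" and key.endswith(GEO_NATION) and basename(ev["Image"]) in SCRIPT_HOSTS:
        return [Finding("geofence_registry_read", ev["ProcessId"], ev["TargetObject"])]
    return []

def check_file(ev: Dict) -> List[Finding]:
    target = ev["TargetFilename"]
    if STARTUP_DIR in target.lower() and target.lower().endswith(SCRIPT_EXT):
        return [Finding("startup_folder_script", ev["ProcessId"], target)]
    return []

CHECKS: Dict[str, Callable[[Dict], List[Finding]]] = {
    "process": check_process, "registry": check_registry, "file": check_file}

def hunt(events: List[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        findings.extend(CHECKS[ev["type"]](ev))
    return findings

# Constructed events mirroring the report's process tree and IoCs, plus one benign
# Run-key write as a control. Not captured telemetry.
HKU = "HKU\\S-1-5-21-493223053-2004649691-1575712786-1000"
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "ProcessId": 1680, "Image": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\HOH76746.js"},
    {"type": "process", "ProcessId": 4292, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OrmKzxDqEk.js"'},
    {"type": "process", "ProcessId": 4876, "Image": r"C:\Users\Admin\AppData\Roaming\250million.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\250million.exe"'},
    {"type": "registry", "EventType": "SetValue", "ProcessId": 4292, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0HKX5ALWLG",
     "Details": r'"C:\Users\Admin\AppData\Roaming\OrmKzxDqEk.js"'},
    {"type": "registry", "EventType": "QueryValue", "ProcessId": 1680, "Image": r"C:\Windows\system32\wscript.exe",
     "TargetObject": HKU + r"\Control Panel\International\Geo\Nation"},
    {"type": "file", "ProcessId": 4292,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OrmKzxDqEk.js"},
    {"type": "registry", "EventType": "SetValue", "ProcessId": 900, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\agent.exe" /tray'},
]
```

Running hunt(SAMPLE_EVENTS) yields six findings in event order, one per behaviour above, and nothing for the vendor Run entry. The Run-key rule deliberately ignores the value name, since 0HKX5ALWLG is generated per infection, and matches on the data pointing at a script instead; on a real host the same rule should also fire on data that invokes wscript.exe or cscript.exe with a script path, which split_cmdline already handles.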
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 457KB
  MD5: d9569e6f7afd3afb9debc99245595adb
  SHA1: b3e25ed7212be6a1fb0567a14fe9385941086794
  SHA256: e3f38af5cd488978bbc4156eb62e881c04df48055f5e6819eabcca429c9051d7
  SHA512: f195cebe98d30bb2a0ca7c07cd984a22cd201288d75e15f000ff41d901f09f825a591d71e4799ab320892b8625a62196e792ce57eb618ef6b3ceb826a8bb9a21

File 2
  Filesize: 14KB
  MD5: 4ddac2fa49c2f9f17a5faad271025659
  SHA1: 575f942637af4b6e75eba0d046acd7ab67914714
  SHA256: 810c2f963f1741e83aae85cd7e93a99435557f230966cb6632ca405e9482df34
  SHA512: d26169bd1430337a6dc27b2a75238108701c670bafb52b44f9d07ef70e3dd0b0d385009d7317e06ab159e6be0b41c1c6e356a82e8cb9c88ebd68fbcb77a2bd2f