Analysis
- max time kernel: 519s
- max time network: 536s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 13-06-2022 03:29
Static task: static1
Behavioral task: behavioral1
- Sample: NEW-PO.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: NEW-PO.js
- Resource: win10-20220414-en
General
- Target: NEW-PO.js
- Size: 100KB
- MD5: 485e3fa1027dc300cbcf48fea637dd57
- SHA1: 589ff4d6aae5af14bc251db32ec6e239f63dcdc5
- SHA256: 9446c38b335edc7d0dbfa754ad0a8f1a41de185f83722b43816b739c3ceb74f4
- SHA512: 257b334e96bc4dc1fcd184e5d77f97bec8fffec3f76b4b8038c9f8b148a4e400dcfe2c7907720863cd3dc160ef048db3ef224646db5b27b3b4f98113c067e888
Malware Config
- Extracted: vjw0rm
- http://franmhort.duia.ro:8152
Signatures
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request (64 IoCs)
  Processes: wscript.exe (PID 4644, 1 network flow) and wscript.exe (PID 2372, 63 network flows)
- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hworm.vbs (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hworm.vbs (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gQZvgHUtLG.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gQZvgHUtLG.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: wscript.exe, wscript.exe
  - Key created: \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows\CurrentVersion\Run\hworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hworm.vbs\"" (wscript.exe)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hworm.vbs\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\gQZvgHUtLG.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
  - PID 4404 wrote to memory of 2372 (wscript.exe -> wscript.exe)
  - PID 4404 wrote to memory of 2372 (wscript.exe -> wscript.exe)
  - PID 4404 wrote to memory of 4644 (wscript.exe -> wscript.exe)
  - PID 4404 wrote to memory of 4644 (wscript.exe -> wscript.exe)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\NEW-PO.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\hworm.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\gQZvgHUtLG.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Downloads
- C:\Users\Admin\AppData\Local\Temp\hworm.vbs
  - Filesize: 13KB
  - MD5: 4b685bd75281e7d4fd5d5c6ea517f7b4
  - SHA1: 737c0d37815c7c22b036c1edba100a95a67ae671
  - SHA256: 185182f369edcb96118a91dcad39eb5b63239112ed6963a8c274178bf1b55394
  - SHA512: dec575589bc3fb8ba72fd7e7d83f20baad4d3fef7da54fe9203444c0c4a8ac39f1608c11a1427071b8af9554067bdd24810beeca8d924b6df871bfd9d1687487
- C:\Users\Admin\AppData\Roaming\gQZvgHUtLG.js
  - Filesize: 27KB
  - MD5: d0180262c99e4a8b9bcae252950d3b53
  - SHA1: 6039d0a418ea7afdb2d64c7621107510459d970a
  - SHA256: 3fcc843e8735f172c8746f473f042cc7bf796cad0b25f4d2e210251e206f9b43
  - SHA512: fbe38862a7cefd617033f65ea91b889b49245e9643ba35ebd4123f31e1236dc0f3cea0aca8e828534e48c62554de0f69b8a1733bfceb3c411f93f96ad2f59581
- memory/2372-117-0x0000000000000000-mapping.dmp
- memory/4644-118-0x0000000000000000-mapping.dmp