Analysis
- max time kernel: 154s
- max time network: 168s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 15-06-2022 06:28
Static task: static1
Behavioral task: behavioral1
- Sample: Maersk Sets Documents.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Maersk Sets Documents.js
- Resource: win10v2004-20220414-en
General
- Target: Maersk Sets Documents.js
- Size: 47KB
- MD5: 3391e6b60c013e63bb73c91cd77ea05b
- SHA1: 8e7197b5dc1c99d6579f0a002aa7a4e0fa16de8a
- SHA256: 7b3187751d1b85e101baf35c73d93c77006cf7a6729ba1b57a702884a0a5c17d
- SHA512: c025c5f85219083aabe69474fbbf1415d445fa27c8c19640ccf971be3178741fcc8623f114008c99005a36e4848950fd8a11515bf2f31f79a3168ee3bb95fb33
Malware Config
Signatures
- Blocklisted process makes network request (26 IoCs)
Processes: wscript.exe, wscript.exe

| flow | pid | process |
| --- | --- | --- |
| 10 | 1744 | wscript.exe |
| 9 | 948 | wscript.exe |
| 12 | 948 | wscript.exe |
| 13 | 1744 | wscript.exe |
| 15 | 948 | wscript.exe |
| 17 | 1744 | wscript.exe |
| 20 | 948 | wscript.exe |
| 21 | 1744 | wscript.exe |
| 23 | 948 | wscript.exe |
| 24 | 1744 | wscript.exe |
| 26 | 948 | wscript.exe |
| 28 | 1744 | wscript.exe |
| 30 | 948 | wscript.exe |
| 32 | 948 | wscript.exe |
| 34 | 1744 | wscript.exe |
| 36 | 948 | wscript.exe |
| 38 | 1744 | wscript.exe |
| 40 | 948 | wscript.exe |
| 41 | 1744 | wscript.exe |
| 42 | 948 | wscript.exe |
| 45 | 948 | wscript.exe |
| 47 | 1744 | wscript.exe |
| 49 | 948 | wscript.exe |
| 51 | 1744 | wscript.exe |
| 52 | 948 | wscript.exe |
| 54 | 1744 | wscript.exe |
- Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.vbs | wscript.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.vbs | wscript.exe |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\quFMSWkFxm.js | wscript.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\quFMSWkFxm.js | wscript.exe |
- Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: wscript.exe, wscript.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\software\microsoft\windows\currentversion\run | wscript.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.vbs\"" | wscript.exe |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.vbs\"" | wscript.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\quFMSWkFxm.js\"" | wscript.exe |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 288 wrote to memory of 1744 | 288 | wscript.exe | wscript.exe |
| PID 288 wrote to memory of 1744 | 288 | wscript.exe | wscript.exe |
| PID 288 wrote to memory of 1744 | 288 | wscript.exe | wscript.exe |
| PID 288 wrote to memory of 948 | 288 | wscript.exe | wscript.exe |
| PID 288 wrote to memory of 948 | 288 | wscript.exe | wscript.exe |
| PID 288 wrote to memory of 948 | 288 | wscript.exe | wscript.exe |
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Maersk Sets Documents.js"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\quFMSWkFxm.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\test.vbs
  Filesize: 13KB
  MD5: fcab27f1e1e9316c441368eb38fea59c
  SHA1: 37e0c7c153b5983cb175a1bcfbe2fc7960606568
  SHA256: 7a535dd7f5f8dc5193c7184ea0278f862e06485c369821747af71b174000fdb6
  SHA512: ed83503d8af7abf3f342719539f6f305a9fc34d45b4fe7c5dcfd68855dc76e76fe5cbed111303d3f7c1e4171cef779ace81d2e0d810ef02dd0b7c8ec6955894c
- C:\Users\Admin\AppData\Roaming\quFMSWkFxm.js
  Filesize: 9KB
  MD5: c16ce4cee2d0306bfdb474bcd0dac7d2
  SHA1: a006c5c9b53faa68e7fee669b9b1526d8e36e36f
  SHA256: c70607ee78ed62e79ac29ecc0218f77bc6800b0ff03c807d6c10d869b46a3c5e
  SHA512: e3290deb093c90b42225a31fc21cdddcdab65206f7ae19910ca264c36125b91bf027baa6b22dfaab893c169e0b59e2432e4aa9f58e59c947f97ba882b036b19f
- memory/288-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
  Filesize: 8KB
- memory/948-56-0x0000000000000000-mapping.dmp
- memory/1744-55-0x0000000000000000-mapping.dmp