Analysis

max time kernel: 149s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 15-06-2022 06:28
Static task: static1

Behavioral task: behavioral1
  Sample: Maersk Sets Documents.js
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: Maersk Sets Documents.js
  Resource: win10v2004-20220414-en
General

Target: Maersk Sets Documents.js
Size: 47KB
MD5: 3391e6b60c013e63bb73c91cd77ea05b
SHA1: 8e7197b5dc1c99d6579f0a002aa7a4e0fa16de8a
SHA256: 7b3187751d1b85e101baf35c73d93c77006cf7a6729ba1b57a702884a0a5c17d
SHA512: c025c5f85219083aabe69474fbbf1415d445fa27c8c19640ccf971be3178741fcc8623f114008c99005a36e4848950fd8a11515bf2f31f79a3168ee3bb95fb33
Malware Config
Signatures

Blocklisted process makes network request (17 IoCs)
Processes:
  flow  pid   process
  13    2376  wscript.exe
  14    2596  wscript.exe
  30    2596  wscript.exe
  32    2376  wscript.exe
  33    2376  wscript.exe
  38    2376  wscript.exe
  43    2596  wscript.exe
  46    2376  wscript.exe
  53    2376  wscript.exe
  58    2376  wscript.exe
  59    2596  wscript.exe
  62    2376  wscript.exe
  63    2376  wscript.exe
  66    2376  wscript.exe
  69    2596  wscript.exe
  72    2596  wscript.exe
  73    2376  wscript.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  wscript.exe
Drops startup file (4 IoCs)
Processes:
  description                   ioc                                                                                        process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.vbs       wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.vbs       wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\quFMSWkFxm.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\quFMSWkFxm.js  wscript.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes:
  description      ioc                                                                                                                                                                                 process
  Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\software\microsoft\windows\currentversion\run                                                                          wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.vbs\""  wscript.exe
  Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                     wscript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.vbs\""                                             wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                          wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\quFMSWkFxm.js\""          wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process      target process
  PID 3520 wrote to memory of 2376  3520  wscript.exe  wscript.exe
  PID 3520 wrote to memory of 2376  3520  wscript.exe  wscript.exe
  PID 3520 wrote to memory of 2596  3520  wscript.exe  wscript.exe
  PID 3520 wrote to memory of 2596  3520  wscript.exe  wscript.exe
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Maersk Sets Documents.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\quFMSWkFxm.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\test.vbs
  Filesize: 13KB
  MD5: fcab27f1e1e9316c441368eb38fea59c
  SHA1: 37e0c7c153b5983cb175a1bcfbe2fc7960606568
  SHA256: 7a535dd7f5f8dc5193c7184ea0278f862e06485c369821747af71b174000fdb6
  SHA512: ed83503d8af7abf3f342719539f6f305a9fc34d45b4fe7c5dcfd68855dc76e76fe5cbed111303d3f7c1e4171cef779ace81d2e0d810ef02dd0b7c8ec6955894c

C:\Users\Admin\AppData\Roaming\quFMSWkFxm.js
  Filesize: 9KB
  MD5: c16ce4cee2d0306bfdb474bcd0dac7d2
  SHA1: a006c5c9b53faa68e7fee669b9b1526d8e36e36f
  SHA256: c70607ee78ed62e79ac29ecc0218f77bc6800b0ff03c807d6c10d869b46a3c5e
  SHA512: e3290deb093c90b42225a31fc21cdddcdab65206f7ae19910ca264c36125b91bf027baa6b22dfaab893c169e0b59e2432e4aa9f58e59c947f97ba882b036b19f

memory/2376-130-0x0000000000000000-mapping.dmp
memory/2596-131-0x0000000000000000-mapping.dmp