Analysis
- max time kernel: 151s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 06:29
Static task: static1
Behavioral task: behavioral1
- Sample: Maersk Sets Documents.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Maersk Sets Documents.js
- Resource: win10v2004-20220414-en
The behaviour below is from the behavioral2 run (win10v2004-20220414-en), matching the platform and resource listed above.
General
- Target: Maersk Sets Documents.js
- Size: 47KB
- MD5: 3391e6b60c013e63bb73c91cd77ea05b
- SHA1: 8e7197b5dc1c99d6579f0a002aa7a4e0fa16de8a
- SHA256: 7b3187751d1b85e101baf35c73d93c77006cf7a6729ba1b57a702884a0a5c17d
- SHA512: c025c5f85219083aabe69474fbbf1415d445fa27c8c19640ccf971be3178741fcc8623f114008c99005a36e4848950fd8a11515bf2f31f79a3168ee3bb95fb33
Malware Config
Signatures
- Blocklisted process makes network request (36 IoCs)
  Processes (flow id, pid, process):
  wscript.exe, PID 4584: flows 7, 16, 24, 33, 37, 44, 46, 49, 52, 54, 57, 59, 62, 64, 66, 68
  wscript.exe, PID 4672: flows 8, 15, 23, 25, 34, 36, 43, 45, 48, 50, 51, 53, 56, 58, 60, 61, 63, 65, 67, 69
  Both child script hosts reach out repeatedly. The Network section of this report extract carries no flow details, so destinations cannot be recovered from this page.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Drops startup file (4 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.vbs (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.vbs (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\quFMSWkFxm.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\quFMSWkFxm.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\quFMSWkFxm.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.vbs\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.vbs\"" (wscript.exe)
  Two styles of Run value are used: YVBPFHTJIQ names the .js file bare, so it starts through the .js file association, while test invokes wscript.exe explicitly with //B (batch mode, which suppresses script errors and prompts). The HKLM value can only be written with administrative rights, so the sample ran elevated in the sandbox. Together with the two Startup folder copies this gives five autostart entries covering four script files.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature text calls this likely ransomware behaviour, but nothing else in this report records encryption or mass file modification; treat it as generic host enumeration unless the dropped scripts show otherwise.
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4644 (wscript.exe) wrote to memory of PID 4584 (wscript.exe), recorded twice
  PID 4644 (wscript.exe) wrote to memory of PID 4672 (wscript.exe), recorded twice
  All four writes go from the parent script host into the two children it starts, which is what ordinary process creation looks like from this hook; there is no write into an unrelated process, so this is not evidence of injection.
Processes
- C:\Windows\system32\wscript.exe (PID 4644, depth 1)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Maersk Sets Documents.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child, depth 2)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\quFMSWkFxm.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (child, depth 2)
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Chain: the first wscript.exe runs the sample from the user's Temp folder, reads the Geo\Nation country code, then starts two more script hosts (PIDs 4584 and 4672 in the WriteProcessMemory records; the report does not say which ran which script). One runs quFMSWkFxm.js from AppData\Roaming in batch mode (//B hides script errors and prompts), the other runs test.vbs from Temp; both files are listed under Downloads. Each child then writes its own Run value, drops a copy into the Startup folder and makes network requests.
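The execution and persistence pattern above (a script host running a dropped script in batch mode, Run values under both HKCU and HKLM, script files in the Startup folder, and the Geo\Nation query) translates directly into hunting rules. The following Python is an added example written for this page, not code from the sandbox or its report. The event records are constructed from the report's own process, registry and file IoCs in a simplified Sysmon-like shape; the field names, explorer.exe as the parent of the first wscript.exe, and which child PID ran which script are assumptions. The ATT&CK IDs in RULES are current sub-technique IDs rather than the v6 matrix the report references.

```python
import re

# Added example for this page; not code from the sandbox or its report. Event
# records are constructed from the report's IoCs in a simplified Sysmon-like
# shape. Assumptions: the field names, explorer.exe as parent of the first
# wscript.exe, and which child PID ran which script.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")
STARTUP_FOLDER = "\\start menu\\programs\\startup\\"
GEO_KEY = "\\control panel\\international\\geo\\nation"


def tokens(cmd):
    """Split a Windows command line; quoted paths with spaces stay one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_script_host(image):
    return basename(image) in SCRIPT_HOSTS


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def script_args(cmd):
    """Script files named on a command line, skipping argv[0] and //B-style switches."""
    return [t for t in tokens(cmd)[1:]
            if not t.startswith(("/", "-")) and t.lower().endswith(SCRIPT_EXTS)]


def check_process(ev):
    """Script host executing a script from a user-writable path."""
    if not is_script_host(ev["image"]):
        return None
    scripts = [s for s in script_args(ev["cmd"]) if in_user_writable(s)]
    if not scripts:
        return None
    notes = []
    if "//B" in {t.upper() for t in tokens(ev["cmd"])}:
        notes.append("batch mode: //B suppresses script errors and prompts")
    if is_script_host(ev.get("parent_image", "")):
        notes.append("spawned by another script host")
    return f"{basename(ev['image'])} runs {scripts[0]}" + (f" [{'; '.join(notes)}]" if notes else "")


def check_run_value(ev):
    """Run value that invokes a script host, or names a script file bare, from a user-writable path."""
    toks = tokens(ev["data"])
    if not toks:
        return None
    launcher = toks[0]
    if is_script_host(launcher):
        scripts = [s for s in script_args(ev["data"]) if in_user_writable(s)]
        if scripts:
            return f"{ev['key']}\\{ev['name']} -> {basename(launcher)} {scripts[0]}"
    elif launcher.lower().endswith(SCRIPT_EXTS) and in_user_writable(launcher):
        return f"{ev['key']}\\{ev['name']} -> {launcher} (started via its file association)"
    return None


def check_startup_file(ev):
    """Script file written into a Startup folder."""
    p = ev["path"].lower()
    if STARTUP_FOLDER in p and p.endswith(SCRIPT_EXTS):
        return f"script {basename(p)} written to Startup folder"
    return None


def check_geo_query(ev):
    """Script host reading the configured country code (geofence check)."""
    if ev["key"].lower().endswith(GEO_KEY) and is_script_host(ev["image"]):
        return f"{basename(ev['image'])} reads Geo\\Nation (country code, possible geofence)"
    return None


RULES = {  # event type -> (ATT&CK technique, rule)
    "process": ("T1059 script host execution", check_process),
    "registry_set": ("T1547.001 Run key persistence", check_run_value),
    "file_create": ("T1547.001 Startup folder persistence", check_startup_file),
    "registry_query": ("T1614 system location discovery", check_geo_query),
}


def hunt(events):
    """Return (technique, pid, detail) for every event that trips a rule."""
    findings = []
    for ev in events:
        technique, rule = RULES.get(ev["type"], (None, None))
        detail = rule(ev) if rule else None
        if detail:
            findings.append((technique, ev["pid"], detail))
    return findings


HKCU = r"HKU\S-1-5-21-1809750270-3141839489-3074374771-1000"
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
EVENTS = [  # constructed from the report; PID-to-script mapping and explorer.exe parent are assumed
    {"type": "process", "pid": 4644, "image": WSCRIPT, "parent_image": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Maersk Sets Documents.js"'},
    {"type": "registry_query", "pid": 4644, "image": WSCRIPT, "key": HKCU + r"\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 4584, "image": WSCRIPT, "parent_image": WSCRIPT,
     "cmd": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\quFMSWkFxm.js"'},
    {"type": "process", "pid": 4672, "image": WSCRIPT, "parent_image": WSCRIPT,
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"'},
    {"type": "registry_set", "pid": 4584, "key": HKCU + RUN, "name": "YVBPFHTJIQ",
     "data": r'"C:\Users\Admin\AppData\Roaming\quFMSWkFxm.js"'},
    {"type": "registry_set", "pid": 4672, "key": HKCU + RUN, "name": "test",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\test.vbs"'},
    {"type": "registry_set", "pid": 4672, "key": "HKLM" + RUN, "name": "test",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\test.vbs"'},
    {"type": "file_create", "pid": 4672, "path": STARTUP + r"\test.vbs"},
    {"type": "file_create", "pid": 4584, "path": STARTUP + r"\quFMSWkFxm.js"},
]

if __name__ == "__main__":
    for technique, pid, detail in hunt(EVENTS):
        print(f"[{technique}] pid {pid}: {detail}")
```

Running hunt(EVENTS) yields nine findings: three script-host executions (two of them chained under another script host, one in batch mode), three Run values, two Startup folder drops and the Geo\Nation read. The Run-key rule deliberately treats a value that names a bare .js or .vbs file (as YVBPFHTJIQ does) the same as one that invokes wscript.exe explicitly, since both start the script at logon; the user-writable path filter keeps signed system scripts such as those under System32 out of the results.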
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
- C:\Users\Admin\AppData\Local\Temp\test.vbs
  Filesize: 13KB
  MD5: fcab27f1e1e9316c441368eb38fea59c
  SHA1: 37e0c7c153b5983cb175a1bcfbe2fc7960606568
  SHA256: 7a535dd7f5f8dc5193c7184ea0278f862e06485c369821747af71b174000fdb6
  SHA512: ed83503d8af7abf3f342719539f6f305a9fc34d45b4fe7c5dcfd68855dc76e76fe5cbed111303d3f7c1e4171cef779ace81d2e0d810ef02dd0b7c8ec6955894c
- C:\Users\Admin\AppData\Roaming\quFMSWkFxm.js
  Filesize: 9KB
  MD5: c16ce4cee2d0306bfdb474bcd0dac7d2
  SHA1: a006c5c9b53faa68e7fee669b9b1526d8e36e36f
  SHA256: c70607ee78ed62e79ac29ecc0218f77bc6800b0ff03c807d6c10d869b46a3c5e
  SHA512: e3290deb093c90b42225a31fc21cdddcdab65206f7ae19910ca264c36125b91bf027baa6b22dfaab893c169e0b59e2432e4aa9f58e59c947f97ba882b036b19f
- memory/4584-130-0x0000000000000000-mapping.dmp
- memory/4672-132-0x0000000000000000-mapping.dmp
The Startup folder copies of test.vbs and quFMSWkFxm.js are not listed separately, so whether they are byte-identical to the two files above is not stated in the report; hash them on the host before relying on these values for blocking.