Analysis
- max time kernel: 152s
- max time network: 177s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 15-06-2022 10:49
- Static task: static1
- Behavioral task: behavioral1 (sample PO00498221.js, resource win7-20220414-en)
- Behavioral task: behavioral2 (sample PO00498221.js, resource win10v2004-20220414-en)
General
- Target: PO00498221.js
- Size: 47KB
- MD5: 84b89a74efeee5ada47c8873f1716071
- SHA1: 79aeef590dfb5ffd6e0c7a3b17db18e27ad883fb
- SHA256: 2fcb91ed942cf840ed6e2c38005f26b5bdd3d69488a018e2c23c546a66423638
- SHA512: a0569e8cba284e88f144ea722dc0eae54ce8385eaa666a5bc7c732e870938cd3614a3c12da5717593489b6e6b17f9bb8bdf7668cae49ebcf4f9842f20192760c
Malware Config
Signatures
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request (34 IoCs)
  Processes (flow, pid, process):
  - flows 6, 8, 12, 16, 18, 19, 24, 28, 31, 35, 38, 42, 48, 50, 54, 59: PID 1704 wscript.exe
  - flows 7, 14, 22, 25, 26, 29, 33, 34, 37, 40, 41, 45, 46, 49, 52, 53, 57, 58: PID 948 wscript.exe
- Drops startup file (4 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ejike.vbs (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spHAeMTgHF.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spHAeMTgHF.js (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ejike.vbs (wscript.exe)
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ejike = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ejike.vbs\"" (wscript.exe)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejike = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ejike.vbs\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\spHAeMTgHF.js\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 1616 wrote to memory of 1704: 1616 wscript.exe -> wscript.exe
  - PID 1616 wrote to memory of 1704: 1616 wscript.exe -> wscript.exe
  - PID 1616 wrote to memory of 1704: 1616 wscript.exe -> wscript.exe
  - PID 1616 wrote to memory of 948: 1616 wscript.exe -> wscript.exe
  - PID 1616 wrote to memory of 948: 1616 wscript.exe -> wscript.exe
  - PID 1616 wrote to memory of 948: 1616 wscript.exe -> wscript.exe
Processes
- C:\Windows\system32\wscript.exe (PID 1616)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO00498221.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 1704)
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\spHAeMTgHF.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (PID 948)
    command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\ejike.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ejike.vbs
  Filesize: 13KB
  MD5: 7cc6dd150c0252491d11af69da01800a
  SHA1: f38f64d89c21347049d3651c07532f5ec8741459
  SHA256: 52044f4d57cc20e56a0087b0f3b516567b23debfc250a8f54f9b4c853da0fd38
  SHA512: fffc47c9dd97688b400cc8bb6db9b073a713705f54a0db11243bfe062850d26ed030028792a279e2226761c50cac7dd8c468f2e7908f844fd70afbcf579649b8
- C:\Users\Admin\AppData\Roaming\spHAeMTgHF.js
  Filesize: 9KB
  MD5: c576dc63c42e5e08a7fb375c7a0791bc
  SHA1: 22009107c606ac099b157e38653d5c325c9b0c8b
  SHA256: f3afa68cd5ba1c5466c1215913fb9bacca94d40c07c758e93fafc495af15ba9f
  SHA512: 185bd10e42bb15312cd8af5a1b5e6aee3d1a85744607117161566ad67fc4108d959f9fa05b8ccd27e218de03272945aafa2127be3631014f7c164a80b631ab48
- memory/948-56-0x0000000000000000-mapping.dmp
- memory/1616-54-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp
  Filesize: 8KB
- memory/1704-55-0x0000000000000000-mapping.dmp