Analysis
- max time kernel: 151s
- max time network: 204s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 06:39
Static task: static1
Behavioral task: behavioral1
- Sample: New-Order.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: New-Order.js
- Resource: win10v2004-20220414-en
General
- Target: New-Order.js
- Size: 90KB
- MD5: 887c83e306335e36f6e81cdd30f527e2
- SHA1: 3ec7601bb106ba9bb4639e75b9466adaf52e5607
- SHA256: 365fb34e5d2f5f4a143599765d0ac0f34dc1b6cddf857c6cf8f87f17d7408f1b
- SHA512: 3dddd2b196538e2c684435e7f451b236c21b4e042716d4dc6cc791b64d77fd7395b11a4f45a69203e31f95b6f5e32bd86d8e533b66b2eed86e12e89b4907a814
Malware Config
Signatures
- Blocklisted process makes network request (46 IoCs)
Processes: wscript.exe, wscript.exe
Network flows by process (flow id -> pid, process):
pid 2032 (wscript.exe): flows 7, 10, 14, 20, 24, 28, 34, 38, 42, 48, 52, 56, 62, 66, 70, 76
pid 1992 (wscript.exe): flows 8, 9, 12, 13, 16, 18, 22, 23, 26, 27, 31, 32, 36, 37, 40, 41, 45, 46, 50, 51, 54, 55, 58, 60, 64, 65, 67, 69, 72, 74

- Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
description / ioc / process:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kay.vbs (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kay.vbs (wscript.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvvsJzsPhE.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvvsJzsPhE.js (wscript.exe)

- Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: wscript.exe, wscript.exe
description / ioc / process:
Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run (wscript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\kay = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kay.vbs\"" (wscript.exe)
Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kay = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kay.vbs\"" (wscript.exe)
Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\cvvsJzsPhE.js\"" (wscript.exe)

- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe
description / pid / process / target process:
PID 1516 wrote to memory of 2032 (1516 wscript.exe -> wscript.exe)
PID 1516 wrote to memory of 2032 (1516 wscript.exe -> wscript.exe)
PID 1516 wrote to memory of 2032 (1516 wscript.exe -> wscript.exe)
PID 1516 wrote to memory of 1992 (1516 wscript.exe -> wscript.exe)
PID 1516 wrote to memory of 1992 (1516 wscript.exe -> wscript.exe)
PID 1516 wrote to memory of 1992 (1516 wscript.exe -> wscript.exe)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\New-Order.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cvvsJzsPhE.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (child)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\kay.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\kay.vbs
  Filesize: 13KB
  MD5: 176af413683987deea53dbad395c8027
  SHA1: f3b812fb7332428198a741ab6dd87512de3d90b7
  SHA256: 54c8679f246a73a270a028047bd7a6e99ef4b8ca4c1fedaa3ef8f721c374ae8b
  SHA512: 99afe74936a00618b1380c7ee0a64c31adf8948286576c0c14f6c63d00ca9160d66c95b5a2fe99855d6bbf03412180e0f01e9e817caa24f74449dad513808dd9
- C:\Users\Admin\AppData\Roaming\cvvsJzsPhE.js
  Filesize: 24KB
  MD5: 169755648aaba2c23fb1b231a712c8a1
  SHA1: 31cfa09f2acd9b2df004f6934ffcd5bc8919d5b6
  SHA256: 9610c1b7745f4e5ba3f0034cf634ee5b00ea01a9dcaecc23853ed064296d1eda
  SHA512: 08c4aa0a41c50673ceeaf7f47b6c0615421e275907551841d229818d6d40d3a15eab2be21da602036ad34ebd8a7adec968fb41c0cd2fe5c5dfe5e7b9f4330c11
- memory/1516-54-0x000007FEFB801000-0x000007FEFB803000-memory.dmp
  Filesize: 8KB
- memory/1992-56-0x0000000000000000-mapping.dmp
- memory/2032-55-0x0000000000000000-mapping.dmp