Analysis
  max time kernel:  150s
  max time network: 155s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220414-en
  submitted:        16-06-2022 06:39

  Static task      static1
  Behavioral task  behavioral1  Sample: New-Order.js  Resource: win7-20220414-en
  Behavioral task  behavioral2  Sample: New-Order.js  Resource: win10v2004-20220414-en
General
  Target: New-Order.js
  Size:   90KB
  MD5:    887c83e306335e36f6e81cdd30f527e2
  SHA1:   3ec7601bb106ba9bb4639e75b9466adaf52e5607
  SHA256: 365fb34e5d2f5f4a143599765d0ac0f34dc1b6cddf857c6cf8f87f17d7408f1b
  SHA512: 3dddd2b196538e2c684435e7f451b236c21b4e042716d4dc6cc791b64d77fd7395b11a4f45a69203e31f95b6f5e32bd86d8e533b66b2eed86e12e89b4907a814
Malware Config
Signatures

Blocklisted process makes network request (38 IoCs)
  Processes: wscript.exe, wscript.exe
  Network flows (flow id) per process:
    PID 4496 wscript.exe: 5, 11, 14, 21, 32, 35, 40, 50, 55, 59, 60, 62, 66, 68, 70, 71, 73, 75, 77, 79, 80
    PID 1356 wscript.exe: 6, 12, 20, 27, 36, 41, 53, 58, 61, 63, 67, 69, 72, 74, 76, 78, 81

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  (wscript.exe)

Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
  File created:               C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kay.vbs  (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kay.vbs  (wscript.exe)
  File created:               C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvvsJzsPhE.js  (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvvsJzsPhE.js  (wscript.exe)

Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: wscript.exe, wscript.exe
  Key created:     \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run  (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\cvvsJzsPhE.js\""  (wscript.exe)
  Key created:     \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\software\microsoft\windows\currentversion\run  (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kay = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kay.vbs\""  (wscript.exe)
  Key created:     \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run  (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kay = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kay.vbs\""  (wscript.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
  description                      pid  process      target process
  PID 940 wrote to memory of 1356  940  wscript.exe  wscript.exe
  PID 940 wrote to memory of 1356  940  wscript.exe  wscript.exe
  PID 940 wrote to memory of 4496  940  wscript.exe  wscript.exe
  PID 940 wrote to memory of 4496  940  wscript.exe  wscript.exe
Processes
  [1] C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\New-Order.js
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cvvsJzsPhE.js"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application

    [2] C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\kay.vbs"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\kay.vbs
    Filesize: 13KB
    MD5:      176af413683987deea53dbad395c8027
    SHA1:     f3b812fb7332428198a741ab6dd87512de3d90b7
    SHA256:   54c8679f246a73a270a028047bd7a6e99ef4b8ca4c1fedaa3ef8f721c374ae8b
    SHA512:   99afe74936a00618b1380c7ee0a64c31adf8948286576c0c14f6c63d00ca9160d66c95b5a2fe99855d6bbf03412180e0f01e9e817caa24f74449dad513808dd9

  C:\Users\Admin\AppData\Roaming\cvvsJzsPhE.js
    Filesize: 24KB
    MD5:      169755648aaba2c23fb1b231a712c8a1
    SHA1:     31cfa09f2acd9b2df004f6934ffcd5bc8919d5b6
    SHA256:   9610c1b7745f4e5ba3f0034cf634ee5b00ea01a9dcaecc23853ed064296d1eda
    SHA512:   08c4aa0a41c50673ceeaf7f47b6c0615421e275907551841d229818d6d40d3a15eab2be21da602036ad34ebd8a7adec968fb41c0cd2fe5c5dfe5e7b9f4330c11

  memory/1356-130-0x0000000000000000-mapping.dmp
  memory/4496-131-0x0000000000000000-mapping.dmp