Analysis
Max time kernel: 167s
Max time network: 175s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 16-06-2022 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: PO scan copy.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO scan copy.js
  Resource: win10v2004-20220414-en
General
Target: PO scan copy.js
Size: 90KB
MD5: 38e8ff0f57ff64b5511dd56676b1053a
SHA1: fbae99edd1a3acdb9ceacef8a0da3e0dc51ecca9
SHA256: d4525203fe3f04c24c96df5d52770f3a99357bd244006abd28d782ddcdffbd29
SHA512: a020891cae1fb9b8a30e6d16dc564c127d50f1ffc656838dea55aeef323571a03706d883e7fc31d9695c9f6c644b4bfa9d81bc5cedadd20426839f627a34a4a6
Malware Config
Signatures
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request (42 IoCs)
Processes: wscript.exe (PID 1524), wscript.exe (PID 1368)
flow | pid  | process
6    | 1524 | wscript.exe
7    | 1368 | wscript.exe
8    | 1368 | wscript.exe
9    | 1524 | wscript.exe
11   | 1368 | wscript.exe
13   | 1368 | wscript.exe
14   | 1524 | wscript.exe
17   | 1368 | wscript.exe
18   | 1368 | wscript.exe
19   | 1524 | wscript.exe
21   | 1368 | wscript.exe
22   | 1524 | wscript.exe
24   | 1368 | wscript.exe
25   | 1368 | wscript.exe
27   | 1524 | wscript.exe
29   | 1368 | wscript.exe
30   | 1524 | wscript.exe
32   | 1368 | wscript.exe
33   | 1368 | wscript.exe
34   | 1524 | wscript.exe
36   | 1368 | wscript.exe
37   | 1368 | wscript.exe
39   | 1524 | wscript.exe
41   | 1368 | wscript.exe
43   | 1524 | wscript.exe
44   | 1368 | wscript.exe
45   | 1368 | wscript.exe
46   | 1524 | wscript.exe
48   | 1368 | wscript.exe
49   | 1368 | wscript.exe
51   | 1524 | wscript.exe
53   | 1368 | wscript.exe
55   | 1524 | wscript.exe
56   | 1368 | wscript.exe
57   | 1368 | wscript.exe
58   | 1524 | wscript.exe
60   | 1368 | wscript.exe
61   | 1368 | wscript.exe
62   | 1524 | wscript.exe
65   | 1368 | wscript.exe
67   | 1524 | wscript.exe
68   | 1368 | wscript.exe
- Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.vbs | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.vbs | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YEZiWznaVZ.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YEZiWznaVZ.js | wscript.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.vbs\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\YEZiWznaVZ.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.vbs\"" | wscript.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe
description | pid | process | target process
PID 1972 wrote to memory of 1524 | 1972 | wscript.exe | wscript.exe
PID 1972 wrote to memory of 1524 | 1972 | wscript.exe | wscript.exe
PID 1972 wrote to memory of 1524 | 1972 | wscript.exe | wscript.exe
PID 1972 wrote to memory of 1368 | 1972 | wscript.exe | wscript.exe
PID 1972 wrote to memory of 1368 | 1972 | wscript.exe | wscript.exe
PID 1972 wrote to memory of 1368 | 1972 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO scan copy.js"
  - Suspicious use of WriteProcessMemory
  PID: 1972
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YEZiWznaVZ.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID: 1524
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID: 1368
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\test.vbs
  Filesize: 13KB
  MD5: 6496e81b6236c0bca1386f8b70e56259
  SHA1: 9098ac9c420f0addc7fd57af1767c461358dcb13
  SHA256: b6f6b2a90f44fa6f4ebe6ecc62dbb59d2c9f622966c5a6af2eee09829c44e4aa
  SHA512: 39de83482ee0ec69981278c133939a87e528a5db1294aeea2abf5b548a6377ff271d3a5fa1cca0375366b8b1316203a09dae51c1f7d736133109f74e463d018e
- C:\Users\Admin\AppData\Roaming\YEZiWznaVZ.js
  Filesize: 24KB
  MD5: 663359be3238fc99a235e3c09b123038
  SHA1: 4f67d973c36edd1b237f55dbb3fc151c1d1a2690
  SHA256: e80721ceda82ea8d64cc5a1667bf93bacab6ec3d44be958ae0412d4512ac45f6
  SHA512: e83677189f3133b8029007521aebfcd19644febe4b56e51ed78b9fce7e36adcf8a990de7fbc21cc57a25ff4c0c567f99bf7a8e260dda1183222da66d0169de9e
- memory/1368-56-0x0000000000000000-mapping.dmp
- memory/1524-55-0x0000000000000000-mapping.dmp
- memory/1972-54-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp
  Filesize: 8KB