Analysis
- max time kernel: 167s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: PO scan copy.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO scan copy.js
  Resource: win10v2004-20220414-en
General
- Target: PO scan copy.js
- Size: 90KB
- MD5: 38e8ff0f57ff64b5511dd56676b1053a
- SHA1: fbae99edd1a3acdb9ceacef8a0da3e0dc51ecca9
- SHA256: d4525203fe3f04c24c96df5d52770f3a99357bd244006abd28d782ddcdffbd29
- SHA512: a020891cae1fb9b8a30e6d16dc564c127d50f1ffc656838dea55aeef323571a03706d883e7fc31d9695c9f6c644b4bfa9d81bc5cedadd20426839f627a34a4a6
Malware Config
Signatures
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request (27 IoCs)
  Processes: wscript.exe (PID 1108), wscript.exe (PID 2480)
  flow | pid  | process
  4    | 2480 | wscript.exe
  7    | 1108 | wscript.exe
  14   | 2480 | wscript.exe
  23   | 1108 | wscript.exe
  27   | 1108 | wscript.exe
  31   | 1108 | wscript.exe
  36   | 2480 | wscript.exe
  38   | 2480 | wscript.exe
  41   | 1108 | wscript.exe
  47   | 1108 | wscript.exe
  48   | 2480 | wscript.exe
  52   | 2480 | wscript.exe
  53   | 1108 | wscript.exe
  54   | 2480 | wscript.exe
  61   | 1108 | wscript.exe
  63   | 2480 | wscript.exe
  64   | 2480 | wscript.exe
  65   | 1108 | wscript.exe
  66   | 2480 | wscript.exe
  71   | 1108 | wscript.exe
  72   | 2480 | wscript.exe
  73   | 2480 | wscript.exe
  74   | 1108 | wscript.exe
  75   | 2480 | wscript.exe
  78   | 2480 | wscript.exe
  79   | 1108 | wscript.exe
  80   | 2480 | wscript.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YEZiWznaVZ.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YEZiWznaVZ.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.vbs | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.vbs | wscript.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: wscript.exe, wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.vbs\"" | wscript.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.vbs\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\YEZiWznaVZ.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 4640 wrote to memory of 1108 | 4640 | wscript.exe | wscript.exe
  PID 4640 wrote to memory of 1108 | 4640 | wscript.exe | wscript.exe
  PID 4640 wrote to memory of 2480 | 4640 | wscript.exe | wscript.exe
  PID 4640 wrote to memory of 2480 | 4640 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO scan copy.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YEZiWznaVZ.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe
    command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\test.vbs
  Filesize: 13KB
  MD5: 6496e81b6236c0bca1386f8b70e56259
  SHA1: 9098ac9c420f0addc7fd57af1767c461358dcb13
  SHA256: b6f6b2a90f44fa6f4ebe6ecc62dbb59d2c9f622966c5a6af2eee09829c44e4aa
  SHA512: 39de83482ee0ec69981278c133939a87e528a5db1294aeea2abf5b548a6377ff271d3a5fa1cca0375366b8b1316203a09dae51c1f7d736133109f74e463d018e
- C:\Users\Admin\AppData\Roaming\YEZiWznaVZ.js
  Filesize: 24KB
  MD5: 663359be3238fc99a235e3c09b123038
  SHA1: 4f67d973c36edd1b237f55dbb3fc151c1d1a2690
  SHA256: e80721ceda82ea8d64cc5a1667bf93bacab6ec3d44be958ae0412d4512ac45f6
  SHA512: e83677189f3133b8029007521aebfcd19644febe4b56e51ed78b9fce7e36adcf8a990de7fbc21cc57a25ff4c0c567f99bf7a8e260dda1183222da66d0169de9e
- memory/1108-130-0x0000000000000000-mapping.dmp
- memory/2480-131-0x0000000000000000-mapping.dmp