Analysis
max time kernel: 151s
max time network: 156s
platform: windows7_x64
resource: win7-20220414-en
submitted: 16-06-2022 10:42

Static task: static1
Behavioral task: behavioral1
  Sample: File 2.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: File 2.js
  Resource: win10v2004-20220414-en

The signatures, process tree and dropped files below are from the windows7_x64 run (behavioral1, resource win7-20220414-en).
General
Target: File 2.js
Size: 51KB
MD5: 199c37a6953be6415f368cafa8525133
SHA1: c28cfdd4d9f80ba3873a134f9f21815e0b6540bc
SHA256: cfe9dc76a15fae96808fa814135113d763fcf418aae410cea34580b15fb00edd
SHA512: 4cb1beada3ec189732331926b5db39d51654dbea5ae9bfe764d63636adf788312c2be7513c40186480d4140882b0a251dda292e7437aa3fc8ca437508ba7c044
Malware Config
Signatures
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
-
Blocklisted process makes network request (41 IoCs)
Processes: wscript.exe, wscript.exe
The blocklisted process is wscript.exe (a script host the sandbox treats as a living-off-the-land binary); the flow numbers are the network flow IDs of the requests each child script host made, grouped here by pid.
pid 1964 wscript.exe: flows 6, 10, 12, 18, 22, 25, 30, 32, 36, 40, 44, 48, 51, 55, 59, 63 (16 requests)
pid 2000 wscript.exe: flows 7, 8, 11, 13, 16, 20, 21, 24, 27, 28, 31, 34, 35, 39, 41, 43, 45, 46, 50, 53, 54, 57, 58, 61, 64 (25 requests)
Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
description                    ioc                                                                                      process
File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs       wscript.exe
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs       wscript.exe
File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oCrgSTqqkH.js  wscript.exe
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oCrgSTqqkH.js  wscript.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: wscript.exe, wscript.exe
description       ioc                                                                                                                                                                                        process
Key created       \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                   wscript.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\oCrgSTqqkH.js\""             wscript.exe
Key created       \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\software\microsoft\windows\currentversion\run                                                                                   wscript.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\hwo1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hwo1.vbs\""      wscript.exe
Key created       \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                                                             wscript.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwo1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hwo1.vbs\""                                                wscript.exe
Note: the .js stage persists per-user only (HKCU Run value YVBPFHTJIQ plus the Startup folder copy), while the .vbs stage writes the same hwo1 Run value under both HKCU and HKLM. The HKLM write succeeding means the script host ran with administrative rights in this sandbox; on a standard-user host only the HKCU and Startup-folder persistence would land. The //B switch runs WSH in batch mode, suppressing script error dialogs.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's default annotation for this heuristic is "likely ransomware behaviour", but taken together with the Houdini/H-Worm/WSHRAT check-in signatures above, drive enumeration here is more consistent with the worm's removable-drive propagation than with file encryption.
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe
description                     source pid  source process  target pid  target process
PID 1164 wrote to memory of     1164        wscript.exe     1964        wscript.exe   (3 writes)
PID 1164 wrote to memory of     1164        wscript.exe     2000        wscript.exe   (3 writes)
Three writes by the parent into each freshly created child, and nothing else, is what ordinary parent-to-child process setup looks like; read this as the loader spawning its two stages, not as code injection.
Processes
C:\Windows\system32\wscript.exe (PID 1164)
  command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\File 2.js"
  - Suspicious use of WriteProcessMemory
  children (PIDs 1964 and 2000):
  C:\Windows\System32\wscript.exe
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oCrgSTqqkH.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  C:\Windows\System32\wscript.exe
    command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hwo1.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
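As an added example, not part of the sandbox report, the following Python turns the persistence and process-tree IoCs above into host-side detection logic and runs it over constructed endpoint telemetry. The pids, paths, Run values and Startup-folder drops are taken from the report; the event layout (Sysmon-style dicts), the rule names, the assignment of pid 1964 to the .js stage and pid 2000 to the .vbs stage, and the two benign decoy events are assumptions made for the example.

```python
"""Host-side detection for the WSH persistence chain in the report above.

Added example, not part of the sandbox output. EVENTS is constructed telemetry
modelled on the report's IoCs plus two benign decoys; the event shape, rule
names and the pid-to-stage mapping are assumptions.
"""
import re
from collections import defaultdict

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
WSH_HOST_RE = re.compile(r"(?:^|\\)(?:w|c)script\.exe$", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)

# Constructed telemetry (pids, paths, key names and values are the report's;
# the OneDrive Run value and logon.vbs launch are benign decoys).
EVENTS = [
    {"type": "process", "pid": 1164, "ppid": 900,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\File 2.js"'},
    {"type": "process", "pid": 1964, "ppid": 1164,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oCrgSTqqkH.js"'},
    {"type": "process", "pid": 2000, "ppid": 1164,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hwo1.vbs"'},
    {"type": "registry", "pid": 1964,
     "key": r"HKU\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ",
     "value": r'"C:\Users\Admin\AppData\Roaming\oCrgSTqqkH.js"'},
    {"type": "registry", "pid": 2000,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwo1",
     "value": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\hwo1.vbs"'},
    {"type": "file", "pid": 2000,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hwo1.vbs"},
    {"type": "file", "pid": 1964,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oCrgSTqqkH.js"},
    {"type": "registry", "pid": 3000,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"type": "process", "pid": 3100, "ppid": 900,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\logon.vbs"'},
]


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def script_path(cmdline):
    """Return the first argument that names a WSH script file, else None."""
    for tok in tokens(cmdline):
        if tok.lower().endswith(SCRIPT_EXT):
            return tok
    return None


def detect(events):
    """Return {pid: set(rule_names)} for every pid that trips at least one rule."""
    hits = defaultdict(set)
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}

    for e in events:
        if e["type"] == "process" and WSH_HOST_RE.search(e["image"]):
            script = script_path(e["cmdline"])
            # Rule 1: WSH host running a script out of the user profile
            # (Temp, Roaming); //B is the batch switch that silences errors.
            if script and USER_PROFILE_RE.search(script):
                hits[e["pid"]].add("wsh_script_from_user_profile")
            # Rule 2: a WSH host launched by another WSH host, the hand-off
            # the report shows (1164 -> 1964, 1164 -> 2000).
            parent = image_by_pid.get(e.get("ppid"))
            if parent and WSH_HOST_RE.search(parent):
                hits[e["pid"]].add("wsh_spawns_wsh")
        elif e["type"] == "registry" and RUN_KEY_RE.search(e["key"]):
            # Rule 3: Run value (HKCU or HKLM) whose command names a script file.
            if script_path(e["value"]):
                hits[e["pid"]].add("run_key_points_to_script")
        elif e["type"] == "file" and STARTUP_RE.search(e["path"]):
            # Rule 4: script file dropped into the per-user Startup folder.
            if e["path"].lower().endswith(SCRIPT_EXT):
                hits[e["pid"]].add("startup_folder_script_drop")
    return dict(hits)


def triage(events, min_rules=2):
    """Pids matching at least min_rules distinct rules, most suspicious first."""
    return sorted(((pid, sorted(r)) for pid, r in detect(events).items()
                   if len(r) >= min_rules), key=lambda x: -len(x[1]))


if __name__ == "__main__":
    for pid, rules in triage(EVENTS):
        print(pid, ", ".join(rules))
```

Requiring two distinct rules before escalating keeps the loader (pid 1164, which only runs a script from Temp) and the decoys out of the triage list, while both persistence stages match all four rules. On a real estate the same rules map onto Sysmon event IDs 1 (process create), 13 (registry value set) and 11 (file create).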
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The two dropped files are the second-stage persistence scripts launched in the process tree above; both are written to %AppData%\Roaming by the 51KB loader.

C:\Users\Admin\AppData\Roaming\hwo1.vbs
  Filesize: 13KB
  MD5: 0fa22927ed90ae0bfbc0fbc979d566ff
  SHA1: c6562835566afe7eded525f68a0cfdf6f82b4a0a
  SHA256: 9ec1848a60e25d9bf6f2d3dd2e607e269a259925b143ea20ee7dfbe58f7152e7
  SHA512: 8692696d841a50b811e21384ee040cbeb478cfe5a2f093ed7b6d1869ae910c590ad940771d9f95a76880f4c25d637d4f29fbe14e2c16b6a424e54a48812b7203

C:\Users\Admin\AppData\Roaming\oCrgSTqqkH.js
  Filesize: 10KB
  MD5: 2a51c61b3c71bf82152d9bf999f6d17a
  SHA1: 7797cb26749b99890927c177fbbf7fd82e65c28a
  SHA256: f730012c1425907bc39cc75f7992ab2246f6b560c48e3fccf68f848989708837
  SHA512: aab4bee725b1d776aa07cad3cbe628c1d4069540f1ee8d941cc3fc641f9fa220479b203a83338b99f6d00487f9cb4854184b1f05749dbcc8eff2f5909c8c190f

memory/1164-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
  Filesize: 8KB
memory/1964-55-0x0000000000000000-mapping.dmp
memory/2000-56-0x0000000000000000-mapping.dmp