Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 17-06-2022 08:24
Static task: static1
Behavioral task: behavioral1
- Sample: New Order.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: New Order.js
- Resource: win10v2004-20220414-en
General
- Target: New Order.js
- Size: 102KB
- MD5: f890e7d367f88ec86a590713f93891b5
- SHA1: a179e35efd7a8fa0eb5216b4d3e65e8e8935493c
- SHA256: c673548131b745edf8a8ec0737790633ec0a44aef9771ac4d4ff301fd915d2e0
- SHA512: 63a9adb256314a0acc4f8491dcb6b7e4471ecdfcfc9e40a659689d5f836d2807275de15e9d44823c67a662d421a783d58f6addcef44231aa7ac029b0e450ba22
Malware Config
Signatures
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request (40 IoCs)
  Processes: wscript.exe, wscript.exe
  flow  pid   process
  6     1524  wscript.exe
  7     1776  wscript.exe
  8     1776  wscript.exe
  9     1524  wscript.exe
  11    1776  wscript.exe
  12    1776  wscript.exe
  14    1524  wscript.exe
  16    1776  wscript.exe
  17    1524  wscript.exe
  19    1776  wscript.exe
  21    1776  wscript.exe
  23    1524  wscript.exe
  24    1776  wscript.exe
  25    1776  wscript.exe
  27    1524  wscript.exe
  29    1776  wscript.exe
  30    1524  wscript.exe
  32    1776  wscript.exe
  33    1776  wscript.exe
  34    1524  wscript.exe
  36    1776  wscript.exe
  37    1776  wscript.exe
  39    1524  wscript.exe
  41    1776  wscript.exe
  42    1776  wscript.exe
  44    1524  wscript.exe
  45    1776  wscript.exe
  46    1776  wscript.exe
  47    1524  wscript.exe
  49    1524  wscript.exe
  52    1524  wscript.exe
  54    1776  wscript.exe
  55    1776  wscript.exe
  57    1524  wscript.exe
  58    1776  wscript.exe
  60    1524  wscript.exe
  61    1776  wscript.exe
  63    1776  wscript.exe
  64    1524  wscript.exe
  66    1776  wscript.exe
- Drops startup file (4 IoCs)
  Processes: wscript.exe, wscript.exe
  description / ioc / process
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\banga.vbs (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\banga.vbs (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qwbDCtDwoT.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qwbDCtDwoT.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: wscript.exe, wscript.exe
  description / ioc / process
  - Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\banga = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\banga.vbs\"" (wscript.exe)
  - Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\banga = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\banga.vbs\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\qwbDCtDwoT.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: wscript.exe
  description                        pid  process      target process
  PID 880 wrote to memory of 1524    880  wscript.exe  wscript.exe
  PID 880 wrote to memory of 1524    880  wscript.exe  wscript.exe
  PID 880 wrote to memory of 1524    880  wscript.exe  wscript.exe
  PID 880 wrote to memory of 1776    880  wscript.exe  wscript.exe
  PID 880 wrote to memory of 1776    880  wscript.exe  wscript.exe
  PID 880 wrote to memory of 1776    880  wscript.exe  wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order.js"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (child process)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qwbDCtDwoT.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe (child process)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\banga.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\banga.vbs
  Filesize: 13KB
  MD5: 176af413683987deea53dbad395c8027
  SHA1: f3b812fb7332428198a741ab6dd87512de3d90b7
  SHA256: 54c8679f246a73a270a028047bd7a6e99ef4b8ca4c1fedaa3ef8f721c374ae8b
  SHA512: 99afe74936a00618b1380c7ee0a64c31adf8948286576c0c14f6c63d00ca9160d66c95b5a2fe99855d6bbf03412180e0f01e9e817caa24f74449dad513808dd9
- C:\Users\Admin\AppData\Roaming\qwbDCtDwoT.js
  Filesize: 28KB
  MD5: 02dfcde710c26f469f0b5d931926840e
  SHA1: 5985779d32ee71ea07cb6e8f14767f1238fab1bb
  SHA256: 59a6cd007dc4f1ab77cfb404ac08e54ed63b29e442ba5842db00daf4a0fee890
  SHA512: d8d25488e63e9333de10e8a90d232eba656a47d2bdb7e20c4ceee995e6e24b3834774e4e76bf2d90752191ed466d1b3eb6fd4e593610f502f37d2664abe66553
- memory/880-54-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmp
  Filesize: 8KB
- memory/1524-55-0x0000000000000000-mapping.dmp
- memory/1776-56-0x0000000000000000-mapping.dmp