Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20220414-en
submitted: 17-06-2022 08:25

Static task: static1
Behavioral task behavioral1: sample Purchase Order.js, resource win7-20220414-en
Behavioral task behavioral2: sample Purchase Order.js, resource win10v2004-20220414-en
General
Target: Purchase Order.js
Size: 102KB
MD5: 96ed923c16d7a86c7f70675e508fdb77
SHA1: 6cc9cd0e2aee7833a9677c2db346778382d6a800
SHA256: 941e953be533b065e079b5dc1480cb6cba4db8db25343d6ada935cf0b293e60e
SHA512: 553118001a8a216285f6a1754a2b8adc7079028c10acb7c92ae9732aa7b687358246a4b41ca9ac69af8ab4f77b4d9595deb2ece0ac9ebdd9b6cff4a36083315e
Malware Config
Signatures
-
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
-
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
-
Blocklisted process makes network request 41 IoCs
Processes: wscript.exe (PID 1308), wscript.exe (PID 1280)
flow | pid | process
6, 10, 14, 18, 22, 26, 31, 35, 37, 42, 45, 50, 55, 57, 62, 65 | 1308 | wscript.exe (16 flows)
7, 8, 11, 12, 16, 19, 20, 24, 27, 29, 32, 33, 36, 39, 41, 44, 47, 48, 52, 53, 56, 59, 60, 64, 67 | 1280 | wscript.exe (25 flows)
-
Drops startup file 4 IoCs
Processes: wscript.exe, wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coco.vbs | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coco.vbs | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QleZiDKtJk.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QleZiDKtJk.js | wscript.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: wscript.exe, wscript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\coco = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\coco.vbs\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coco = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\coco.vbs\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\QleZiDKtJk.js\"" | wscript.exe
Two observations worth carrying into a detection: the coco entry is written under both HKCU and HKLM, which means the sample ran with administrative rights in this sandbox (on a standard-user host only the HKCU writes would succeed), and the //B switch is a Windows Script Host option that runs the script with no UI or script error dialogs, so the VBS stage stays invisible at logon.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour, but for this sample, which the Suricata rules above identify as Dunihi/Houdini/H-Worm, drive enumeration is consistent with that family's removable-drive propagation rather than with encryption; no file encryption activity is recorded anywhere in this report.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: wscript.exe
description | pid | process | target process
PID 1748 wrote to memory of 1308 | 1748 | wscript.exe | wscript.exe (3 entries)
PID 1748 wrote to memory of 1280 | 1748 | wscript.exe | wscript.exe (3 entries)
All six entries are the initial wscript.exe (PID 1748) writing into the two children it launches (1308 and 1280); a parent writing into a freshly created child is what ordinary process creation looks like to this signature, so on its own this is not evidence of code injection.
Processes
-
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order.js"
   - Suspicious use of WriteProcessMemory
   PID: 1748
   -
   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QleZiDKtJk.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
      PID: 1308
   -
   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
      PID: 1280
-
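The persistence chain visible in the process tree above (wscript.exe spawning wscript.exe with //B, scripts dropped into the Startup folder, Run values pointing at scripts under AppData) maps directly onto host-telemetry rules. The Python below is an added example written for this page, not code from the sandbox report or its tooling; it runs those rules over constructed, simplified Sysmon-style event records whose values mirror the behaviour listed in the report, plus two benign records that must not fire. The event field names and the rule names are this example's own assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed, simplified Sysmon-style records (field names are this example's own,
# not the sandbox's schema). Values mirror the behaviour listed in the report above;
# the last two records are benign noise that must not trigger anything.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1748, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order.js"'},
    {"type": "process", "pid": 1308, "parent_image": r"C:\Windows\system32\wscript.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\QleZiDKtJk.js"'},
    {"type": "process", "pid": 1280, "parent_image": r"C:\Windows\system32\wscript.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\coco.vbs"'},
    {"type": "file_create", "pid": 1308,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QleZiDKtJk.js"},
    {"type": "file_create", "pid": 1280,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coco.vbs"},
    {"type": "reg_set", "pid": 1280, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "coco", "data": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\coco.vbs"'},
    {"type": "reg_set", "pid": 1308, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "YVBPFHTJIQ", "data": r'"C:\Users\Admin\AppData\Roaming\QleZiDKtJk.js"'},
    {"type": "reg_set", "pid": 500, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"type": "file_create", "pid": 600,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
]

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
SILENT_FLAG = re.compile(r"(^|\s)//B(\s|$)", re.I)  # WSH host option: no UI, no script error dialogs


def script_paths(text):
    """Return the script-file paths referenced in a command line or registry value.
    Quoted arguments are kept whole so paths with spaces (Purchase Order.js) survive."""
    found = []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', text):
        candidate = quoted or bare
        if PureWindowsPath(candidate).suffix.lower() in SCRIPT_EXT:
            found.append(candidate)
    return found


def detect(events):
    """Run the persistence rules over event records; returns (rule, pid, detail) tuples."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = PureWindowsPath(ev["image"]).name.lower()
            parent = PureWindowsPath(ev["parent_image"]).name.lower()
            scripts = script_paths(ev["cmdline"])
            if image not in SCRIPT_HOSTS or not scripts:
                continue
            script = scripts[0]
            if USER_WRITABLE.search(script):
                findings.append(("wsh_script_from_user_dir", ev["pid"], script))
            if parent in SCRIPT_HOSTS:
                findings.append(("wsh_spawned_by_wsh", ev["pid"], script))
            if SILENT_FLAG.search(ev["cmdline"]):
                findings.append(("wsh_silent_flag", ev["pid"], script))
        elif ev["type"] == "file_create":
            path = ev["path"]
            if STARTUP_DIR.search(path) and PureWindowsPath(path).suffix.lower() in SCRIPT_EXT:
                findings.append(("startup_folder_script", ev["pid"], path))
        elif ev["type"] == "reg_set" and RUN_KEY.search(ev["key"]):
            scripts = script_paths(ev["data"])
            if scripts and (USER_WRITABLE.search(scripts[0]) or SILENT_FLAG.search(ev["data"])):
                findings.append(("run_key_script", ev["pid"], f'{ev["name"]} = {ev["data"]}'))
    return findings


def summarize(findings):
    """Group rule hits per PID; several distinct rules on one PID is the strong signal."""
    per_pid = defaultdict(set)
    for rule, pid, _ in findings:
        per_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in per_pid.items()}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, pid, detail in hits:
        print(f"{rule:26} pid={pid:<5} {detail}")
    print(summarize(hits))
```

Each rule on its own is noisy on a real fleet (legitimate logon scripts live under Startup, and some installers register Run values with wscript.exe), which is why summarize() groups hits per process: in the constructed data the two child processes each trip four or five distinct rules while the benign OneDrive and desktop.ini records trip none, and that stacking is the signal worth alerting on.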
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 13KB
MD5: c654a6599cf8a2a114c82cf39890527e
SHA1: 0fdd2f5ac577d5491cdad11e9ab9682eb29f2e3b
SHA256: cc7f0bb9d21b137fd799468d7e6823881134b5c18a2d48a24a69c5af3286bdcc
SHA512: dc954af78c3e4daaa53ee81cbab5b6831e95b6fa80e7fff56febf884389da5feb473207b0121a81d704755039ed3b8d3870f07620e5fc58161df1c82210bf357
-
Filesize: 28KB
MD5: e8908e1558ac022da33a07c8b5e8412d
SHA1: 7c355f06b4e50fa9b85e9d312d7e3f3614b894cf
SHA256: 57a54d7d2dfbaf1feb5dbf9599e4f393f1477dbf47bac32d35f90f13558cde1e
SHA512: a164bc999d45c84754b44783716bcca6a7266215b69cb8ca88f845d4d221c38ecf655979d3e2b4dba9ef7cadb445b11219a1ea0734bd244cec0974f4788cb640