Analysis
- max time kernel: 156s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 18-06-2022 07:37
Static task: static1
Behavioral task: behavioral1
- Sample: Electronic receipt #AMZ-HWRM-1605160622.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Electronic receipt #AMZ-HWRM-1605160622.js
- Resource: win10v2004-20220414-en
General
- Target: Electronic receipt #AMZ-HWRM-1605160622.js
- Size: 127KB
- MD5: 9279ce6d838dae04a670dd9414db00eb
- SHA1: 960f79f13370c8bbaafed34d188cec956abb9cf5
- SHA256: 6e5e0e9f651300eb398ab45b10aa881ce9218088fb6a48c0e381be206c44b7b4
- SHA512: 55cf16a3024f5c60d4374fa05f22e7f00f93c011e7a1dda180a2805768cfcb6bd12f52d303e7616e46de3e0bd14a238b83940b1393ed91b44787da0e4b3e8485
Malware Config
Signatures
-
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
-
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
-
Blocklisted process makes network request (42 IoCs)
Processes: wscript.exe, wscript.exe

flow  pid   process
6     1748  wscript.exe
7     700   wscript.exe
8     700   wscript.exe
10    1748  wscript.exe
11    700   wscript.exe
12    700   wscript.exe
13    1748  wscript.exe
16    700   wscript.exe
18    1748  wscript.exe
19    700   wscript.exe
21    700   wscript.exe
22    1748  wscript.exe
24    700   wscript.exe
26    1748  wscript.exe
27    700   wscript.exe
29    700   wscript.exe
31    1748  wscript.exe
32    700   wscript.exe
33    700   wscript.exe
35    1748  wscript.exe
36    700   wscript.exe
37    1748  wscript.exe
39    700   wscript.exe
41    700   wscript.exe
43    1748  wscript.exe
44    700   wscript.exe
45    700   wscript.exe
47    1748  wscript.exe
48    700   wscript.exe
49    1748  wscript.exe
51    700   wscript.exe
53    700   wscript.exe
55    1748  wscript.exe
56    700   wscript.exe
58    1748  wscript.exe
59    700   wscript.exe
60    700   wscript.exe
62    1748  wscript.exe
64    700   wscript.exe
65    700   wscript.exe
66    1748  wscript.exe
68    700   wscript.exe
-
Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe

description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrqblJSZkU.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrqblJSZkU.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs | wscript.exe
-
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe

description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\"" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\software\microsoft\windows\currentversion\run | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\qrqblJSZkU.js\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: wscript.exe, wscript.exe

description | pid | process | target process
PID 1964 wrote to memory of 1748 | 1964 | wscript.exe | wscript.exe
PID 1964 wrote to memory of 1748 | 1964 | wscript.exe | wscript.exe
PID 1964 wrote to memory of 1748 | 1964 | wscript.exe | wscript.exe
PID 1964 wrote to memory of 1768 | 1964 | wscript.exe | wscript.exe
PID 1964 wrote to memory of 1768 | 1964 | wscript.exe | wscript.exe
PID 1964 wrote to memory of 1768 | 1964 | wscript.exe | wscript.exe
PID 1768 wrote to memory of 700 | 1768 | wscript.exe | wscript.exe
PID 1768 wrote to memory of 700 | 1768 | wscript.exe | wscript.exe
PID 1768 wrote to memory of 700 | 1768 | wscript.exe | wscript.exe
Processes (process tree; indentation shows parent/child relationship)
- Image: C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Electronic receipt #AMZ-HWRM-1605160622.js"
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qrqblJSZkU.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - Image: C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\1.vbs"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\ProgramData\1.vbs"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\1.vbs
  Filesize: 13KB
  MD5: b35e3e27a51c38b3c80edb236338dc8a
  SHA1: 1e696d13ade727030d8f0c921e4a603402ccce49
  SHA256: d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f
  SHA512: bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677
- C:\Users\Admin\AppData\Roaming\1.vbs
  Filesize: 13KB
  MD5: b35e3e27a51c38b3c80edb236338dc8a
  SHA1: 1e696d13ade727030d8f0c921e4a603402ccce49
  SHA256: d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f
  SHA512: bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs
  Filesize: 13KB
  MD5: b35e3e27a51c38b3c80edb236338dc8a
  SHA1: 1e696d13ade727030d8f0c921e4a603402ccce49
  SHA256: d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f
  SHA512: bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677
- C:\Users\Admin\AppData\Roaming\qrqblJSZkU.js
  Filesize: 37KB
  MD5: 806dc77d323a5ca00b11c27b757861f1
  SHA1: cf39f5d773ed14dfcaa6e09e1f759917ff8eccb2
  SHA256: 0f7e286a25499a4bce0347ea338f6521212392bba9c539c5ca3608ac032914c0
  SHA512: 1dbc545c230917e5d70c990ec0dc007ddb8867ee1da9d0a719e22f5c5a50c763cb3cf567518e7cee5e3e34aaa86a31dfb2b928f492e2a7a36e35b374e540e927
- memory/700-61-0x0000000000000000-mapping.dmp
- memory/1748-55-0x0000000000000000-mapping.dmp
- memory/1768-57-0x0000000000000000-mapping.dmp
- memory/1964-54-0x000007FEFBF51000-0x000007FEFBF53000-memory.dmp
  Filesize: 8KB