Analysis
- max time kernel: 155s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-06-2022 07:37
Static task: static1
Behavioral task: behavioral1
- Sample: Electronic receipt #AMZ-HWRM-1605160622.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Electronic receipt #AMZ-HWRM-1605160622.js
- Resource: win10v2004-20220414-en
General
- Target: Electronic receipt #AMZ-HWRM-1605160622.js
- Size: 127KB
- MD5: 9279ce6d838dae04a670dd9414db00eb
- SHA1: 960f79f13370c8bbaafed34d188cec956abb9cf5
- SHA256: 6e5e0e9f651300eb398ab45b10aa881ce9218088fb6a48c0e381be206c44b7b4
- SHA512: 55cf16a3024f5c60d4374fa05f22e7f00f93c011e7a1dda180a2805768cfcb6bd12f52d303e7616e46de3e0bd14a238b83940b1393ed91b44787da0e4b3e8485
Malware Config
Signatures
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
-
Blocklisted process makes network request (40 IoCs)
Processes: wscript.exe, wscript.exe
Network flows (flow id) by process:
- PID 2560 wscript.exe: flows 6, 9, 11, 12, 16, 24, 27, 28, 44, 46, 48, 50, 57, 61, 67, 73, 87, 88, 91, 92, 100, 108, 129, 154
- PID 3660 wscript.exe: flows 7, 10, 13, 25, 29, 37, 40, 45, 49, 56, 63, 84, 90, 93, 104, 144
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe, wscript.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrqblJSZkU.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qrqblJSZkU.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs (wscript.exe)
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: wscript.exe, wscript.exe, wscript.exe
- Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\"" (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\qrqblJSZkU.js\"" (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\"" (wscript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "wscript.exe //B \"C:\\ProgramData\\1.vbs\"" (wscript.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe, wscript.exe
- PID 2300 wrote to memory of 3660 (wscript.exe -> wscript.exe)
- PID 2300 wrote to memory of 3660 (wscript.exe -> wscript.exe)
- PID 2300 wrote to memory of 912 (wscript.exe -> wscript.exe)
- PID 2300 wrote to memory of 912 (wscript.exe -> wscript.exe)
- PID 912 wrote to memory of 2560 (wscript.exe -> wscript.exe)
- PID 912 wrote to memory of 2560 (wscript.exe -> wscript.exe)
Processes (process tree, nested by parent)
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Electronic receipt #AMZ-HWRM-1605160622.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qrqblJSZkU.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\1.vbs"
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\ProgramData\1.vbs"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\1.vbs
  Filesize: 13KB
  MD5: b35e3e27a51c38b3c80edb236338dc8a
  SHA1: 1e696d13ade727030d8f0c921e4a603402ccce49
  SHA256: d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f
  SHA512: bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677
- C:\Users\Admin\AppData\Roaming\1.vbs
  Filesize: 13KB
  MD5: b35e3e27a51c38b3c80edb236338dc8a
  SHA1: 1e696d13ade727030d8f0c921e4a603402ccce49
  SHA256: d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f
  SHA512: bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs
  Filesize: 13KB
  MD5: b35e3e27a51c38b3c80edb236338dc8a
  SHA1: 1e696d13ade727030d8f0c921e4a603402ccce49
  SHA256: d572c9837b6e5125ab6beef8b833bc2ce2ba2d150f5d876c5510b406b0faa32f
  SHA512: bfd8a293f01fe7b9b5b154d3639808da3d9484324f61a06a2fb5c0c5d61d14574c3f2881008c43456305ed446a01da2c75d6cf604ebcb66266df750396a13677
- C:\Users\Admin\AppData\Roaming\qrqblJSZkU.js
  Filesize: 37KB
  MD5: 806dc77d323a5ca00b11c27b757861f1
  SHA1: cf39f5d773ed14dfcaa6e09e1f759917ff8eccb2
  SHA256: 0f7e286a25499a4bce0347ea338f6521212392bba9c539c5ca3608ac032914c0
  SHA512: 1dbc545c230917e5d70c990ec0dc007ddb8867ee1da9d0a719e22f5c5a50c763cb3cf567518e7cee5e3e34aaa86a31dfb2b928f492e2a7a36e35b374e540e927
- memory/912-131-0x0000000000000000-mapping.dmp
- memory/2560-134-0x0000000000000000-mapping.dmp
- memory/3660-130-0x0000000000000000-mapping.dmp