Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-06-2022 09:21
Static task: static1
Behavioral task: behavioral1
- Sample: 52220106202022.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 52220106202022.js
- Resource: win10v2004-20220414-en
General
- Target: 52220106202022.js
- Size: 107KB
- MD5: 05d29ef471cbead69dd8c6f56a900004
- SHA1: fa017cb4a1ad381d6b0569f7ec50791822350ba4
- SHA256: ca905686651e423399d864687173d5472e4ecdbc76ea201b46d23012c799b617
- SHA512: 81f86970b830533d080e1627ffbb2bb4148a71b0bc9692553928f5f6671c4c8b2bc2d7648adb3b6d61bab2fc8437ab9ecff344d382af2701645b5b9e17eefd08
Malware Config
Signatures
-
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
-
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
-
Blocklisted process makes network request (42 IoCs)
Processes: wscript.exe, wscript.exe
flow  pid   process
7     1616  wscript.exe
8     1360  wscript.exe
9     1360  wscript.exe
10    1616  wscript.exe
11    1360  wscript.exe
13    1360  wscript.exe
14    1616  wscript.exe
15    1360  wscript.exe
18    1360  wscript.exe
19    1616  wscript.exe
21    1360  wscript.exe
23    1360  wscript.exe
24    1616  wscript.exe
25    1360  wscript.exe
27    1360  wscript.exe
28    1616  wscript.exe
30    1360  wscript.exe
32    1360  wscript.exe
33    1616  wscript.exe
34    1360  wscript.exe
36    1360  wscript.exe
37    1616  wscript.exe
38    1360  wscript.exe
40    1616  wscript.exe
41    1360  wscript.exe
44    1360  wscript.exe
45    1616  wscript.exe
46    1360  wscript.exe
48    1360  wscript.exe
49    1616  wscript.exe
50    1360  wscript.exe
51    1360  wscript.exe
53    1616  wscript.exe
54    1360  wscript.exe
57    1360  wscript.exe
58    1616  wscript.exe
59    1360  wscript.exe
60    1360  wscript.exe
62    1616  wscript.exe
63    1360  wscript.exe
65    1360  wscript.exe
66    1616  wscript.exe
-
Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
description                   ioc                                                                                     process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zpgygxtRex.js  wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hmmm.vbs       wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hmmm.vbs       wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zpgygxtRex.js  wscript.exe
-
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: wscript.exe, wscript.exe
description      ioc                                                                                                                                                          process
Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\hmmm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hmmm.vbs\""  wscript.exe
Key created      \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run                                                                                              wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hmmm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hmmm.vbs\""                  wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                   wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\zpgygxtRex.js\""  wscript.exe
Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\software\microsoft\windows\currentversion\run                                                   wscript.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe
description                      pid   process      target process
PID 2016 wrote to memory of 1616  2016  wscript.exe  wscript.exe
PID 2016 wrote to memory of 1616  2016  wscript.exe  wscript.exe
PID 2016 wrote to memory of 1616  2016  wscript.exe  wscript.exe
PID 2016 wrote to memory of 1360  2016  wscript.exe  wscript.exe
PID 2016 wrote to memory of 1360  2016  wscript.exe  wscript.exe
PID 2016 wrote to memory of 1360  2016  wscript.exe  wscript.exe
Processes
-
C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\52220106202022.js
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\wscript.exe (child)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zpgygxtRex.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  -
  C:\Windows\System32\wscript.exe (child)
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hmmm.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\hmmm.vbs
- Filesize: 13KB
- MD5: 2eb194e1b54695a5c2aeb82b95807606
- SHA1: f148013459520d855a4177d980b3870ef1d6b8f0
- SHA256: 404dfe7add02b2973a45f43d425005451c7b6ff688e5177dd7c7606a1a7320d6
- SHA512: 5c17914444aaa0d6c5ed6703ae9cf22f15b35cdc55ee68bac46142a9e21fefebf373957def42b8b66e027579f747a9ca5f9ca95bf69cb919ea104232570c0670
-
C:\Users\Admin\AppData\Roaming\zpgygxtRex.js
- Filesize: 30KB
- MD5: 7c2e7e5a48421b27561a23936f1d9fee
- SHA1: 739fde5b0ad4d2f651a16e2458bf3e64bfa748b0
- SHA256: c409b163881ea5ee746756d65f515f7a5dca8b622e6d1e557ef963acb6849000
- SHA512: 149fe69bf7b778ca8e450c2b0d3c4b54a34023b908b8705a65d8da9d060b0e4e46346664f45e100969af3c21315f2bcd9f517ee99b94dfe5bf8134c9cf0dc323
-
memory/1360-56-0x0000000000000000-mapping.dmp
-
memory/1616-55-0x0000000000000000-mapping.dmp
-
memory/2016-54-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp
- Filesize: 8KB