Analysis
max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-06-2022 09:21
Static task
static1
Behavioral task
behavioral1
Sample
52220106202022.js
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
52220106202022.js
Resource
win10v2004-20220414-en
General
Target
52220106202022.js
Size
107KB
MD5
05d29ef471cbead69dd8c6f56a900004
SHA1
fa017cb4a1ad381d6b0569f7ec50791822350ba4
SHA256
ca905686651e423399d864687173d5472e4ecdbc76ea201b46d23012c799b617
SHA512
81f86970b830533d080e1627ffbb2bb4148a71b0bc9692553928f5f6671c4c8b2bc2d7648adb3b6d61bab2fc8437ab9ecff344d382af2701645b5b9e17eefd08
Malware Config
Signatures
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
Blocklisted process makes network request (41 IoCs)
Processes: wscript.exe, wscript.exe
flow | pid | process
6 | 1956 | wscript.exe
7 | 2772 | wscript.exe
14 | 2772 | wscript.exe
15 | 2772 | wscript.exe
17 | 2772 | wscript.exe
21 | 2772 | wscript.exe
25 | 1956 | wscript.exe
28 | 2772 | wscript.exe
35 | 2772 | wscript.exe
36 | 1956 | wscript.exe
37 | 2772 | wscript.exe
40 | 2772 | wscript.exe
43 | 1956 | wscript.exe
44 | 2772 | wscript.exe
45 | 2772 | wscript.exe
46 | 1956 | wscript.exe
49 | 2772 | wscript.exe
50 | 2772 | wscript.exe
51 | 1956 | wscript.exe
52 | 2772 | wscript.exe
53 | 2772 | wscript.exe
54 | 1956 | wscript.exe
55 | 2772 | wscript.exe
58 | 2772 | wscript.exe
59 | 1956 | wscript.exe
60 | 2772 | wscript.exe
61 | 2772 | wscript.exe
62 | 1956 | wscript.exe
63 | 2772 | wscript.exe
64 | 2772 | wscript.exe
65 | 1956 | wscript.exe
66 | 2772 | wscript.exe
67 | 2772 | wscript.exe
68 | 1956 | wscript.exe
69 | 2772 | wscript.exe
70 | 2772 | wscript.exe
71 | 1956 | wscript.exe
72 | 2772 | wscript.exe
73 | 2772 | wscript.exe
74 | 1956 | wscript.exe
75 | 2772 | wscript.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hmmm.vbs | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hmmm.vbs | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zpgygxtRex.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zpgygxtRex.js | wscript.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: wscript.exe, wscript.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hmmm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hmmm.vbs\"" | wscript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hmmm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hmmm.vbs\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\zpgygxtRex.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\software\microsoft\windows\currentversion\run | wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: wscript.exe
description | pid | process | target process
PID 3504 wrote to memory of 1956 | 3504 | wscript.exe | wscript.exe
PID 3504 wrote to memory of 1956 | 3504 | wscript.exe | wscript.exe
PID 3504 wrote to memory of 2772 | 3504 | wscript.exe | wscript.exe
PID 3504 wrote to memory of 2772 | 3504 | wscript.exe | wscript.exe
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\52220106202022.js
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 3504
  C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zpgygxtRex.js"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID: 1956
  C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hmmm.vbs"
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID: 2772
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\hmmm.vbs
Filesize
13KB
MD5
2eb194e1b54695a5c2aeb82b95807606
SHA1
f148013459520d855a4177d980b3870ef1d6b8f0
SHA256
404dfe7add02b2973a45f43d425005451c7b6ff688e5177dd7c7606a1a7320d6
SHA512
5c17914444aaa0d6c5ed6703ae9cf22f15b35cdc55ee68bac46142a9e21fefebf373957def42b8b66e027579f747a9ca5f9ca95bf69cb919ea104232570c0670
C:\Users\Admin\AppData\Roaming\zpgygxtRex.js
Filesize
30KB
MD5
7c2e7e5a48421b27561a23936f1d9fee
SHA1
739fde5b0ad4d2f651a16e2458bf3e64bfa748b0
SHA256
c409b163881ea5ee746756d65f515f7a5dca8b622e6d1e557ef963acb6849000
SHA512
149fe69bf7b778ca8e450c2b0d3c4b54a34023b908b8705a65d8da9d060b0e4e46346664f45e100969af3c21315f2bcd9f517ee99b94dfe5bf8134c9cf0dc323
memory/1956-130-0x0000000000000000-mapping.dmp
memory/2772-131-0x0000000000000000-mapping.dmp