Analysis
max time kernel: 148s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-06-2022 12:23
Static task: static1
Behavioral task: behavioral1
  Sample: ca905686651e423399d864687173d5472e4ecdbc76ea201b46d23012c799b617.js
  Resource: win10-20220414-en
Behavioral task: behavioral2
  Sample: ca905686651e423399d864687173d5472e4ecdbc76ea201b46d23012c799b617.js
  Resource: win10v2004-20220414-en
General
Target: ca905686651e423399d864687173d5472e4ecdbc76ea201b46d23012c799b617.js
Size: 107KB
MD5: 05d29ef471cbead69dd8c6f56a900004
SHA1: fa017cb4a1ad381d6b0569f7ec50791822350ba4
SHA256: ca905686651e423399d864687173d5472e4ecdbc76ea201b46d23012c799b617
SHA512: 81f86970b830533d080e1627ffbb2bb4148a71b0bc9692553928f5f6671c4c8b2bc2d7648adb3b6d61bab2fc8437ab9ecff344d382af2701645b5b9e17eefd08
Malware Config
Signatures
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
Blocklisted process makes network request (44 IoCs)
Processes: wscript.exe (PID 3940), wscript.exe (PID 4572)
flow -> pid / process:
  PID 4572 wscript.exe: flows 9, 17, 21, 26, 29, 30, 38, 39, 42, 46, 47, 51, 52, 57, 58, 60, 62, 65, 67, 68, 70, 71, 73, 74, 76, 77, 79, 80 (28 flows)
  PID 3940 wscript.exe: flows 10, 18, 28, 34, 40, 45, 48, 53, 59, 61, 66, 69, 72, 75, 78, 81 (16 flows)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely a geofence check.
Process: wscript.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zpgygxtRex.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zpgygxtRex.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hmmm.vbs (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hmmm.vbs (wscript.exe)
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: wscript.exe, wscript.exe
  Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hmmm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hmmm.vbs\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hmmm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hmmm.vbs\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\zpgygxtRex.js\"" (wscript.exe)
Note: the //B switch runs the script host in batch mode, so script errors never raise a dialog the user would notice. Writing the HKLM Run value requires administrator rights; on a host where the script runs as a standard user only the HKCU entries would be created.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; for a sample that the Suricata signatures above attribute to the Dunihi/Houdini/H-Worm/WSHRAT family, drive enumeration is more consistent with a worm looking for removable media to copy itself to, and no file-encryption activity is recorded anywhere in this report.
Suspicious use of WriteProcessMemory (4 IoCs)
Process: wscript.exe (PID 4120)
  PID 4120 wrote to memory of 3940 (wscript.exe -> wscript.exe)
  PID 4120 wrote to memory of 3940 (wscript.exe -> wscript.exe)
  PID 4120 wrote to memory of 4572 (wscript.exe -> wscript.exe)
  PID 4120 wrote to memory of 4572 (wscript.exe -> wscript.exe)
Note: both targets are the child processes that 4120 itself spawned (see the process tree below), which matches ordinary parent-to-child writes during process creation rather than injection into an unrelated process.
Processes
C:\Windows\system32\wscript.exe (PID 4120)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ca905686651e423399d864687173d5472e4ecdbc76ea201b46d23012c799b617.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe (PID 3940, child of 4120)
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zpgygxtRex.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  C:\Windows\System32\wscript.exe (PID 4572, child of 4120)
    command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hmmm.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
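The Run-key values and the process tree above share one pattern: a Windows Script Host binary (or a bare .js/.vbs path, which the shell resolves to wscript.exe through the file association) launching a script from a user-writable directory, with //B to suppress error dialogs. The following Python script is an added example, not part of the sandbox report or the sample: it re-types the three Run-key values and the two child command lines from this report as constructed input, adds two made-up benign control entries (an OneDrive Run value and a script under System32) so the heuristic is shown not firing, and applies the same scoring to both registry values and process command lines. The directory list in USER_WRITABLE and the scoring rules are the author's assumptions, not something the report states.

```python
"""Flag Windows Script Host persistence of the kind recorded above.

Constructed input: the Run-key values and child command lines are re-typed
from this report; the OneDrive and SyncAppvPublishingServer entries are
made-up benign controls. Heuristic and directory list are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Directories a standard user can write to (assumed list). System32 and
# Program Files are deliberately not matched, so a script under System32
# launched by wscript.exe stays clean.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Public|Downloads)\\", re.IGNORECASE)

HKCU_RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_RUN_VALUES = {
    HKCU_RUN + r"\hmmm": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\hmmm.vbs"',
    HKLM_RUN + r"\hmmm": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\hmmm.vbs"',
    HKCU_RUN + r"\YVBPFHTJIQ": r'"C:\Users\Admin\AppData\Roaming\zpgygxtRex.js"',
    # constructed benign control
    HKCU_RUN + r"\OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
}

SAMPLE_PROCESS_CMDLINES = [
    r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\zpgygxtRex.js"',
    r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hmmm.vbs"',
    # constructed benign control: script host, but the script lives in System32
    r'"C:\Windows\System32\wscript.exe" "C:\Windows\System32\SyncAppvPublishingServer.vbs"',
]


@dataclass
class Finding:
    cmdline: str
    script_path: Optional[str] = None
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The decisive signal: the script the host runs lives where malware can write.
        return "script in user-writable path" in self.reasons


def split_cmdline(cmdline: str) -> list[str]:
    """Minimal Windows command-line tokenizer: a quoted token keeps its spaces."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def assess(cmdline: str) -> Finding:
    """Score one Run-key value or one process command line."""
    finding = Finding(cmdline)
    tokens = split_cmdline(cmdline)
    if not tokens:
        return finding
    image = ntpath.basename(tokens[0]).lower()
    if image in SCRIPT_HOSTS:
        finding.reasons.append(f"script host {image}")
        args = tokens[1:]
    elif image.endswith(SCRIPT_EXTS):
        # A bare .js/.vbs value is started through the file association,
        # which on a default install resolves to wscript.exe.
        finding.reasons.append("bare script path (file association -> wscript.exe)")
        args = tokens[:1]
    else:
        return finding  # not a script-host launch; nothing more to say
    if any(a.lower() == "//b" for a in args):
        finding.reasons.append("//B batch mode: error dialogs suppressed")
    # The first argument with a script extension is treated as the payload.
    finding.script_path = next((a for a in args if a.lower().endswith(SCRIPT_EXTS)), None)
    if finding.script_path and USER_WRITABLE.search(finding.script_path):
        finding.reasons.append("script in user-writable path")
    return finding


def scan_run_values(values: dict[str, str]) -> dict[str, Finding]:
    """Apply assess() to a mapping of Run value name -> value data."""
    return {name: assess(cmd) for name, cmd in values.items()}


def scan_cmdlines(cmdlines: list[str]) -> list[Finding]:
    """Apply assess() to process-creation command lines."""
    return [assess(c) for c in cmdlines]


if __name__ == "__main__":
    for name, f in scan_run_values(SAMPLE_RUN_VALUES).items():
        print("SUSPICIOUS" if f.suspicious else "ok        ", name, f.reasons)
    for f in scan_cmdlines(SAMPLE_PROCESS_CMDLINES):
        print("SUSPICIOUS" if f.suspicious else "ok        ", f.cmdline, f.reasons)
```

On the report's own data this flags all three malicious Run values and both child command lines, and leaves the two control entries alone; the //B and bare-path reasons are recorded separately so an analyst can see why a line scored without treating either one as sufficient on its own.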
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 13KB
MD5: 2eb194e1b54695a5c2aeb82b95807606
SHA1: f148013459520d855a4177d980b3870ef1d6b8f0
SHA256: 404dfe7add02b2973a45f43d425005451c7b6ff688e5177dd7c7606a1a7320d6
SHA512: 5c17914444aaa0d6c5ed6703ae9cf22f15b35cdc55ee68bac46142a9e21fefebf373957def42b8b66e027579f747a9ca5f9ca95bf69cb919ea104232570c0670

Filesize: 30KB
MD5: 7c2e7e5a48421b27561a23936f1d9fee
SHA1: 739fde5b0ad4d2f651a16e2458bf3e64bfa748b0
SHA256: c409b163881ea5ee746756d65f515f7a5dca8b622e6d1e557ef963acb6849000
SHA512: 149fe69bf7b778ca8e450c2b0d3c4b54a34023b908b8705a65d8da9d060b0e4e46346664f45e100969af3c21315f2bcd9f517ee99b94dfe5bf8134c9cf0dc323