Analysis
max time kernel: 145s
max time network: 149s
platform: windows7_x64
resource: win7-20220414-en
submitted: 24-06-2022 17:14
Static task: static1
Behavioral task: behavioral1
  Sample: mNMlIoDJiKpayload.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: mNMlIoDJiKpayload.js
  Resource: win10v2004-20220414-en
General
Target: mNMlIoDJiKpayload.js
Size: 51KB
MD5: 5a08aec194a8ab523638fb7f9ddbf925
SHA1: 70fcdecfe4750362ee2a711125c4aac7998ee2bc
SHA256: 13736a6b2be3eb037191ab8e9e6104dfa6faf6b85f56214e9587efe239527a62
SHA512: 7d4f62baaadfcf041e087d356b17b558b5ec6c7c4565d1f720dbd580e69e670d6c7781619c1c7705759d7b5d2f52aab0225ce16485f452b1c6647a5db33c8c80
Malware Config
Signatures
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request (28 IoCs)
  flow -> pid, process
  PID 1108 (wscript.exe, running sPFVpavffF.js): flows 6, 13, 22, 31, 39
  PID 1304 (wscript.exe, running payload.vbs): flows 7, 8, 9, 10, 12, 15, 17, 18, 19, 21, 24, 25, 26, 27, 30, 33, 34, 35, 37, 38, 41, 42, 43
  All 28 flows come from the two dropped scripts; the initial dropper (PID 1808) makes no request of its own. The Suricata check-in alerts above are raised on network traffic from the run, and these two processes are the only ones that generate any.
- Drops startup file (4 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.vbs (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.vbs (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sPFVpavffF.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sPFVpavffF.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payload = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payload.vbs\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\sPFVpavffF.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\payload = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payload.vbs\"" (wscript.exe)
  The values are shown with escaped quotes and backslashes as the report renders them; the stored string for "payload" is wscript.exe //B "C:\Users\Admin\AppData\Roaming\payload.vbs". //B is Windows Script Host batch mode, which suppresses script error dialogs and prompts so the script runs unattended. The YVBPFHTJIQ value names only the .js file and relies on the default .js file handler, which is wscript.exe. Writing HKLM\...\Run requires elevated rights; on a standard-user host only the HKCU values and the Startup-folder copies would persist.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for the Dunihi/Houdini/H-Worm family named by the Suricata alerts above, drive enumeration is the worm's removable-drive spreading rather than encryption, and no file encryption or ransom note appears anywhere else in this report.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1808 (wscript.exe) wrote to memory of PID 1108 (wscript.exe), 3 times
  PID 1808 (wscript.exe) wrote to memory of PID 1304 (wscript.exe), 3 times
  The writes go only from the initial script host into the two children it creates (see the process tree below), which is what process creation itself looks like to this signature; there is no write into an unrelated process here.
Processes
- C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\mNMlIoDJiKpayload.js
  PID: 1808
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\System32\wscript.exe
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sPFVpavffF.js"
    PID: 1108
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - child: C:\Windows\System32\wscript.exe
    command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\payload.vbs"
    PID: 1304
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
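The persistence and execution artifacts in this report (Run-key values that autostart .vbs/.js files from AppData, scripts copied into the Startup folder, and wscript.exe spawning wscript.exe with //B) are a pattern a detection engineer would match on directly. The Python below is an added example, not code from the Triage report or from the sample: it encodes those checks and runs them over an event list built from the IoC lines above. The event-dictionary layout, the parent image of PID 1808 (which the report does not show) and the two benign entries are assumptions.

```python
"""Detection logic for the WSH persistence pattern in this report: Run-key values and
Startup-folder drops that autostart .vbs/.js files from user-writable paths, and
wscript.exe re-launching a dropped script.  Added example, not code from the Triage
report or the sample; event layout, parent of PID 1808 and benign entries are assumed."""
from __future__ import annotations
import re
from dataclasses import dataclass

SCRIPT_EXTS = r"(?:js|jse|vbs|vbe|wsf|wsh)"
RUN_VALUE_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
STARTUP_SCRIPT_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\." + SCRIPT_EXTS + "$", re.I)
# A script argument, quoted ("C:\dir with spaces\x.vbs") or bare (C:\dir\x.js).
SCRIPT_ARG_RE = re.compile(r'"([^"]+\.' + SCRIPT_EXTS + r')"|(\S+\.' + SCRIPT_EXTS + r')(?=\s|$)', re.I)
USER_WRITABLE_RE = re.compile(
    r"\\(?:appdata|programdata|temp|tmp|users\\[^\\]+\\(?:downloads|desktop|documents))\\", re.I)
SILENT_RE = re.compile(r"(?:^|\s)//b(?=\s|$)", re.I)  # WSH batch mode: no error dialogs or prompts
WSH_HOST_RE = re.compile(r"\b[wc]script(?:\.exe)?\b", re.I)
WSH_IMAGES = ("wscript.exe", "cscript.exe")

@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str  # registry value path, file path, or PID the finding is about
    detail: str

def script_target(cmdline: str) -> str | None:
    """Return the script file a command line (or Run value) executes, or None."""
    m = SCRIPT_ARG_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def check_run_value(value_path: str, data: str) -> list[Finding]:
    """Run-key 'Set value': a script target alone flags (the default .js/.vbs handler is wscript.exe)."""
    if not RUN_VALUE_RE.search(value_path):
        return []
    out: list[Finding] = []
    target = script_target(data)
    if target:
        out.append(Finding("run_key_script", value_path, target))
        if USER_WRITABLE_RE.search(target):
            out.append(Finding("run_key_user_writable", value_path, target))
    if WSH_HOST_RE.search(data) and SILENT_RE.search(data):
        out.append(Finding("run_key_silent_host", value_path, data))
    return out

def check_file_create(path: str) -> list[Finding]:
    """File creation: a script in a Startup folder runs at every logon."""
    if STARTUP_SCRIPT_RE.search(path):
        return [Finding("startup_folder_script", path, "script dropped in Startup folder")]
    return []

def check_process(pid: int, image: str, cmdline: str, parent_image: str) -> list[Finding]:
    """Script host running a script from a user-writable path; stronger when its parent is a script host too."""
    if not image.lower().endswith(WSH_IMAGES):
        return []
    out: list[Finding] = []
    target = script_target(cmdline)
    if target and USER_WRITABLE_RE.search(target):
        spawned = parent_image.lower().endswith(WSH_IMAGES)
        out.append(Finding("wsh_spawns_wsh_user_script" if spawned else "wsh_runs_user_script", str(pid), target))
    if SILENT_RE.search(cmdline):
        out.append(Finding("wsh_silent_flag", str(pid), cmdline))
    return out

def run_detections(events: list[dict]) -> list[Finding]:
    """Dispatch event dicts (constructed layout: type, path/data or pid/image/cmdline/parent_image)."""
    out: list[Finding] = []
    for ev in events:
        if ev["type"] == "reg_set":
            out += check_run_value(ev["path"], ev["data"])
        elif ev["type"] == "file_create":
            out += check_file_create(ev["path"])
        elif ev["type"] == "process":
            out += check_process(ev["pid"], ev["image"], ev["cmdline"], ev["parent_image"])
    return out

HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = "\\REGISTRY\\USER\\S-1-5-21-1819626980-2277161760-1023733287-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
WSH = r"C:\Windows\System32\wscript.exe"
PAYLOAD_CMD = r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\payload.vbs"'
SAMPLE_EVENTS = [
    # Transcribed from the report's IoC lines and process tree.
    {"type": "reg_set", "path": HKLM_RUN + r"\payload", "data": PAYLOAD_CMD},
    {"type": "reg_set", "path": HKCU_RUN + r"\YVBPFHTJIQ", "data": r'"C:\Users\Admin\AppData\Roaming\sPFVpavffF.js"'},
    {"type": "reg_set", "path": HKCU_RUN + r"\payload", "data": PAYLOAD_CMD},
    {"type": "file_create", "path": STARTUP + r"\payload.vbs"},
    {"type": "file_create", "path": STARTUP + r"\sPFVpavffF.js"},
    {"type": "process", "pid": 1808, "image": WSH, "parent_image": r"C:\Windows\explorer.exe",  # parent assumed
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\mNMlIoDJiKpayload.js"},
    {"type": "process", "pid": 1108, "image": WSH, "parent_image": WSH,
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\sPFVpavffF.js"'},
    {"type": "process", "pid": 1304, "image": WSH, "parent_image": WSH,
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\payload.vbs"'},
    # Constructed benign entries that must not fire.
    {"type": "reg_set", "path": HKCU_RUN + r"\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file_create", "path": STARTUP + r"\desktop.ini"},
]

if __name__ == "__main__":
    print(*run_detections(SAMPLE_EVENTS), sep="\n")
```

Run as a script it prints one line per finding: on the sample events it flags all three Run values, both Startup-folder scripts and all three wscript.exe processes, and nothing for the OneDrive value or desktop.ini. The rules are deliberately narrow (script extensions, user-writable paths, the //B flag, script-host lineage) so they carry over to a Sysmon or EDR feed once its fields are mapped into the same three event types.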
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\payload.vbs
  Filesize: 13KB
  MD5: 3c5846a19b95e2441a049c7c2e8eeb14
  SHA1: 9d30716b1eef3995228ac87cf800d2acdec9e0fc
  SHA256: e72818e8c8076b6d0d4c10604f4c0681148c7e17ca0099fe5bf17c0dd27b7cd1
  SHA512: 32e8f1e0e45f5cfc733de865fdbc3b69d2e21183a67d06e270dbbeb2d701db10d62b4048f9ece0bbff95d96a517030f5a51d1883a32d189a6d9554f001f40476
- C:\Users\Admin\AppData\Roaming\sPFVpavffF.js
  Filesize: 10KB
  MD5: 053698bda987f7439e41e50b3d9481b2
  SHA1: 7e6a0db2788faf1216282d791b6287a1a39a840e
  SHA256: 5c389e732a8cf9f3db60512bc0889ef95a714a713e38bc2243e36626ab206bf4
  SHA512: 829e33a6d4c4d90511f4ffeca4890217b388f72f491fd15d9d11edcef1352592614377b7bb53d05ba3493adc29a4f403bc9335b583096e7721f9323c587dff83
- memory/1108-55-0x0000000000000000-mapping.dmp
- memory/1304-56-0x0000000000000000-mapping.dmp
- memory/1808-54-0x000007FEFB671000-0x000007FEFB673000-memory.dmp
  Filesize: 8KB