Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-06-2022 13:36
Static task: static1
Behavioral task: behavioral1
  Sample: IMG-02100.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: IMG-02100.js
  Resource: win10v2004-20220414-en
General
- Target: IMG-02100.js
- Size: 347KB
- MD5: e869daed2a101e37df329f54350baac5
- SHA1: 82cd02f5668b730646b1ead1c23e72ccaedb56f0
- SHA256: 7d87428b37ec7ffe4e99b34737d777ba2df35b51f990488d68ecaa6521de1164
- SHA512: 12f7832246e43d77ceeaded76f82ed06ff81f95ca97bb1fe994f32479dcb365d9a43f799b5ca06fc6e791e31cf7637777b58241c93133bac8d8282e60f3c9c11
Malware Config
Signatures
- Blocklisted process makes network request (38 IoCs)
Processes: wscript.exe (PID 3100), wscript.exe (PID 4420)
flow  pid   process
6     3100  wscript.exe
7     4420  wscript.exe
14    3100  wscript.exe
15    4420  wscript.exe
22    3100  wscript.exe
24    4420  wscript.exe
25    3100  wscript.exe
28    4420  wscript.exe
34    3100  wscript.exe
36    3100  wscript.exe
38    4420  wscript.exe
39    3100  wscript.exe
43    4420  wscript.exe
46    3100  wscript.exe
47    4420  wscript.exe
48    3100  wscript.exe
50    4420  wscript.exe
51    3100  wscript.exe
53    3100  wscript.exe
54    4420  wscript.exe
55    3100  wscript.exe
56    4420  wscript.exe
57    3100  wscript.exe
59    4420  wscript.exe
60    3100  wscript.exe
61    4420  wscript.exe
62    3100  wscript.exe
63    3100  wscript.exe
64    4420  wscript.exe
65    3100  wscript.exe
66    4420  wscript.exe
67    3100  wscript.exe
68    4420  wscript.exe
69    3100  wscript.exe
70    4420  wscript.exe
71    3100  wscript.exe
72    3100  wscript.exe
73    4420  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
description       | ioc                                                                                                             | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (4 IoCs)
Processes: wscript.exe, wscript.exe
description                  | ioc                                                                                        | process
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hworm.vbs      | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hworm.vbs      | wscript.exe
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ordahWuzjJ.js  | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ordahWuzjJ.js  | wscript.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: wscript.exe, wscript.exe
description     | ioc | process
Key created     | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hworm.vbs\"" | wscript.exe
Key created     | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\hworm.vbs\"" | wscript.exe
Key created     | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\ordahWuzjJ.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes: wscript.exe
description                      | pid  | process     | target process
PID 3768 wrote to memory of 4420 | 3768 | wscript.exe | wscript.exe
PID 3768 wrote to memory of 4420 | 3768 | wscript.exe | wscript.exe
PID 3768 wrote to memory of 3100 | 3768 | wscript.exe | wscript.exe
PID 3768 wrote to memory of 3100 | 3768 | wscript.exe | wscript.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\IMG-02100.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ordahWuzjJ.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\hworm.vbs"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\hworm.vbs
  Filesize: 13KB
  MD5: 790a8cad8ec90292bf077c129486ec19
  SHA1: 70f5de19aef552ee45bd31de1bf1e2e05020631f
  SHA256: cd003f5ce0dde74b9793685c549a6883b405fca4d533f27fbb050199a2339a28
  SHA512: ba7ebaaa57729630aaaff34946122a6d9731a7c5264274803d6629fe6b63e5cc0703e4f41218bcbb56207da4eac686bc23ec8c13b19173205db66826594d7ec9
- C:\Users\Admin\AppData\Roaming\ordahWuzjJ.js
  Filesize: 117KB
  MD5: ab7b0b2a8b0400680902921c621c567e
  SHA1: 4a13aece7e5067de9bf964b2da971674c1ffb8b9
  SHA256: ce7413534151201cc50e7fe17224c127c1e87556c98af5a507a3a579286536a9
  SHA512: 4716077db2ea5b520bb6207eb6f5dc6761c5814023a602830cf9164f37eea2ca083a1cae3670b88234049de7ee53e784b1244fdf7d16ddbc86f694a7418bdf80
- memory/3100-131-0x0000000000000000-mapping.dmp
- memory/4420-130-0x0000000000000000-mapping.dmp