Analysis
max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-20220414-en
submitted: 28-06-2022 10:09
Static task: static1
Behavioral task: behavioral1
  Sample: PO-Order 4500324718.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO-Order 4500324718.js
  Resource: win10v2004-20220414-en
General
Target: PO-Order 4500324718.js
Size: 45KB
MD5: f8386388be14928dcf22d1e1752be75c
SHA1: 0d9f55e0580d39acd03651379366d172517638b4
SHA256: ddb9205dd6921da69e80e86a70c935be328dfd6c9559e6bf1a7d7dda92267ceb
SHA512: 3a61511f6b2c259aeb6d97d6cb9ff2a9d316bb1029ee647c3b45c53ed03188c12d6d9f2710e37e87035943c7fc6804df37af614cf0315dac5cdcc4e4d4ae442b
Malware Config
Signatures
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Blocklisted process makes network request (15 IoCs)
  flow  pid   process
  5     1992  wscript.exe
  8     1976  wscript.exe
  9     1976  wscript.exe
  12    1976  wscript.exe
  15    1976  wscript.exe
  18    1976  wscript.exe
  21    1976  wscript.exe
  23    1976  wscript.exe
  25    1976  wscript.exe
  27    1976  wscript.exe
  31    1976  wscript.exe
  33    1976  wscript.exe
  35    1976  wscript.exe
  37    1976  wscript.exe
  39    1976  wscript.exe
- Drops startup file (2 IoCs)
  description                   ioc                                                                                         process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hQmuBCMosF.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hQmuBCMosF.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                     process
  Key created      \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                              wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\hQmuBCMosF.js\""  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   process      target process
  PID 1992 wrote to memory of 1976  1992  wscript.exe  wscript.exe
  PID 1992 wrote to memory of 1976  1992  wscript.exe  wscript.exe
  PID 1992 wrote to memory of 1976  1992  wscript.exe  wscript.exe
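The signatures above describe a two-stage WSH chain: the submitted script drops a second .js into %APPDATA%, launches it, and that stage persists twice (a Run value pointing at the dropped file, and a copy in the per-user Startup folder) while making the flagged network requests. The following PowerShell is an added example, not part of the sandbox report or the sample, that hunts for that pattern on a host. Function names and the regular expressions are this example's own assumptions; the two SHA256 values are the ones the report lists for the submitted file and the dropped file.

```powershell
# Added example (not from the sandbox report): hunt for WSH-script persistence
# of the kind recorded above: a Run value that launches a script from the
# user's profile, plus a script dropped into the Startup folder.
# Function names and regex patterns are this example's assumptions.

$ScriptExtPattern = '\.(js|jse|vbs|vbe|wsf|wsh)("|\s|$)'   # WSH script extensions
$KnownBadSha256 = @(
    'ddb9205dd6921da69e80e86a70c935be328dfd6c9559e6bf1a7d7dda92267ceb',  # PO-Order 4500324718.js (report)
    '74470b878e6b534df7c3615f7369d15ed7019b99a9dd5d63b0a2e184ac452175'   # hQmuBCMosF.js, dropped stage (report)
)

function Get-PathFromCommand {
    # Pull the first drive-letter path to a WSH script out of a Run value.
    param([string]$Command)
    if ($Command -match '"?([A-Za-z]:\\[^"]+?\.(js|jse|vbs|vbe|wsf|wsh))"?') { return $Matches[1] }
    return $null
}

function Find-WshRunKeys {
    # Run values (HKCU and HKLM) that invoke a WSH script directly, or via wscript/cscript.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
            $val = [string]$p.Value
            if ($val -match $ScriptExtPattern -or $val -match '(?i)\b[wc]script(\.exe)?\b') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $val; Path = Get-PathFromCommand $val }
            }
        }
    }
}

function Find-StartupScripts {
    # WSH scripts in the per-user and all-users Startup folders.
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    Get-ChildItem -Path $folders -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match '^\.(js|jse|vbs|vbe|wsf|wsh)$' } |
        Select-Object FullName, Length, LastWriteTime
}

function Test-KnownBad {
    # Hash a file and compare against the report's SHA256 values.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $h = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{ Path = $Path; SHA256 = $h; KnownBad = ($KnownBadSha256 -contains $h) }
}

function Get-WshProcesses {
    # Live wscript/cscript instances; the chain above is wscript spawning wscript //B.
    Get-CimInstance Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

# Run the checks and print anything that looks like the observed chain.
$runHits     = @(Find-WshRunKeys)
$startupHits = @(Find-StartupScripts)
Write-Host "Run values launching WSH scripts: $($runHits.Count)"
$runHits | Format-Table -AutoSize
Write-Host "WSH scripts in Startup folders: $($startupHits.Count)"
$startupHits | Format-Table -AutoSize
foreach ($f in @($runHits.Path) + @($startupHits.FullName) | Where-Object { $_ }) {
    Test-KnownBad $f | Format-Table -AutoSize
}
Write-Host "Running WSH hosts:"
Get-WshProcesses | Format-Table -AutoSize
```

Two points worth noting when adapting this. The Run value in the report is a bare quoted path to the .js file, with no wscript.exe in front of it, so the shell's default handler for .js runs it; a hunt that only matches "wscript" in Run values would miss this sample, which is why the extension pattern is checked as well. Reading HKLM needs an elevated shell, and Get-CimInstance needs PowerShell 3 or later; on a stock Windows 7 host like the report's win7 image, substitute Get-WmiObject Win32_Process with the same filter.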
Processes
1. C:\Windows\system32\wscript.exe (PID 1992)
   wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO-Order 4500324718.js"
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (PID 1976, child of 1)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\hQmuBCMosF.js"
      (//B is WSH batch mode: script errors and prompts are suppressed, so the dropped stage runs without any visible dialog.)
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\hQmuBCMosF.js
  Filesize: 17KB
  MD5: c2518c838be74ed1d74e96eb8107a047
  SHA1: 9bc3eed3a61e9c894c365430a652318b4c00cdf0
  SHA256: 74470b878e6b534df7c3615f7369d15ed7019b99a9dd5d63b0a2e184ac452175
  SHA512: cb5877dc4a1e37c15b95bfe388f8b4cda3790428c8c1fcd009588cf6e4e5f6130bde80e8603c9f66af37e6283002c2a0b805cf20efb873647ce2600e321f2fb8
memory/1976-55-0x0000000000000000-mapping.dmp
memory/1992-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp
  Filesize: 8KB