Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 28-06-2022 10:09
Static task: static1
Behavioral task: behavioral1
  Sample: PO-Order 4500324718.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO-Order 4500324718.js
  Resource: win10v2004-20220414-en
General
- Target: PO-Order 4500324718.js
- Size: 45KB
- MD5: f8386388be14928dcf22d1e1752be75c
- SHA1: 0d9f55e0580d39acd03651379366d172517638b4
- SHA256: ddb9205dd6921da69e80e86a70c935be328dfd6c9559e6bf1a7d7dda92267ceb
- SHA512: 3a61511f6b2c259aeb6d97d6cb9ff2a9d316bb1029ee647c3b45c53ed03188c12d6d9f2710e37e87035943c7fc6804df37af614cf0315dac5cdcc4e4d4ae442b
Malware Config
Signatures
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Blocklisted process makes network request (17 IoCs)
  Processes:
  flow | pid  | process
  8    | 4120 | wscript.exe
  10   | 3940 | wscript.exe
  17   | 3940 | wscript.exe
  23   | 3940 | wscript.exe
  28   | 3940 | wscript.exe
  32   | 3940 | wscript.exe
  36   | 3940 | wscript.exe
  37   | 3940 | wscript.exe
  40   | 3940 | wscript.exe
  44   | 3940 | wscript.exe
  45   | 3940 | wscript.exe
  48   | 3940 | wscript.exe
  49   | 3940 | wscript.exe
  50   | 3940 | wscript.exe
  51   | 3940 | wscript.exe
  52   | 3940 | wscript.exe
  53   | 3940 | wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hQmuBCMosF.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hQmuBCMosF.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\hQmuBCMosF.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 4120 wrote to memory of 3940 | 4120 | wscript.exe | wscript.exe
  PID 4120 wrote to memory of 3940 | 4120 | wscript.exe | wscript.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO-Order 4500324718.js"
   - Blocklisted process makes network request
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\wscript.exe
   Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\hQmuBCMosF.js"
   - Blocklisted process makes network request
   - Drops startup file
   - Adds Run key to start application
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\hQmuBCMosF.js
  Filesize: 17KB
  MD5: c2518c838be74ed1d74e96eb8107a047
  SHA1: 9bc3eed3a61e9c894c365430a652318b4c00cdf0
  SHA256: 74470b878e6b534df7c3615f7369d15ed7019b99a9dd5d63b0a2e184ac452175
  SHA512: cb5877dc4a1e37c15b95bfe388f8b4cda3790428c8c1fcd009588cf6e4e5f6130bde80e8603c9f66af37e6283002c2a0b805cf20efb873647ce2600e321f2fb8
- memory/3940-131-0x0000000000000000-mapping.dmp