Analysis
max time kernel: 145s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07-07-2022 07:16
Static task: static1
Behavioral task: behavioral1
Sample: WesternUnionCompliancepdf.js
Resource: win7-20220414-en
General
Target: WesternUnionCompliancepdf.js
Size: 28KB
MD5: f5adb4428e2fe6b9b397ae0e7a95ece6
SHA1: ffcee6adb3e4652372c70b9ccf4075776fedd44e
SHA256: 9cd0bbc73202c8351256436145e2c87fe42882059f33d68eb2212eac587197e7
SHA512: 611ba2911aec81de95f6d365f4614471145367061eef40f695e659676613cce56de9a0fa61b42179e8e089723e2bf02e0a136ada05d26b3f8b0bad857d4e8452
Malware Config
Extracted: vjw0rm
http://biznetworks.ddns.net:2345
Signatures
Blocklisted process makes network request (16 IoCs)
Processes: wscript.exe
flow  pid   process
5     3836  wscript.exe
23    3836  wscript.exe
24    3836  wscript.exe
35    3836  wscript.exe
36    3836  wscript.exe
40    3836  wscript.exe
44    3836  wscript.exe
45    3836  wscript.exe
46    3836  wscript.exe
47    3836  wscript.exe
49    3836  wscript.exe
50    3836  wscript.exe
51    3836  wscript.exe
52    3836  wscript.exe
53    3836  wscript.exe
54    3836  wscript.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
process: wscript.exe
Drops startup file (2 IoCs)
Processes: wscript.exe
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WesternUnionCompliancepdf.js
process: wscript.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WesternUnionCompliancepdf.js
process: wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: wscript.exe
description: PID 3836 wrote to memory of 716
pid: 3836
process: wscript.exe
target process: wscript.exe
description: PID 3836 wrote to memory of 716
pid: 3836
process: wscript.exe
target process: wscript.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\WesternUnionCompliancepdf.js
   - Blocklisted process makes network request
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (child of process 1)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HnCBlANEKZ.js"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\HnCBlANEKZ.js
Filesize: 8KB
MD5: 396776d9c2fce3d6cd89a4b25253685c
SHA1: 0037ed7e8c7ce8020c81fc2240f35894cd6040aa
SHA256: 832bc0cd978dd790936ffcf9845e3cbf3a74fa47ea41dbf6900a7195d38c560e
SHA512: 56af0a104104e1a7df4bb58974fd2a527d3559a4f5351607df92e6c0633d6e277a265cc390c7f68ab1b6706237235ae3f70aaaddd366430d28fd802878b455c2
memory/716-130-0x0000000000000000-mapping.dmp