Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
07-07-2022 07:17
Static task
static1
Behavioral task
behavioral1
Sample
WesternUnionCompliancepdf.js
Resource
win7-20220414-en
General
-
Target
WesternUnionCompliancepdf.js
-
Size
28KB
-
MD5
f5adb4428e2fe6b9b397ae0e7a95ece6
-
SHA1
ffcee6adb3e4652372c70b9ccf4075776fedd44e
-
SHA256
9cd0bbc73202c8351256436145e2c87fe42882059f33d68eb2212eac587197e7
-
SHA512
611ba2911aec81de95f6d365f4614471145367061eef40f695e659676613cce56de9a0fa61b42179e8e089723e2bf02e0a136ada05d26b3f8b0bad857d4e8452
Malware Config
Signatures
-
Blocklisted process makes network request 15 IoCs
Processes:
wscript.exeflow pid process 4 884 wscript.exe 5 884 wscript.exe 6 884 wscript.exe 8 884 wscript.exe 10 884 wscript.exe 11 884 wscript.exe 13 884 wscript.exe 14 884 wscript.exe 15 884 wscript.exe 17 884 wscript.exe 18 884 wscript.exe 19 884 wscript.exe 21 884 wscript.exe 22 884 wscript.exe 23 884 wscript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WesternUnionCompliancepdf.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WesternUnionCompliancepdf.js wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
wscript.exedescription pid process target process PID 884 wrote to memory of 972 884 wscript.exe wscript.exe PID 884 wrote to memory of 972 884 wscript.exe wscript.exe PID 884 wrote to memory of 972 884 wscript.exe wscript.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\WesternUnionCompliancepdf.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HnCBlANEKZ.js"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\HnCBlANEKZ.jsFilesize
8KB
MD5396776d9c2fce3d6cd89a4b25253685c
SHA10037ed7e8c7ce8020c81fc2240f35894cd6040aa
SHA256832bc0cd978dd790936ffcf9845e3cbf3a74fa47ea41dbf6900a7195d38c560e
SHA51256af0a104104e1a7df4bb58974fd2a527d3559a4f5351607df92e6c0633d6e277a265cc390c7f68ab1b6706237235ae3f70aaaddd366430d28fd802878b455c2
-
memory/884-54-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmpFilesize
8KB
-
memory/972-55-0x0000000000000000-mapping.dmp