Analysis
- max time kernel: 1803s
- max time network: 1807s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-07-2022 12:44
Static task: static1
Behavioral task: behavioral1
Sample: Western_Union_Compliance_pdf.js
Resource: win7-20220414-en
General
- Target: Western_Union_Compliance_pdf.js
- Size: 28KB
- MD5: f5adb4428e2fe6b9b397ae0e7a95ece6
- SHA1: ffcee6adb3e4652372c70b9ccf4075776fedd44e
- SHA256: 9cd0bbc73202c8351256436145e2c87fe42882059f33d68eb2212eac587197e7
- SHA512: 611ba2911aec81de95f6d365f4614471145367061eef40f695e659676613cce56de9a0fa61b42179e8e089723e2bf02e0a136ada05d26b3f8b0bad857d4e8452
Malware Config
Signatures
- Blocklisted process makes network request (64 IoCs)
  Processes: wscript.exe
  flow                                                                     pid   process
  4, 5, 7, 9, 10, 11, 13, 14, 15, 17, 18, 19, 21, 22, 23, 25, 26, 27,      1092  wscript.exe
  29, 30, 31, 33, 34, 35, 37, 38, 39, 41, 42, 43, 45, 46, 47, 49, 50, 51,
  53, 54, 55, 57, 58, 59, 61, 62, 63, 65, 66, 67, 69, 70, 71, 73, 74, 75,
  77, 78, 79, 81, 82, 83, 85, 86, 87, 89
  (every one of the 64 network flows above was made by pid 1092, wscript.exe)
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                   ioc                                                                                                          process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Western_Union_Compliance_pdf.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Western_Union_Compliance_pdf.js  wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
  description                          pid   process      target process
  PID 1092 wrote to memory of 2020     1092  wscript.exe  wscript.exe
  PID 1092 wrote to memory of 2020     1092  wscript.exe  wscript.exe
  PID 1092 wrote to memory of 2020     1092  wscript.exe  wscript.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Western_Union_Compliance_pdf.js
   - Blocklisted process makes network request
   - Drops startup file
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\wscript.exe
   Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HnCBlANEKZ.js"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\HnCBlANEKZ.js
  Filesize: 8KB
  MD5: 396776d9c2fce3d6cd89a4b25253685c
  SHA1: 0037ed7e8c7ce8020c81fc2240f35894cd6040aa
  SHA256: 832bc0cd978dd790936ffcf9845e3cbf3a74fa47ea41dbf6900a7195d38c560e
  SHA512: 56af0a104104e1a7df4bb58974fd2a527d3559a4f5351607df92e6c0633d6e277a265cc390c7f68ab1b6706237235ae3f70aaaddd366430d28fd802878b455c2
- memory/1092-54-0x000007FEFBF51000-0x000007FEFBF53000-memory.dmp
  Filesize: 8KB
- memory/2020-55-0x0000000000000000-mapping.dmp