Analysis
max time kernel: 1800s
max time network: 1806s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07-07-2022 12:44
Static task: static1
Behavioral task: behavioral1
Sample: Western_Union_Compliance_pdf.js
Resource: win7-20220414-en
General
Target: Western_Union_Compliance_pdf.js
Size: 28KB
MD5: f5adb4428e2fe6b9b397ae0e7a95ece6
SHA1: ffcee6adb3e4652372c70b9ccf4075776fedd44e
SHA256: 9cd0bbc73202c8351256436145e2c87fe42882059f33d68eb2212eac587197e7
SHA512: 611ba2911aec81de95f6d365f4614471145367061eef40f695e659676613cce56de9a0fa61b42179e8e089723e2bf02e0a136ada05d26b3f8b0bad857d4e8452
Malware Config
Signatures
- Blocklisted process makes network request (64 IoCs)
Processes: wscript.exe
flow / pid / process: all 64 network flows originate from wscript.exe (PID 1092). Flow IDs: 5, 8, 25, 34, 38, 58, 61, 69, 71, 75, 76, 80, 81, 84, 88, 89, 93, 94, 104, 105, 106, 108, 109, 124, 129, 130, 136, 137, 146, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 179, 180, 181, 182, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: wscript.exe
description / ioc / process:
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (2 IoCs)
Processes: wscript.exe
description / ioc / process:
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Western_Union_Compliance_pdf.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Western_Union_Compliance_pdf.js | wscript.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
Processes: wscript.exe
description / pid / process / target process:
PID 1092 wrote to memory of 756 | 1092 | wscript.exe | wscript.exe
PID 1092 wrote to memory of 756 | 1092 | wscript.exe | wscript.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Western_Union_Compliance_pdf.js
   - Blocklisted process makes network request
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe (child of process 1)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HnCBlANEKZ.js"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\HnCBlANEKZ.js
  Filesize: 8KB
  MD5: 396776d9c2fce3d6cd89a4b25253685c
  SHA1: 0037ed7e8c7ce8020c81fc2240f35894cd6040aa
  SHA256: 832bc0cd978dd790936ffcf9845e3cbf3a74fa47ea41dbf6900a7195d38c560e
  SHA512: 56af0a104104e1a7df4bb58974fd2a527d3559a4f5351607df92e6c0633d6e277a265cc390c7f68ab1b6706237235ae3f70aaaddd366430d28fd802878b455c2
- memory/756-130-0x0000000000000000-mapping.dmp