Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-07-2022 12:44

Static task: static1
Behavioral task: behavioral1
Sample: Western_Union_Compliance_pdf.js
Resource: win7-20220414-en
General
- Target: Western_Union_Compliance_pdf.js
- Size: 28KB
- MD5: f5adb4428e2fe6b9b397ae0e7a95ece6
- SHA1: ffcee6adb3e4652372c70b9ccf4075776fedd44e
- SHA256: 9cd0bbc73202c8351256436145e2c87fe42882059f33d68eb2212eac587197e7
- SHA512: 611ba2911aec81de95f6d365f4614471145367061eef40f695e659676613cce56de9a0fa61b42179e8e089723e2bf02e0a136ada05d26b3f8b0bad857d4e8452
Malware Config
Signatures
- Blocklisted process makes network request (11 IoCs)
  Processes: wscript.exe
    flow  pid  process
    4     384  wscript.exe
    5     384  wscript.exe
    6     384  wscript.exe
    8     384  wscript.exe
    10    384  wscript.exe
    11    384  wscript.exe
    13    384  wscript.exe
    14    384  wscript.exe
    15    384  wscript.exe
    17    384  wscript.exe
    18    384  wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
    description                   ioc                                                                                                   process
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Western_Union_Compliance_pdf.js  wscript.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Western_Union_Compliance_pdf.js  wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: wscript.exe
    description                         pid  process      target process
    PID 384 wrote to memory of 2044     384  wscript.exe  wscript.exe
    PID 384 wrote to memory of 2044     384  wscript.exe  wscript.exe
    PID 384 wrote to memory of 2044     384  wscript.exe  wscript.exe
Processes
- 1. C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Western_Union_Compliance_pdf.js
  - Blocklisted process makes network request
  - Drops startup file
  - Suspicious use of WriteProcessMemory
- 2. C:\Windows\System32\wscript.exe
  Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HnCBlANEKZ.js"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\HnCBlANEKZ.js
  Filesize: 8KB
  MD5: 396776d9c2fce3d6cd89a4b25253685c
  SHA1: 0037ed7e8c7ce8020c81fc2240f35894cd6040aa
  SHA256: 832bc0cd978dd790936ffcf9845e3cbf3a74fa47ea41dbf6900a7195d38c560e
  SHA512: 56af0a104104e1a7df4bb58974fd2a527d3559a4f5351607df92e6c0633d6e277a265cc390c7f68ab1b6706237235ae3f70aaaddd366430d28fd802878b455c2
- memory/384-54-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp
  Filesize: 8KB
- memory/2044-55-0x0000000000000000-mapping.dmp