Analysis
max time kernel: 9s
max time network: 7s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 20/01/2022, 08:09
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ _JTCEngineering_110355500342450_PDF.js
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: RFQ _JTCEngineering_110355500342450_PDF.js
  Resource: win10v2004-en-20220113
General
Target: RFQ _JTCEngineering_110355500342450_PDF.js
Size: 182KB
MD5: ce78d7595ff47d40be541be7ea67abca
SHA1: 9df02d4e402d211326c047dafebc3a7932fb9356
SHA256: 05e8a158081eeaf61480bc366266b9da128ced63ab253eba0f1a4c1278b9676f
SHA512: 430853fa668966004b8e2aface3446731a5857a787f9cc6e3a31eee41129113c7fe1f994d16fe4d38085949abde58a598951aa17fe2c7090ff18c4a055bc8254
Malware Config

Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (2 IoCs)
  description                        pid   Process      procid_target
  PID 1312 wrote to memory of 1980   1312  wscript.exe  52
  PID 1312 wrote to memory of 1980   1312  wscript.exe  52
Processes
1. C:\Windows\system32\wscript.exe
   Command: wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ _JTCEngineering_110355500342450_PDF.js"
   PID: 1312
   Signatures:
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (child of 1)
      Command: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\tvimyqcm.txt"
      PID: 1980