Analysis

  • max time kernel
    9s
  • max time network
    7s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20/01/2022, 08:09

General

  • Target

    RFQ _JTCEngineering_110355500342450_PDF.js

  • Size

    182KB

  • MD5

    ce78d7595ff47d40be541be7ea67abca

  • SHA1

    9df02d4e402d211326c047dafebc3a7932fb9356

  • SHA256

    05e8a158081eeaf61480bc366266b9da128ced63ab253eba0f1a4c1278b9676f

  • SHA512

    430853fa668966004b8e2aface3446731a5857a787f9cc6e3a31eee41129113c7fe1f994d16fe4d38085949abde58a598951aa17fe2c7090ff18c4a055bc8254

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ _JTCEngineering_110355500342450_PDF.js"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\tvimyqcm.txt"
      PID:1980

Network

MITRE ATT&CK Enterprise v6
