Analysis
-
max time kernel
4294209s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220311-en -
submitted
14-03-2022 05:47
Static task
static1
Behavioral task
behavioral1
Sample
INQUIRY QT190682047.js
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
INQUIRY QT190682047.js
Resource
win10v2004-20220310-en
General
-
Target
INQUIRY QT190682047.js
-
Size
1.4MB
-
MD5
5443f54be37634afdf2a5461d1e0cafd
-
SHA1
e4d40869a09bcc002e4080c2bd85fac23f7e2d1e
-
SHA256
405e04cf871e8638c9b24420ad9cc06f21169ec98db50e82b5642b38ae5002e6
-
SHA512
79905f0caef652e29640d3a3590a94c0ef0e78b6a37a0bcffb34ea066fa3cd0d05c5cca706a681cdac384e2132cabb566be7be8d43282d5ec74acb0e913cbc3e
Malware Config
Extracted
remcos
RemoteHost
billypax-fax.dyn.home-webserver.de:62742
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
poiuyts.exe
-
copy_folder
iuytrdf
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
09786ty.dat
-
keylog_flag
false
-
keylog_folder
679uj
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
0iuygf-QOJK52
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
fstrytu
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
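The configuration above is only useful to a responder once it is turned into concrete things to look for. The script below is an added example, not Tria.ge's or Remcos's own code: it takes the extracted fields (copied into a constructed dict), resolves the %AppData%-relative artifact paths for a named user, and records which artifacts the configuration actually enables. The way the fields combine (copy_folder below install_path, keylog_folder below keylog_path, the *_flag strings gating each feature, %AppData% meaning the Roaming profile) is an assumption drawn from the field names.

```python
"""Turn the extracted Remcos configuration into a hunting checklist.

Added example, not Tria.ge's or Remcos's own code. REMCOS_CONFIG is
constructed from the values shown above. How the fields combine
(copy_folder below install_path, keylog_folder below keylog_path, the
*_flag booleans gating each artifact, %AppData% meaning the Roaming
profile) is an assumption drawn from the field names.
"""
import ntpath

# Constructed input: the fields the report extracted from this sample.
REMCOS_CONFIG = {
    "RemoteHost": "billypax-fax.dyn.home-webserver.de:62742",
    "install_flag": "false", "install_path": "%AppData%",
    "copy_folder": "iuytrdf", "copy_file": "poiuyts.exe",
    "keylog_flag": "false", "keylog_path": "%AppData%",
    "keylog_folder": "679uj", "keylog_file": "09786ty.dat",
    "screenshot_flag": "false", "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "audio_path": "%AppData%", "audio_folder": "MicRecords",
    "mutex": "0iuygf-QOJK52", "startup_value": "fstrytu",
}


def is_true(cfg, key):
    """Config values arrive as the strings 'true'/'false'."""
    return str(cfg.get(key, "false")).strip().lower() == "true"


def parse_c2(remote_host):
    """'host:port' -> (host, port). rpartition splits on the last colon."""
    host, _, port = remote_host.strip().rpartition(":")
    return host, int(port)


def expand_appdata(path, user):
    """%AppData% is the per-user Roaming directory on Windows."""
    return path.replace("%AppData%", rf"C:\Users\{user}\AppData\Roaming")


def host_artifacts(cfg, user="Admin"):
    """Map artifact name -> (expanded path, status). The status records
    whether the configuration actually enables the feature, so an analyst
    does not hunt for a keylog file the sample never writes."""
    def gated(flag):
        return "enabled" if is_true(cfg, flag) else f"dormant ({flag}=false)"

    raw = {
        "install_copy": (ntpath.join(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]),
                         gated("install_flag")),
        "keylog_file": (ntpath.join(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]),
                        gated("keylog_flag")),
        "screenshot_dir": (ntpath.join(cfg["screenshot_path"], cfg["screenshot_folder"]),
                           gated("screenshot_flag")),
        # no audio_* flag is present in this config, so the status is left open
        "audio_dir": (ntpath.join(cfg["audio_path"], cfg["audio_folder"]), "no flag in config"),
    }
    return {name: (expand_appdata(path, user), status) for name, (path, status) in raw.items()}


def checklist(cfg, user="Admin"):
    """Everything a responder would search for, grouped by where it lives."""
    host, port = parse_c2(cfg["RemoteHost"])
    artifacts = host_artifacts(cfg, user)
    return {
        "c2_host": host,
        "c2_port": port,
        "mutex": cfg["mutex"],
        "run_value_name": cfg["startup_value"],
        "artifacts": artifacts,
        "live_artifacts": [n for n, (_, status) in artifacts.items() if status == "enabled"],
    }


if __name__ == "__main__":
    for key, value in checklist(REMCOS_CONFIG).items():
        print(f"{key}: {value}")
```

With install_flag, keylog_flag and screenshot_flag all false, live_artifacts comes back empty: the C2 endpoint and mutex are the reliable indicators, while the copy path, keylog file and screenshot folder are dormant. That agrees with the behaviour recorded further down, where persistence is the dropper's own Run value (00FAYTSXGU pointing at cmAusBTYRm.js) rather than the Remcos startup_value fstrytu.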
Signatures
-
Blocklisted process makes network request 18 IoCs
Processes:
pid 1640 wscript.exe: network flows 7, 8, 9, 11, 12, 13, 15, 16, 17, 19, 20, 21, 23, 24, 25, 27, 28, 29
Executes dropped EXE 1 IoCs
Processes:
pid 580 bin.exe
Drops startup file 2 IoCs
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmAusBTYRm.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmAusBTYRm.js (wscript.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Key created: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\cmAusBTYRm.js\"" (wscript.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for this sample it should be read as storage enumeration only, since the extracted configuration identifies the payload as Remcos, a remote access trojan, and no file-encryption activity is recorded in this report.
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid 580 bin.exe
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
PID 1884 (wscript.exe) wrote to memory of PID 1640 (wscript.exe): 3 events
PID 1884 (wscript.exe) wrote to memory of PID 580 (bin.exe): 4 events
Processes
-
- C:\Windows\system32\wscript.exe (depth 1)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\INQUIRY QT190682047.js"
  - Suspicious use of WriteProcessMemory
  PID: 1884
  - C:\Windows\System32\wscript.exe (depth 2, child of 1884)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cmAusBTYRm.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID: 1640
  - C:\Users\Admin\AppData\Local\Temp\bin.exe (depth 2, child of 1884)
    "C:\Users\Admin\AppData\Local\Temp\bin.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 580
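The process tree, Run key and startup-folder entries above describe a persistence chain that is easy to express as detection logic: a wscript.exe parent relaunching wscript.exe with //B (batch mode, which suppresses script error dialogs) on a script under the user's Roaming profile, that script dropping a copy into the Startup folder and registering a Run value pointing at a .js file, and the original dropper launching an executable from the user's Temp directory. The rules below are an added example, not part of the Tria.ge report or any vendor rule set. The EVENTS list is constructed from the report's own lines; the field names (type, image, cmdline, key, data, path) are an assumed normalised telemetry schema rather than a real product's format, and PID 1884's own parent is omitted because the report does not show it.

```python
"""Detection rules for the script-based persistence chain in the report above.

Added example, not part of the Tria.ge report or any vendor rule set. EVENTS is
constructed from the report's process tree, Run-key and startup-folder lines; the
event schema (type/image/cmdline/key/data/path) is an assumption.
"""
import re

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")

# A Windows Script Host script living directly under the user's Roaming profile.
ROAMING_SCRIPT = re.compile(r"\\users\\[^\\]+\\appdata\\roaming\\[^\\\"]+\.(?:js|jse|vbs|vbe|wsf)\b", re.I)
STARTUP_DIR = re.compile(r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)

# Constructed from the report. PID 1884's parent is not shown there, so it is left out.
EVENTS = [
    {"type": "process", "pid": 1640, "ppid": 1884, "parent_image": r"C:\Windows\system32\wscript.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cmAusBTYRm.js"'},
    {"type": "file", "pid": 1640, "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmAusBTYRm.js"},
    {"type": "registry", "pid": 1640, "image": r"C:\Windows\System32\wscript.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU",
     "data": r'"C:\Users\Admin\AppData\Roaming\cmAusBTYRm.js"'},
    {"type": "process", "pid": 580, "ppid": 1884, "parent_image": r"C:\Windows\system32\wscript.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\bin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bin.exe"'},
]


def _name(path):
    """Lower-cased file name of a Windows path (None-safe)."""
    return (path or "").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the IDs of the rules an event matches (empty list if none)."""
    hits = []
    if ev["type"] == "process":
        parent, child, cmd = _name(ev.get("parent_image")), _name(ev["image"]), ev["cmdline"]
        # //B is a separate token on the command line, so token matching avoids
        # false hits on paths or URLs that merely contain "//b".
        tokens = [t.lower() for t in cmd.split()]
        if parent == "wscript.exe" and child == "wscript.exe" and "//b" in tokens \
                and ROAMING_SCRIPT.search(cmd):
            hits.append("WSH_BATCH_SCRIPT_FROM_ROAMING")
        if parent == "wscript.exe" and child.endswith(".exe") and TEMP_DIR.search(ev["image"]):
            hits.append("WSH_SPAWNS_EXE_FROM_TEMP")
    elif ev["type"] == "registry":
        # Run-value data is usually quoted; strip the quotes before checking the extension.
        target = ev["data"].strip().strip('"').lower()
        if RUN_KEY.search(ev["key"]) and target.endswith(SCRIPT_EXT):
            hits.append("RUN_KEY_POINTS_AT_SCRIPT")
    elif ev["type"] == "file":
        if STARTUP_DIR.search(ev["path"]) and ev["path"].lower().endswith(SCRIPT_EXT):
            hits.append("SCRIPT_DROPPED_IN_STARTUP_FOLDER")
    return hits


def triage(events):
    """Run every rule over every event; returns [(rule_id, pid), ...] in event order."""
    return [(rule, ev["pid"]) for ev in events for rule in check_event(ev)]


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:36} pid={pid}")
```

Any one of these rules fires on its own in ordinary environments (logon scripts launched by wscript.exe, for instance), so the value is in the combination: the same PID drops a script into Startup, writes a Run value naming that script, and was itself started by wscript.exe in batch mode from a Roaming path. Grouping hits by PID before alerting is the sensible next step.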
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bin.exe
MD5
3f000a9aa0c0b1ba8bcf065e7380b8cd
SHA1
69dd31d4ebb7a092101d15d764dc1c83cc8d627f
SHA256
bde7e648965a1c1d26157ff246731a7eeaf31843a414b9fd6dff8a72df01c0ba
SHA512
ceadb105145fb65a541c6d6f91d18f3fd7460a70b021d7e9129a43e98373453e47a34b38789a793cb815de702dc05aa489c37c78188735f56ab94b85d88f0b4e
-
C:\Users\Admin\AppData\Roaming\cmAusBTYRm.js
MD5
c05d7910018e812d5674187e635ba5f0
SHA1
2d92d2e819012b7a5f1e87a56ad2f25fd7d1f7c1
SHA256
f3a3aba936347be70ea396a9c005a2436a393a8c29fc70a7774828e40869b80e
SHA512
a057d24168a9e695c968e67961e4c2c755abb9eef8a40cda04b8f1d5cbf87ba77fa0c360baee17a4b36b4f2b1fc9138016533412120edc7dacbe544193164677
-
memory/580-56-0x00000000763D1000-0x00000000763D3000-memory.dmp
Filesize
8KB