Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220310-en
submitted: 14-03-2022 05:47
Static task: static1
Behavioral task: behavioral1
  Sample: INQUIRY QT190682047.js
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: INQUIRY QT190682047.js
  Resource: win10v2004-20220310-en
General
Target: INQUIRY QT190682047.js
Size: 1.4MB
MD5: 5443f54be37634afdf2a5461d1e0cafd
SHA1: e4d40869a09bcc002e4080c2bd85fac23f7e2d1e
SHA256: 405e04cf871e8638c9b24420ad9cc06f21169ec98db50e82b5642b38ae5002e6
SHA512: 79905f0caef652e29640d3a3590a94c0ef0e78b6a37a0bcffb34ea066fa3cd0d05c5cca706a681cdac384e2132cabb566be7be8d43282d5ec74acb0e913cbc3e
Malware Config
Extracted family: remcos
RemoteHost: billypax-fax.dyn.home-webserver.de:62742
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: poiuyts.exe
copy_folder: iuytrdf
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: 09786ty.dat
keylog_flag: false
keylog_folder: 679uj
keylog_path: %AppData%
mouse_option: false
mutex: 0iuygf-QOJK52
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: fstrytu
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Signatures
- Blocklisted process makes network request (15 IoCs)
  Processes: wscript.exe
  flow  pid   process
  9     4372  wscript.exe
  13    4372  wscript.exe
  14    4372  wscript.exe
  23    4372  wscript.exe
  24    4372  wscript.exe
  28    4372  wscript.exe
  31    4372  wscript.exe
  32    4372  wscript.exe
  33    4372  wscript.exe
  34    4372  wscript.exe
  35    4372  wscript.exe
  36    4372  wscript.exe
  37    4372  wscript.exe
  40    4372  wscript.exe
  41    4372  wscript.exe
- Executes dropped EXE (1 IoC)
  Processes: bin.exe
  pid   process
  4432  bin.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description        ioc                                                                                                        process
  Key value queried  \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation  wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                   ioc                                                                                      process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmAusBTYRm.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmAusBTYRm.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                                                                                                   process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\cmAusBTYRm.js\""  wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                         wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: bin.exe
  pid   process
  4432  bin.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: wscript.exe
  description                      pid  process      target process
  PID 756 wrote to memory of 4372  756  wscript.exe  wscript.exe
  PID 756 wrote to memory of 4372  756  wscript.exe  wscript.exe
  PID 756 wrote to memory of 4432  756  wscript.exe  bin.exe
  PID 756 wrote to memory of 4432  756  wscript.exe  bin.exe
  PID 756 wrote to memory of 4432  756  wscript.exe  bin.exe
Processes
[1] C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\INQUIRY QT190682047.js"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cmAusBTYRm.js"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
    [2] C:\Users\Admin\AppData\Local\Temp\bin.exe
        "C:\Users\Admin\AppData\Local\Temp\bin.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\bin.exe
  MD5: 3f000a9aa0c0b1ba8bcf065e7380b8cd
  SHA1: 69dd31d4ebb7a092101d15d764dc1c83cc8d627f
  SHA256: bde7e648965a1c1d26157ff246731a7eeaf31843a414b9fd6dff8a72df01c0ba
  SHA512: ceadb105145fb65a541c6d6f91d18f3fd7460a70b021d7e9129a43e98373453e47a34b38789a793cb815de702dc05aa489c37c78188735f56ab94b85d88f0b4e
C:\Users\Admin\AppData\Roaming\cmAusBTYRm.js
  MD5: c05d7910018e812d5674187e635ba5f0
  SHA1: 2d92d2e819012b7a5f1e87a56ad2f25fd7d1f7c1
  SHA256: f3a3aba936347be70ea396a9c005a2436a393a8c29fc70a7774828e40869b80e
  SHA512: a057d24168a9e695c968e67961e4c2c755abb9eef8a40cda04b8f1d5cbf87ba77fa0c360baee17a4b36b4f2b1fc9138016533412120edc7dacbe544193164677