Overview

overview

10

Static

static

INQUIRY QT...047.js

windows7_x64

10

INQUIRY QT...047.js

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    14-03-2022 05:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INQUIRY QT190682047.js

  • Size

    1.4MB

  • MD5

    5443f54be37634afdf2a5461d1e0cafd

  • SHA1

    e4d40869a09bcc002e4080c2bd85fac23f7e2d1e

  • SHA256

    405e04cf871e8638c9b24420ad9cc06f21169ec98db50e82b5642b38ae5002e6

  • SHA512

    79905f0caef652e29640d3a3590a94c0ef0e78b6a37a0bcffb34ea066fa3cd0d05c5cca706a681cdac384e2132cabb566be7be8d43282d5ec74acb0e913cbc3e

Score
10/10
remcosvjw0rmremotehostpersistencerattrojanworm

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

billypax-fax.dyn.home-webserver.de:62742

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    poiuyts.exe

  • copy_folder

    iuytrdf

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    09786ty.dat

  • keylog_flag

    false

  • keylog_folder

    679uj

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    0iuygf-QOJK52

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    fstrytu

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Blocklisted process makes network request 15 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\INQUIRY QT190682047.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\cmAusBTYRm.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:4372
    • C:\Users\Admin\AppData\Local\Temp\bin.exe
      "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bin.exe
    MD5

    3f000a9aa0c0b1ba8bcf065e7380b8cd

    SHA1

    69dd31d4ebb7a092101d15d764dc1c83cc8d627f

    SHA256

    bde7e648965a1c1d26157ff246731a7eeaf31843a414b9fd6dff8a72df01c0ba

    SHA512

    ceadb105145fb65a541c6d6f91d18f3fd7460a70b021d7e9129a43e98373453e47a34b38789a793cb815de702dc05aa489c37c78188735f56ab94b85d88f0b4e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\bin.exe
    MD5

    3f000a9aa0c0b1ba8bcf065e7380b8cd

    SHA1

    69dd31d4ebb7a092101d15d764dc1c83cc8d627f

    SHA256

    bde7e648965a1c1d26157ff246731a7eeaf31843a414b9fd6dff8a72df01c0ba

    SHA512

    ceadb105145fb65a541c6d6f91d18f3fd7460a70b021d7e9129a43e98373453e47a34b38789a793cb815de702dc05aa489c37c78188735f56ab94b85d88f0b4e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\cmAusBTYRm.js
    MD5

    c05d7910018e812d5674187e635ba5f0

    SHA1

    2d92d2e819012b7a5f1e87a56ad2f25fd7d1f7c1

    SHA256

    f3a3aba936347be70ea396a9c005a2436a393a8c29fc70a7774828e40869b80e

    SHA512

    a057d24168a9e695c968e67961e4c2c755abb9eef8a40cda04b8f1d5cbf87ba77fa0c360baee17a4b36b4f2b1fc9138016533412120edc7dacbe544193164677

    Download Submit