Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-06-2022 02:06
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ- Ref. No. MS-DGP-220137.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: RFQ- Ref. No. MS-DGP-220137.js
  Resource: win10v2004-20220414-en
General
- Target: RFQ- Ref. No. MS-DGP-220137.js
- Size: 375KB
- MD5: 522a31506ef88ce5bff4b179b11a9a4e
- SHA1: 24c6896ce449bd32acc6827247b14f5c51ae9f71
- SHA256: db0307c145bf8f940b790830d5ade8fd7bb6bac5dfc482a0d2eda2097ba24246
- SHA512: 02ca78bd2121f5d94e282af76beee1c292871eb9e22ab90474230de7565b4199682df14295100b7144c2cbd3940a2a5e23ce066e7dbd3b34dba65378af8843ce
Malware Config
Signatures
- Blocklisted process makes network request (14 IoCs)
  Processes: wscript.exe
  flow  pid   process
  4     4036  wscript.exe
  6     4036  wscript.exe
  10    4036  wscript.exe
  22    4036  wscript.exe
  31    4036  wscript.exe
  34    4036  wscript.exe
  36    4036  wscript.exe
  37    4036  wscript.exe
  41    4036  wscript.exe
  42    4036  wscript.exe
  44    4036  wscript.exe
  45    4036  wscript.exe
  46    4036  wscript.exe
  51    4036  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description        ioc                                                                                                           process
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation           wscript.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                   ioc                                                                                   process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JUclMnXWGX.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JUclMnXWGX.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                                                                                  process
  Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                            wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\JUclMnXWGX.js\""  wscript.exe
- Drops file in Program Files directory (12 IoCs)
  Processes: java.exe
  description                   ioc                                                              process
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb  java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb                 java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb                       java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb            java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb    java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb                   java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb           java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb              java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb          java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb                     java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb                java.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb         java.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
  description                        pid   process      target process
  PID 4548 wrote to memory of 4036   4548  wscript.exe  wscript.exe
  PID 4548 wrote to memory of 4036   4548  wscript.exe  wscript.exe
  PID 4548 wrote to memory of 4664   4548  wscript.exe  java.exe
  PID 4548 wrote to memory of 4664   4548  wscript.exe  java.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ- Ref. No. MS-DGP-220137.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JUclMnXWGX.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"
    - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\SM.jar
  Filesize: 164KB
  MD5: edf0e95033cb0df96be06c5088142288
  SHA1: 3972af92633203e7857ec0e4ae65246b32c83539
  SHA256: 9712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049
  SHA512: b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a
- C:\Users\Admin\AppData\Roaming\JUclMnXWGX.js
  Filesize: 30KB
  MD5: 1a78c6c4ea92442d7da8af8d2557e0d2
  SHA1: 410764bee9220b5630ac46f7a1c5c36c93b742c9
  SHA256: 288f91b613ec105cf8d9576e056b6c504c859c842b3b17649d103308040bd82d
  SHA512: 548c4cd49e8277b49d25d2d4b3ba04a29ba474e0ae1761a8edf12643923a6872e8bc448c05b0003c7bcea44cf1847d82ea7ad89874b6657e41055b89e7d4b20d
- memory/4036-130-0x0000000000000000-mapping.dmp
- memory/4664-132-0x0000000000000000-mapping.dmp
- memory/4664-143-0x0000000002710000-0x0000000003710000-memory.dmp
  Filesize: 16.0MB
- memory/4664-153-0x0000000002710000-0x0000000003710000-memory.dmp
  Filesize: 16.0MB
- memory/4664-154-0x0000000002710000-0x0000000003710000-memory.dmp
  Filesize: 16.0MB