Analysis
-
max time kernel
41s -
max time network
76s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
27-06-2022 08:10
Static task
static1
Behavioral task
behavioral1
Sample
RFQ-20222606.js
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
RFQ-20222606.js
Resource
win10v2004-20220414-en
General
-
Target
RFQ-20222606.js
-
Size
904KB
-
MD5
2e374bbdfd996ff9b0a22647f2a06726
-
SHA1
9d8410f23744dbc340a4a412686634c2fb6e496b
-
SHA256
7eea26c62d8b952f70d4a84aaec4c33b8a4d44aee6ae2480ad389865e7e033aa
-
SHA512
aa37b6a665303c68730ff981f06fda696341f3b4eeb59846e3b33609f9196eeca10574ed0217faea7d27f647e8b982775ed9c2956e48a788fa1f6ef160fb178b
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 4 3784 WScript.exe 7 3784 WScript.exe 15 3784 WScript.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oRQQPreZxd.js WScript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oRQQPreZxd.js WScript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run WScript.exe Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\oRQQPreZxd.js\"" WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings wscript.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4772 javaw.exe 1744 java.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3868 wrote to memory of 3784 3868 wscript.exe 82 PID 3868 wrote to memory of 3784 3868 wscript.exe 82 PID 3868 wrote to memory of 4772 3868 wscript.exe 83 PID 3868 wrote to memory of 4772 3868 wscript.exe 83 PID 4772 wrote to memory of 1744 4772 javaw.exe 84 PID 4772 wrote to memory of 1744 4772 javaw.exe 84 PID 4772 wrote to memory of 3080 4772 javaw.exe 87 PID 4772 wrote to memory of 3080 4772 javaw.exe 87 PID 1744 wrote to memory of 2176 1744 java.exe 88 PID 1744 wrote to memory of 2176 1744 java.exe 88 PID 2176 wrote to memory of 3540 2176 cmd.exe 92 PID 2176 wrote to memory of 3540 2176 cmd.exe 92 PID 3080 wrote to memory of 3492 3080 cmd.exe 91 PID 3080 wrote to memory of 3492 3080 cmd.exe 91
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ-20222606.js1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oRQQPreZxd.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3784
-
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qqdnjcy.txt"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.64529390757446917446356467187093415.class3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6725757014680576802.vbs4⤵
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6725757014680576802.vbs5⤵PID:3540
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2887554250066647638.vbs4⤵PID:4892
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2887554250066647638.vbs5⤵PID:3380
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1496218592790102588.vbs3⤵
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1496218592790102588.vbs4⤵PID:3492
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7012841106692668034.vbs3⤵PID:4240
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7012841106692668034.vbs4⤵PID:4496
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD59573a78ff80a931d33c89524caf216f5
SHA1ee7fd94ac5805330f3c30cbefde7472a236d1878
SHA256d3f7b7ff123746d757e7d627801dac6f923133b9600eaf82bf200de827f941b7
SHA512823e6ddf7cec0fa862ef19c224d164209f78526710dfb20ee03079076b3302c20a1da301f6b3d2032c2d8db970e15980e14c17fe505fe37e41044098bb6aecfe
-
Filesize
276B
MD53bdfd33017806b85949b6faa7d4b98e4
SHA1f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA2569da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
-
Filesize
276B
MD53bdfd33017806b85949b6faa7d4b98e4
SHA1f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA2569da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
-
Filesize
241KB
MD5781fb531354d6f291f1ccab48da6d39f
SHA19ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA25697d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA5123e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1081944012-3634099177-1681222835-1000\83aa4cc77f591dfc2374580bbd95f6ba_20e30e2f-4677-4eb9-89e6-7dd1fd044635
Filesize45B
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize
5KB
MD5ee7c86331e927c3bb54cc0ec2cb2e254
SHA1c2fb27bd598702b19cd48e25df42f8027b55c511
SHA256f476e352ca10a3062a409c491e0d6cb79cf09579ebc561de66d2172358201c17
SHA512f05135c606464b1a79fbf7a053112dd609417c94c0c66c31c98d177fc67068fe6f382e203f24a329d5915ee84d288a368e23c1914dee3c2f48107643a88534a4
-
Filesize
479KB
MD5e6e49d6575a99dc7eaf81091e02190b6
SHA1d7abf421d1a9d080d89b2922003a0d869d64ac2c
SHA2563df792e3ab0c1efd66231647b0369e5805d359403d5b534a2562a7ba301b0757
SHA51298743a430ab0490aed350a800d057dbaf7b29d2ce9833ca7cefc3e52a18dc5918c315918f64b193ca6d42f0250f7d93f001606689852de3f56182de42e0a7d3f