Analysis
-
max time kernel: 136s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 03-07-2022 18:20
Static task: static1
Behavioral task: behavioral1
Sample: INQUIRY NO- 2744.js
Resource: win7-20220414-en
General
-
Target: INQUIRY NO- 2744.js
Size: 2.1MB
MD5: 2f3507015138a0ef0d3c91fca1fcf5f2
SHA1: 7cf3028b2f73ee9a7474b242721fbf9d1639e6c8
SHA256: bde745851b6cfd0b1f52692ff12873484fc0553f0a4c22976a71404991557655
SHA512: 62c2ad91c890f7763063625f8f4dcee4f4eb845de9bd9ea9a65988d9915e55095c77c492848ecd66567c17ddc0d5bada37edc05a89dc0fc6fb1f76568f75aa68
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
  pid 1060  mqrJgpkqFQIDTGK.exe
  pid 1704  filename.exe
  pid 336   filename.exe
-
Loads dropped DLL 3 IoCs
Processes:
  pid 1060  mqrJgpkqFQIDTGK.exe
  pid 1060  mqrJgpkqFQIDTGK.exe
  pid 1704  filename.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
  filename.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe"
  WScript.exe   Key created      \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run
  WScript.exe   Set value (str)  \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs -LL"
Two independent persistence entries: a machine-wide Run value pointing at the dropped arpsvc.exe (written by filename.exe) and a per-user Run value that re-launches the dropped VBS through the script host (written by WScript.exe). The Wow6432Node path means the HKLM write came from a 32-bit process under WOW64 registry redirection; on a 64-bit host that key is still processed at logon, so both entries are live.
-
Checks whether UAC is enabled
Processes:
  filename.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 1704 (filename.exe) set thread context of PID 336 (filename.exe)
-
Drops file in Program Files directory 2 IoCs
Processes:
  filename.exe  File created                C:\Program Files (x86)\ARP Service\arpsvc.exe
  filename.exe  File opened for modification  C:\Program Files (x86)\ARP Service\arpsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour", but nothing else in this report (no mass file modification, no ransom note, no dropped encryptor) supports a ransomware verdict for this sample; the recorded behaviour is persistence (two Run keys, a dropped arpsvc.exe) and in-memory injection into a child process.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid 336  filename.exe
  pid 336  filename.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  pid 336  filename.exe  Token: SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid 1060  mqrJgpkqFQIDTGK.exe
  pid 1704  filename.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid 336  filename.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
  PID 452  (wscript.exe)          wrote to memory of PID 1060 (mqrJgpkqFQIDTGK.exe)  x4
  PID 1060 (mqrJgpkqFQIDTGK.exe)  wrote to memory of PID 2044 (WScript.exe)          x4
  PID 1060 (mqrJgpkqFQIDTGK.exe)  wrote to memory of PID 1704 (filename.exe)         x4
  PID 1704 (filename.exe)         wrote to memory of PID 336  (filename.exe)         x4
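The signature tables above are the raw material for a hunt, but the sandbox prints them as flattened text. The following is an added example, not part of this report or of the sandbox's own tooling: it parses the Run-key and memory-write lines exactly as they appear above into structured records, rewrites the kernel object paths (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) into the HKLM/HKU form registry tools expect, applies a few triage rules to the autorun values, and recovers the parent-writes-into-a-child-running-the-same-image plus SetThreadContext pairing that the report records between PID 1704 and PID 336. The input strings are copied from this page; the function, class and constant names are the example's own.

```python
"""Structured hunt data from the flattened signature lines in this report.

Added example; not part of the sandbox report or the sandbox's own tooling.
Input lines are copied from the "Adds Run key", "SetThreadContext" and
"WriteProcessMemory" signatures above; all names here are the example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Registry IoC lines exactly as the report prints them (copied from the page).
RUN_KEY_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe" filename.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run WScript.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs -LL" WScript.exe',
]
# The report lists each parent/child write pair four times (16 IoCs in total).
WRITE_LINES = (
    ["PID 452 wrote to memory of 1060 452 wscript.exe mqrJgpkqFQIDTGK.exe"] * 4
    + ["PID 1060 wrote to memory of 2044 1060 mqrJgpkqFQIDTGK.exe WScript.exe"] * 4
    + ["PID 1060 wrote to memory of 1704 1060 mqrJgpkqFQIDTGK.exe filename.exe"] * 4
    + ["PID 1704 wrote to memory of 336 1704 filename.exe filename.exe"] * 4
)
CONTEXT_LINES = ["PID 1704 set thread context of 336 1704 filename.exe filename.exe"]

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)
EDGE_RE = re.compile(
    r"^PID (\d+) (?P<verb>wrote to memory of|set thread context of) (\d+) \1 (\S+) (\S+)$"
)
# Kernel object paths the sandbox logs -> the HKLM/HKU form registry tools expect.
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}


@dataclass(frozen=True)
class RunValue:
    key: str      # HKLM\... or HKU\<SID>\...
    name: str     # value name
    data: str     # value data, with the report's doubled backslashes collapsed
    process: str  # process that wrote it
    wow64: bool   # written under Wow6432Node, i.e. by a 32-bit process


def normalize_key(nt_path: str) -> str:
    for nt, win in HIVES.items():
        if nt_path.upper().startswith(nt):
            return win + nt_path[len(nt):]
    return nt_path


def parse_run_values(lines):
    """Keep only 'Set value' events; 'Key created' carries nothing to hunt for."""
    out = []
    for line in lines:
        m = SET_VALUE_RE.match(line)
        if m:
            out.append(RunValue(normalize_key(m["key"]), m["name"],
                                m["data"].replace("\\\\", "\\"), m["proc"],
                                "\\Wow6432Node\\" in m["key"]))
    return out


def run_value_flags(v: RunValue):
    """Cheap triage rules for an autorun entry; each hit is a reason string."""
    low, flags = v.data.lower(), []
    if "\\appdata\\local\\temp\\" in low:
        flags.append("launches from user temp directory")
    if re.search(r"\.(vbs|vbe|js|jse|wsf)\b", low):
        flags.append("autorun target is a script file")
    if v.wow64:
        flags.append("32-bit writer (Wow6432Node); still processed at logon on x64")
    return flags


def parse_edges(lines):
    """{(verb, src_pid, src_img, dst_pid, dst_img): count} from the report's lines."""
    c = Counter()
    for line in lines:
        m = EDGE_RE.match(line)
        if m:
            c[(m["verb"], int(m.group(1)), m.group(4), int(m.group(3)), m.group(5))] += 1
    return c


def hollowing_candidates(write_lines, context_lines):
    """Parent wrote into a child running the same image AND reset a thread context
    in it: the pairing this report records between PID 1704 and PID 336."""
    writes, ctx = parse_edges(write_lines), parse_edges(context_lines)
    hits = []
    for (verb, src, src_img, dst, dst_img), n in writes.items():
        if src_img.lower() == dst_img.lower() and \
           ("set thread context of", src, src_img, dst, dst_img) in ctx:
            hits.append((src, dst, src_img, n))
    return hits


if __name__ == "__main__":
    for v in parse_run_values(RUN_KEY_LINES):
        print(f"{v.key}\\{v.name} = {v.data!r}  (by {v.process}) {run_value_flags(v)}")
    for src, dst, img, n in hollowing_candidates(WRITE_LINES, CONTEXT_LINES):
        print(f"hollowing candidate: {img} pid {src} -> pid {dst} ({n} writes + SetThreadContext)")
```

The HKLM entry trips only the WOW64 rule, which is why the second check in a real hunt is the file itself: the report lists arpsvc.exe as created in Program Files (x86) but gives no hash for it, so the value data is a path to verify on disk rather than an indicator in its own right. The per-user entry trips both path and extension rules, and the "-LL" argument is part of the recorded value data, not an artefact of parsing.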
Processes
-
1  C:\Windows\system32\wscript.exe  (PID 452)
   wscript.exe "C:\Users\Admin\AppData\Local\Temp\INQUIRY NO- 2744.js"
   - Suspicious use of WriteProcessMemory
   -
2    C:\Users\Admin\AppData\Local\Temp\mqrJgpkqFQIDTGK.exe  (PID 1060)
     "C:\Users\Admin\AppData\Local\Temp\mqrJgpkqFQIDTGK.exe"
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
     -
3      C:\Windows\SysWOW64\WScript.exe  (PID 2044)
       "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"
       - Adds Run key to start application
       -
3      C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe  (PID 1704)
       "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
       -
4        C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe  (PID 336)
         C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Checks whether UAC is enabled
         - Drops file in Program Files directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of UnmapMainImage
The leading number is the depth in the process tree; PIDs are taken from the WriteProcessMemory signature (452 -> 1060 -> 2044 and 1704 -> 336). The depth-4 filename.exe is a second instance of the same image: PID 1704 spawned it, wrote into it and set its thread context, after which the child unmapped its own main image, queried EnableLUA, dropped arpsvc.exe into Program Files (x86) and wrote the ARP Service Run value. Its command line is reproduced as the sandbox recorded it, including the unmatched trailing quote.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\mqrJgpkqFQIDTGK.exe
Filesize: 1.5MB
MD5: 78d03f710ce3b6b685466910ef2b5de6
SHA1: 705a31cfaa14a4390ae7609ca62b86f7d29999a1
SHA256: 25aa79b4a1ba3a3b6a411a76cfb839fc3d72324c690445b1b6dcbdb1240f9c4f
SHA512: cc089a3b76e5bd41ad88e629230b523c1c0a05163a4a8428f1690992310c02b91b69bc0f0bf1980415750758d0810c5d20683d17b24523468b9ab67ab949f5a5
-
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
Filesize: 1.5MB
MD5: 78d03f710ce3b6b685466910ef2b5de6
SHA1: 705a31cfaa14a4390ae7609ca62b86f7d29999a1
SHA256: 25aa79b4a1ba3a3b6a411a76cfb839fc3d72324c690445b1b6dcbdb1240f9c4f
SHA512: cc089a3b76e5bd41ad88e629230b523c1c0a05163a4a8428f1690992310c02b91b69bc0f0bf1980415750758d0810c5d20683d17b24523468b9ab67ab949f5a5
Same size and hashes as mqrJgpkqFQIDTGK.exe, so the depth-3 filename.exe is a byte-identical copy of the depth-2 dropper; one hash set covers both paths.
-
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs
Filesize: 1024B
MD5: 027c384fe2dc14fabe3c2ecd2b85043b
SHA1: 3a066fb1a971f2a9a9ebe38f9332e5180cad1a3d
SHA256: 6fa7a9e80bc9b9e3c1481628553c2bc6fec478eec7531f533b9bdbebab18a62c
SHA512: 18598a07f58c79cc93d4fdaab6745923138e98896cef570b5cf24c36da0deba0cdaedc12141d3d69c7953f100ee71a885945194cfd7f3b047ab6360450486b55
-
\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
Filesize: 1.5MB
MD5: 78d03f710ce3b6b685466910ef2b5de6
SHA1: 705a31cfaa14a4390ae7609ca62b86f7d29999a1
SHA256: 25aa79b4a1ba3a3b6a411a76cfb839fc3d72324c690445b1b6dcbdb1240f9c4f
SHA512: cc089a3b76e5bd41ad88e629230b523c1c0a05163a4a8428f1690992310c02b91b69bc0f0bf1980415750758d0810c5d20683d17b24523468b9ab67ab949f5a5
-
Memory dumps
memory/336-82-0x0000000077300000-0x0000000077480000-memory.dmp   1.5MB
memory/336-83-0x0000000077300000-0x0000000077480000-memory.dmp   1.5MB
memory/336-81-0x0000000000400000-0x0000000000576000-memory.dmp   1.5MB
memory/336-84-0x00000000744C0000-0x0000000074A6B000-memory.dmp   5.7MB
memory/336-80-0x0000000000400000-0x0000000000451000-memory.dmp   324KB
memory/336-85-0x00000000744C0000-0x0000000074A6B000-memory.dmp   5.7MB
memory/336-76-0x000000000046B801-mapping.dmp
memory/452-54-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp   8KB
memory/1060-62-0x0000000077300000-0x0000000077480000-memory.dmp  1.5MB
memory/1060-70-0x0000000077300000-0x0000000077480000-memory.dmp  1.5MB
memory/1060-60-0x0000000075361000-0x0000000075363000-memory.dmp  8KB
memory/1060-59-0x0000000000690000-0x0000000000697000-memory.dmp  28KB
memory/1060-55-0x0000000000000000-mapping.dmp
memory/1704-78-0x0000000077300000-0x0000000077480000-memory.dmp  1.5MB
memory/1704-67-0x0000000000000000-mapping.dmp
memory/2044-63-0x0000000000000000-mapping.dmp
PID 336 has two dumps at image base 0x0000000000400000 with different extents (0x400000-0x451000 at 324KB and 0x400000-0x576000 at 1.5MB), consistent with the UnmapMainImage and SetThreadContext events recorded above replacing the image at that base; the 1.5MB dump is the one to carve for the injected payload. The mapping.dmp entries record where a dumped region was mapped and carry no file size.