Analysis
Max time kernel: 107s
Max time network: 110s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 14-07-2022 06:32
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ-Order 4500324718-MMS.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: RFQ-Order 4500324718-MMS.js
  Resource: win10v2004-20220414-en
General
Target: RFQ-Order 4500324718-MMS.js
Size: 916KB
MD5: 8343334b6b8f7ef2641e1653bb94dc6c
SHA1: 94aef9a464da41331903db7b2e81cc3a2204e4c1
SHA256: b0c7ce4c1135c7209615703555d72723fa989159aaae95bf1a7f48770a523cfa
SHA512: 4b0a3e62457361fd2b085155d2ee10f34bf95e90b416ddf7024c05b9d8ed9d88676d78a66751be48717f709046fd67833fcd4c7154705834383e46acd5e54b11
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: wscript.exe
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes: wscript.exe
  Description: Key created
  IoC: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings
  Process: wscript.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe, javaw.exe
  Description                       PID   Process      procid_target
  PID 3736 wrote to memory of 4676  3736  wscript.exe  80
  PID 3736 wrote to memory of 4676  3736  wscript.exe  80
  PID 3736 wrote to memory of 4592  3736  wscript.exe  81
  PID 3736 wrote to memory of 4592  3736  wscript.exe  81
  PID 4592 wrote to memory of 4396  4592  javaw.exe    84
  PID 4592 wrote to memory of 4396  4592  javaw.exe    84
Note: every write goes from a process to the child it spawned (3736 to 4676 and 4592, 4592 to 4396), which is the pattern process creation itself produces; on its own it is not evidence of injection into an unrelated process.
Processes
[1] C:\Windows\system32\wscript.exe  (PID 3736)
    Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ-Order 4500324718-MMS.js"
    Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WScript.exe  (PID 4676)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\grgTqPNffK.js"
  [2] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe  (PID 4592)
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fepcqdslpx.txt"
      Signatures: Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Java\jre1.8.0_66\bin\java.exe  (PID 4396)
        Command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.89372155270513073348242485333966476.class
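The chain above (wscript.exe running a second script dropped in Roaming, then javaw.exe and java.exe handed -jar arguments with .txt and .class extensions under AppData) and the Geo\Nation registry lookup in the Signatures section can both be expressed as simple telemetry rules. The following is an added example, not part of this sandbox report and not the sample's own code: it runs those rules over constructed Sysmon-style process-creation and registry events modelled on the report. The flat event schema (id, pid, ppid, image, cmdline, target) is an assumed normalised form rather than Sysmon's native XML, the parent PIDs 1234 and 900 and the benign control entry are invented, and the rule names are this example's own.

```python
"""Flag the wscript -> Java -jar chain and the geofence registry lookup
from the report in Sysmon-style telemetry (added example, constructed data)."""
import ntpath
import shlex
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_RUNTIMES = {"java.exe", "javaw.exe"}
# HKCU\Control Panel\International\Geo\Nation holds the user's GeoID; a
# script host reading it is the "likely geofence" signature in the report.
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"

# Constructed telemetry modelled on the report's process tree and IoC, not a
# real Sysmon export: id 1 = process create, id 12 = registry access. The
# parent PIDs 1234 and 900 are invented; the last record is a benign control
# (a real .jar launched from Program Files) and must not fire.
EVENTS: List[Dict] = [
    {"id": 1, "pid": 3736, "ppid": 1234,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ-Order 4500324718-MMS.js"'},
    {"id": 12, "pid": 3736, "image": r"C:\Windows\system32\wscript.exe",
     "target": r"HKU\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation"},
    {"id": 1, "pid": 4676, "ppid": 3736,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\grgTqPNffK.js"'},
    {"id": 1, "pid": 4592, "ppid": 3736,
     "image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fepcqdslpx.txt"'},
    {"id": 1, "pid": 4396, "ppid": 4592,
     "image": r"C:\Program Files\Java\jre1.8.0_66\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.89372155270513073348242485333966476.class'},
    {"id": 1, "pid": 5000, "ppid": 900,
     "image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Program Files\Tool\tool.jar"'},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _argv(cmdline: str) -> List[str]:
    # posix=False keeps Windows backslashes literal and leaves the quotes on
    # each quoted token, so strip them afterwards.
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def jar_target(cmdline: str) -> Optional[str]:
    """Return the path passed to -jar, or None if the command line has none."""
    argv = _argv(cmdline)
    for i, tok in enumerate(argv[:-1]):
        if tok.lower() == "-jar":
            return argv[i + 1]
    return None


def analyze(events: List[Dict]) -> List[Dict]:
    """Return one finding per matched rule, each carrying the rule name and pid."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings: List[Dict] = []
    for e in events:
        image = _basename(e["image"])
        if e["id"] == 1:
            parent = procs.get(e.get("ppid"))
            parent_image = _basename(parent["image"]) if parent else ""
            # Script host launching a script host: the first stage dropped a
            # second script (grgTqPNffK.js in Roaming) and ran it.
            if image in SCRIPT_HOSTS and parent_image in SCRIPT_HOSTS:
                findings.append({"rule": "script_host_chain", "pid": e["pid"]})
            if image in JAVA_RUNTIMES:
                if parent_image in SCRIPT_HOSTS:
                    findings.append({"rule": "script_host_spawns_java", "pid": e["pid"]})
                target = jar_target(e["cmdline"])
                if target is not None:
                    ext = ntpath.splitext(target)[1].lower()
                    # -jar needs a JAR archive whatever the file is called, so a
                    # .txt or .class accepted by it is a disguised archive; a JAR
                    # under AppData deserves a look even with the right extension.
                    if ext != ".jar" or "\\appdata\\" in target.lower():
                        findings.append({"rule": "disguised_or_appdata_jar",
                                         "pid": e["pid"], "target": target})
        elif e["id"] in (12, 13) and image in SCRIPT_HOSTS:
            if e["target"].lower().endswith(GEO_NATION_SUFFIX):
                findings.append({"rule": "script_host_geofence_lookup", "pid": e["pid"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run directly, it prints five findings: the geofence lookup by PID 3736, the script-host chain for PID 4676, the script host spawning Java for PID 4592, and a disguised -jar target for both 4592 (.txt) and 4396 (.class); the control entry produces none. On real telemetry the AppData clause will need tuning in environments where users legitimately run JARs from Roaming, and the registry rule should be fed from Sysmon event IDs 12/13 or an equivalent source.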
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 50B
  MD5: cea8be905b28990ce3ed27b210bfc993
  SHA1: 89c5f9a70689079dd48e4524ca3bfb0f25f8c430
  SHA256: 40a7053b56ac73a3ff786cb5166657b9554d5ace7804e8b3be25b15ab5f5b60c
  SHA512: 4068d49c9d94f99c7f37558e61438231e6ae1098226e87ba2988f026f78d3d72bac2927c46e98860c8435e28e7c717f3d1ac534c6259b6131f97b9c05bbc8cb4
Filesize: 241KB
  MD5: 781fb531354d6f291f1ccab48da6d39f
  SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
  SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
  SHA512: 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3751123196-3323558407-1869646069-1000\83aa4cc77f591dfc2374580bbd95f6ba_6bb404a8-25bc-4cef-a831-797f8d1e89c0
Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
Filesize: 479KB
  MD5: 4d9a717a9d3bb25ed5fd107ec7795e3a
  SHA1: 341ff4f74c807650c0a81ca0c2711caceddbed44
  SHA256: d4532757afd5774d841e830196ce2d5812f3443785f693d57e5c5d7d4ca3288a
  SHA512: ca6445a628a057895bd62028a2353a12b008e28b6bcf11d4277ffb18a51c5282bdd74864eb4412512387282dd43b2f5b915f4ec0df8e3f74ba2fab3905a197ce
Filesize: 9KB
  MD5: 8baf883e7807950dfe601193a9072712
  SHA1: 7d1cebfe9822f36967f9b9396a3314c55f05b699
  SHA256: f6c386cd1676a01876b71bb72784a5ccfc69ad0c880a876c00381b96d6110377
  SHA512: d9118810e4a6da72620d4c0d9e0f925d998d47b9cb8b8d240da19ca6cfab2ae63f6724028d9b68aa4b5393666cf7e93b9b1b6ab7135960d63a458c7a851c61a5