Analysis

  • max time kernel
    107s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-07-2022 06:32

General

  • Target

    RFQ-Order 4500324718-MMS.js

  • Size

    916KB

  • MD5

    8343334b6b8f7ef2641e1653bb94dc6c

  • SHA1

    94aef9a464da41331903db7b2e81cc3a2204e4c1

  • SHA256

    b0c7ce4c1135c7209615703555d72723fa989159aaae95bf1a7f48770a523cfa

  • SHA512

    4b0a3e62457361fd2b085155d2ee10f34bf95e90b416ddf7024c05b9d8ed9d88676d78a66751be48717f709046fd67833fcd4c7154705834383e46acd5e54b11

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour; that is a generic heuristic, and nothing else in this report (a JS dropper launching a JAR, five dropped files, no mass file writes) supports a ransomware verdict.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ-Order 4500324718-MMS.js"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\grgTqPNffK.js"
      2⤵
        PID:4676
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fepcqdslpx.txt"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
          "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.89372155270513073348242485333966476.class
          3⤵
            PID:4396
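The process tree above is the detection opportunity: a script host re-launching a dropped .js from Roaming, then `javaw.exe -jar` pointed at a `.txt`, then `java.exe -jar` pointed at a `.class` in Temp. The following is an added example (not part of the sandbox report) that runs three rules over process-creation records constructed to mirror that tree; the images, command lines and PIDs are copied from the report, while the root's parent PID and the record shape (loosely modelled on Sysmon Event ID 1) are assumptions.

```python
"""Three detection rules for the wscript -> javaw -jar -> java -jar chain.

Added example, not part of the sandbox report. EVENTS is constructed to
mirror the report's process tree (images, command lines and PIDs copied
from it); the root's parent PID (1234) and the record shape are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_HOSTS = {"java.exe", "javaw.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
JAR_FLAG = re.compile(r'\s-jar\s+"?([^"]+?)"?\s*$', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records mirroring the report's process tree.
EVENTS = [
    ProcEvent(3736, 1234, r"C:\Windows\system32\wscript.exe",
              r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ-Order 4500324718-MMS.js"'),
    ProcEvent(4676, 3736, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\grgTqPNffK.js"'),
    ProcEvent(4592, 3736, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fepcqdslpx.txt"'),
    ProcEvent(4396, 4592, r"C:\Program Files\Java\jre1.8.0_66\bin\java.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.89372155270513073348242485333966476.class'),
]

# Constructed benign control: a desktop app's JAR launched from Explorer.
BENIGN_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(101, 100, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Program Files\Tool\tool.jar"'),
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def jar_target(cmdline: str) -> Optional[str]:
    """Return the path passed to -jar, or None if the command has no -jar."""
    m = JAR_FLAG.search(cmdline)
    return m.group(1) if m else None


def ancestors(ppid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links upward, stopping at unknown PIDs or cycles."""
    chain, seen = [], set()
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(by_pid[ppid])
        ppid = by_pid[ppid].ppid
    return chain


def analyze(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        img = _base(e.image)
        parent = by_pid.get(e.ppid)
        # Rule 1: a script host started by a script host, running a script from a
        # user-writable directory (stage 1 dropping and re-launching stage 2).
        if (img in SCRIPT_HOSTS and parent and _base(parent.image) in SCRIPT_HOSTS
                and USER_WRITABLE.search(e.cmdline)):
            findings.append((e.pid, "script host re-launched a dropped script"))
        if img in JAVA_HOSTS:
            # Rule 2: -jar pointed at a user-writable file whose extension hides
            # that it must be a JAR (java -jar refuses anything else).
            target = jar_target(e.cmdline)
            if target and USER_WRITABLE.search(target) and not target.lower().endswith(".jar"):
                findings.append((e.pid, "java -jar on non-.jar file: " + ntpath.basename(target)))
            # Rule 3: a script host anywhere above a Java process.
            if any(_base(a.image) in SCRIPT_HOSTS for a in ancestors(e.ppid, by_pid)):
                findings.append((e.pid, "java launched under a script host"))
    return findings


if __name__ == "__main__":
    for pid, msg in analyze(EVENTS):
        print(pid, msg)
```

Rule 2 is the one with the best signal-to-noise: legitimate Java applications are launched from their install directory with a real `.jar`, so `-jar` on a `.txt` or `.class` under `AppData` is almost never benign. Rule 3 is broader and will fire on some admin scripts, so it is better suited to scoring than to alerting on its own.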

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

        Filesize

        50B

        MD5

        cea8be905b28990ce3ed27b210bfc993

        SHA1

        89c5f9a70689079dd48e4524ca3bfb0f25f8c430

        SHA256

        40a7053b56ac73a3ff786cb5166657b9554d5ace7804e8b3be25b15ab5f5b60c

        SHA512

        4068d49c9d94f99c7f37558e61438231e6ae1098226e87ba2988f026f78d3d72bac2927c46e98860c8435e28e7c717f3d1ac534c6259b6131f97b9c05bbc8cb4

      • C:\Users\Admin\AppData\Local\Temp\_0.89372155270513073348242485333966476.class

        Filesize

        241KB

        MD5

        781fb531354d6f291f1ccab48da6d39f

        SHA1

        9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

        SHA256

        97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

        SHA512

        3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3751123196-3323558407-1869646069-1000\83aa4cc77f591dfc2374580bbd95f6ba_6bb404a8-25bc-4cef-a831-797f8d1e89c0

        Filesize

        45B

        MD5

        c8366ae350e7019aefc9d1e6e6a498c6

        SHA1

        5731d8a3e6568a5f2dfbbc87e3db9637df280b61

        SHA256

        11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

        SHA512

        33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

      • C:\Users\Admin\AppData\Roaming\fepcqdslpx.txt

        Filesize

        479KB

        MD5

        4d9a717a9d3bb25ed5fd107ec7795e3a

        SHA1

        341ff4f74c807650c0a81ca0c2711caceddbed44

        SHA256

        d4532757afd5774d841e830196ce2d5812f3443785f693d57e5c5d7d4ca3288a

        SHA512

        ca6445a628a057895bd62028a2353a12b008e28b6bcf11d4277ffb18a51c5282bdd74864eb4412512387282dd43b2f5b915f4ec0df8e3f74ba2fab3905a197ce

      • C:\Users\Admin\AppData\Roaming\grgTqPNffK.js

        Filesize

        9KB

        MD5

        8baf883e7807950dfe601193a9072712

        SHA1

        7d1cebfe9822f36967f9b9396a3314c55f05b699

        SHA256

        f6c386cd1676a01876b71bb72784a5ccfc69ad0c880a876c00381b96d6110377

        SHA512

        d9118810e4a6da72620d4c0d9e0f925d998d47b9cb8b8d240da19ca6cfab2ae63f6724028d9b68aa4b5393666cf7e93b9b1b6ab7135960d63a458c7a851c61a5

      • memory/4396-165-0x00000000033D0000-0x00000000043D0000-memory.dmp

        Filesize

        16.0MB

      • memory/4396-145-0x0000000000000000-mapping.dmp

      • memory/4396-156-0x00000000033D0000-0x00000000043D0000-memory.dmp

        Filesize

        16.0MB

      • memory/4396-166-0x00000000033D0000-0x00000000043D0000-memory.dmp

        Filesize

        16.0MB

      • memory/4592-144-0x0000000002D80000-0x0000000003D80000-memory.dmp

        Filesize

        16.0MB

      • memory/4592-142-0x0000000002D80000-0x0000000003D80000-memory.dmp

        Filesize

        16.0MB

      • memory/4592-132-0x0000000000000000-mapping.dmp

      • memory/4592-164-0x0000000002D80000-0x0000000003D80000-memory.dmp

        Filesize

        16.0MB

      • memory/4592-167-0x0000000002D80000-0x0000000003D80000-memory.dmp

        Filesize

        16.0MB

      • memory/4592-169-0x0000000002D80000-0x0000000003D80000-memory.dmp

        Filesize

        16.0MB

      • memory/4676-130-0x0000000000000000-mapping.dmp
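Two of the dropped files deserve a content check rather than an extension check: both `fepcqdslpx.txt` and the `.class` file in Temp were executed with `java -jar`, which only accepts a JAR, so by content they must be ZIP archives despite their names. The following added example (not part of the sandbox report) identifies JAR content behind a misleading extension and also matches files against the SHA256 values listed above; its sample files are constructed in memory, so their hashes will not equal the report's IoCs and only the extension/magic rule fires on them.

```python
"""Content-based check for the 'jar' files in the Downloads list.

Added example, not part of the sandbox report. Both fepcqdslpx.txt and the
.class file in Temp were run with java -jar, which only accepts a JAR, so
by content they must be ZIP archives despite their extensions. The sample
files below are constructed in memory (a minimal JAR from zipfile and a
placeholder script); their hashes therefore do not match the report's IoCs,
and only the extension/magic rule fires on them.
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple

# SHA256 values copied from the Downloads section of the report.
REPORT_SHA256 = {
    "d4532757afd5774d841e830196ce2d5812f3443785f693d57e5c5d7d4ca3288a": "fepcqdslpx.txt",
    "97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9": "_0.89372155270513073348242485333966476.class",
    "f6c386cd1676a01876b71bb72784a5ccfc69ad0c880a876c00381b96d6110377": "grgTqPNffK.js",
}


def is_jar(data: bytes) -> bool:
    """True if data is a ZIP archive carrying META-INF/MANIFEST.MF."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify(name: str, data: bytes) -> Tuple[str, List[str]]:
    """Return (sha256, findings) for one file's name and bytes."""
    sha = hashlib.sha256(data).hexdigest()
    findings = []
    if sha in REPORT_SHA256:
        findings.append("hash matches report IoC " + REPORT_SHA256[sha])
    if is_jar(data) and not name.lower().endswith(".jar"):
        findings.append("JAR content behind non-.jar extension")
    return sha, findings


def make_jar() -> bytes:
    """Build a minimal but valid JAR in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a\n")
        zf.writestr("a.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed samples named after the report's dropped files, plus a benign JAR.
SAMPLES: Dict[str, bytes] = {
    "fepcqdslpx.txt": make_jar(),
    "_0.89372155270513073348242485333966476.class": make_jar(),
    "grgTqPNffK.js": b"// dropped script placeholder\n",
    "tool.jar": make_jar(),
}


def sweep(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, List[str]]:
    return {name: classify(name, data)[1] for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in sweep().items():
        print(name, hits or "clean")
```

On a real host, feed `classify` the bytes of each file under `AppData\Roaming` and `AppData\Local\Temp`; a hash hit confirms this exact sample, while the magic rule also catches repacked variants whose hashes have changed.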