Analysis
-
max time kernel
148s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
resource tags
arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system -
submitted
20-07-2022 12:47
Static task
static1
Behavioral task
behavioral1
Sample
RFQ#-SWMKA-07101.js
Resource
win7-20220718-en
General
-
Target
RFQ#-SWMKA-07101.js
-
Size
891KB
-
MD5
fecd15e5dbf479eb20796e50555acd67
-
SHA1
71f419889ef0b86b04b752cf9ad59b46253c3bf5
-
SHA256
4e1931a0ea86afa05c45d032854ecb675aedf8481540e7ca14141b955d0c30e9
-
SHA512
18360f56243bb5393dd7cf9786e96f9cb5bff0983228ac3c721c1d46821304c46908fbf4c70a172165d85fc6d31917db5c7c37777958b8f671a53fb4e9a86554
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops file in System32 directory 1 IoCs
Processes:
java.exedescription ioc Process File created C:\Windows\System32\test.txt java.exe -
Drops file in Program Files directory 12 IoCs
Processes:
javaw.exedescription ioc Process File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb javaw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
wscript.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings wscript.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
javaw.exejava.exepid Process 3140 javaw.exe 1744 java.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
wscript.exejavaw.exejava.execmd.execmd.exedescription pid Process procid_target PID 3844 wrote to memory of 1684 3844 wscript.exe 81 PID 3844 wrote to memory of 1684 3844 wscript.exe 81 PID 3844 wrote to memory of 3140 3844 wscript.exe 82 PID 3844 wrote to memory of 3140 3844 wscript.exe 82 PID 3140 wrote to memory of 1744 3140 javaw.exe 83 PID 3140 wrote to memory of 1744 3140 javaw.exe 83 PID 1744 wrote to memory of 232 1744 java.exe 85 PID 1744 wrote to memory of 232 1744 java.exe 85 PID 232 wrote to memory of 3692 232 cmd.exe 87 PID 232 wrote to memory of 3692 232 cmd.exe 87 PID 1744 wrote to memory of 3020 1744 java.exe 88 PID 1744 wrote to memory of 3020 1744 java.exe 88 PID 3020 wrote to memory of 1700 3020 cmd.exe 90 PID 3020 wrote to memory of 1700 3020 cmd.exe 90 PID 1744 wrote to memory of 4980 1744 java.exe 93 PID 1744 wrote to memory of 4980 1744 java.exe 93 PID 1744 wrote to memory of 3980 1744 java.exe 98 PID 1744 wrote to memory of 3980 1744 java.exe 98
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ#-SWMKA-07101.js1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\yIwUYjpjEe.js"2⤵PID:1684
-
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\iwqvdiet.txt"2⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.86438026340789697225838845840499698.class3⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5614013994800070083.vbs4⤵
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5614013994800070083.vbs5⤵PID:3692
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5529500065395076127.vbs4⤵
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5529500065395076127.vbs5⤵PID:1700
-
-
-
C:\Windows\SYSTEM32\xcopy.exexcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e4⤵PID:4980
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe4⤵PID:3980
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD5974d9fca81018bf05d56a52f6f233393
SHA1268e62ac8849b9ba91a6dbc848e9ecbc7184813f
SHA2565302044a14b9c637e080e37e4f92e43bce17f9bf6f0004bad3b2b465dcfc7273
SHA5129e5e3211dee1aa544505e0561a49ac6abe470230c62f9578f83dae202ef372ef2520ab4e0f66e6c95b941387b664d563a80a2f6aaa952b6c62f628991a598bf6
-
Filesize
281B
MD5a32c109297ed1ca155598cd295c26611
SHA1dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA25645bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA51270372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887
-
Filesize
276B
MD53bdfd33017806b85949b6faa7d4b98e4
SHA1f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA2569da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
-
Filesize
241KB
MD5781fb531354d6f291f1ccab48da6d39f
SHA19ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA25697d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA5123e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1809750270-3141839489-3074374771-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c7a2658-1166-4e8e-b7f6-c01b4ff97801
Filesize45B
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize
479KB
MD54d9a717a9d3bb25ed5fd107ec7795e3a
SHA1341ff4f74c807650c0a81ca0c2711caceddbed44
SHA256d4532757afd5774d841e830196ce2d5812f3443785f693d57e5c5d7d4ca3288a
SHA512ca6445a628a057895bd62028a2353a12b008e28b6bcf11d4277ffb18a51c5282bdd74864eb4412512387282dd43b2f5b915f4ec0df8e3f74ba2fab3905a197ce
-
Filesize
857B
MD5a3bec43c6c97fe9cee29df6c15d53244
SHA1e8d7a0e03e2fdc090739a72d30874b6250a78f4a
SHA2567610035671988a2c0373477fd62e6d558a2fbe81e98f3c8f22bc3820731deb76
SHA51283f36cebf942af5349d8c233e05e49259b0c2de891f843816eb60ab225f1ad3bba84d3b6f4e584777e6de1ff9bb0e03669fdaea2581125aa193e4a448d1761ab