Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
15-08-2022 16:01
Static task
static1
Behavioral task
behavioral1
Sample
TRANSFERENCIA $112987.17.js
Resource
win7-20220812-en
General
-
Target
TRANSFERENCIA $112987.17.js
-
Size
14KB
-
MD5
eebdb2830ae3a8d54b21ef656b5f0666
-
SHA1
ccad487426e12ea32493045cc2dfcbf52377ca32
-
SHA256
1be2dc60fc190fa24ace0773da07977373d850d51766614a784219ae44e462a7
-
SHA512
ecaf8446de9d88089b87f16b149e24f27feea03eae1e2697a2bd54a557d3031aea1e2aeaaec25b63aa65b78359c3b104c3a3ac0f8713a751a3d6e10938dd47ff
Malware Config
Signatures
-
Blocklisted process makes network request 15 IoCs
Processes:
wscript.exewscript.exeflow pid process 8 3976 wscript.exe 10 1356 wscript.exe 11 1356 wscript.exe 13 1356 wscript.exe 14 1356 wscript.exe 17 1356 wscript.exe 18 1356 wscript.exe 21 1356 wscript.exe 24 1356 wscript.exe 27 1356 wscript.exe 28 1356 wscript.exe 29 1356 wscript.exe 30 1356 wscript.exe 31 1356 wscript.exe 32 1356 wscript.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HnQAZClRMy.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HnQAZClRMy.js wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
wscript.exedescription pid process target process PID 3976 wrote to memory of 1356 3976 wscript.exe wscript.exe PID 3976 wrote to memory of 1356 3976 wscript.exe wscript.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA $112987.17.js"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HnQAZClRMy.js"2⤵
- Blocklisted process makes network request
- Drops startup file
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\HnQAZClRMy.jsFilesize
6KB
MD51328ea72158d920e1e2f7c30285d564a
SHA1b76c06051f561638731d7a300abeddff2a1a9246
SHA256b576844a45f963b8222a07e75bda407c1488df6ffe776fc31a3df7ead3c5ad3b
SHA512b4aa3c82b7a4db86610011beddf26ef2fe5410bbbf882159247f8e4a891ef2fa31777fd605ce3ed6b74f1fe62bf179162e9bdead0fbed068ea1b5d83801efeee
-
memory/1356-132-0x0000000000000000-mapping.dmp