Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/08/2022, 15:31
Static task: static1
Behavioral task: behavioral1
Sample: jQCWVHjWAA.js
Resource: win7-20220812-en
General
- Target: jQCWVHjWAA.js
- Size: 26KB
- MD5: 1f7855c87513cf8d9f4b5319445865cf
- SHA1: a73d48e0da18067c2e943da97c45acb679e18139
- SHA256: b386904566434edecd5319ebe730f8c5ecd05d8003eaf8b695cc771aa17c2579
- SHA512: 41eb3f05e08fa6b878b1a8ffa90cba44756be53ea09d00c63425ba176f1bef31dc677caea99acfb2e6298403efaae1af4e71ea5a7fe29158a9c0510bfee022a9
Malware Config
Signatures
- Blocklisted process makes network request (34 IoCs)
  flow  pid   Process
  6     4480  wscript.exe
  7     3116  wscript.exe
  11    3116  wscript.exe
  12    4480  wscript.exe
  13    4480  wscript.exe
  14    3116  wscript.exe
  15    3116  wscript.exe
  16    4480  wscript.exe
  25    4480  wscript.exe
  26    3116  wscript.exe
  27    4480  wscript.exe
  28    3116  wscript.exe
  31    4480  wscript.exe
  32    3116  wscript.exe
  36    4480  wscript.exe
  37    3116  wscript.exe
  38    4480  wscript.exe
  39    3116  wscript.exe
  40    4480  wscript.exe
  41    3116  wscript.exe
  42    4480  wscript.exe
  43    3116  wscript.exe
  44    4480  wscript.exe
  45    3116  wscript.exe
  46    4480  wscript.exe
  47    3116  wscript.exe
  48    4480  wscript.exe
  49    3116  wscript.exe
  50    4480  wscript.exe
  51    3116  wscript.exe
  52    4480  wscript.exe
  53    3116  wscript.exe
  54    4480  wscript.exe
  55    3116  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation  wscript.exe
- Drops startup file (4 IoCs)
  description                   ioc                                                                                        Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js  wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   Process      procid_target
  PID 3116 wrote to memory of 4480  3116  wscript.exe  81
  PID 3116 wrote to memory of 4480  3116  wscript.exe  81
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\jQCWVHjWAA.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID: 3116
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
    - Blocklisted process makes network request
    - Drops startup file
    PID: 4480
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 6KB
  MD5: a542a21ecaba36f6ba8c6457b8ab67f9
  SHA1: 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
  SHA256: bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
  SHA512: 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a