Analysis

Max time kernel: 294s
Max time network: 300s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17/08/2022, 17:31

Static task: static1
Behavioral task: behavioral1
Sample: TRANSFERENCIA $112987.17.js
Resource: win7-20220812-en
General

Target: TRANSFERENCIA $112987.17.js
Size: 50KB
MD5: fec5ad2c4cd364f6780813e4170d43d5
SHA1: b7ce2fb648f9cbf7fd69a16f083599bfe5511d53
SHA256: 5dfaea003a9b484fad723fc13f79303169e4c8f2f414a4ee0ef187f7ebd0aac9
SHA512: bfa44ffc12478a1bb12266e8a00ff912def28f321a1eaa400c0cec730f2aacfb97e78822b33f5ad436421e1aa8e170c0da3da01ad646a59f466b0cd04dae4838
Malware Config
Signatures
Blocklisted process makes network request (61 IoCs)

Network flows per process (flow, pid, Process):
PID 2172 (wscript.exe): flow 5
PID 4944 (wscript.exe): flows 10, 13, 15, 23, 27, 30, 40, 46, 48, 50, 52, 54, 55, 57, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94
PID 4844 (wscript.exe): flows 11, 12, 14, 22, 26, 29, 39, 45, 51, 56, 59, 61, 63, 65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.

description / ioc / Process:
Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (wscript.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file (4 IoCs)

description / ioc / Process:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js (wscript.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js (wscript.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (4 IoCs)

description / pid / Process / procid_target:
PID 2172 wrote to memory of 4944: pid 2172, wscript.exe, procid_target 83
PID 2172 wrote to memory of 4944: pid 2172, wscript.exe, procid_target 83
PID 4944 wrote to memory of 4844: pid 4944, wscript.exe, procid_target 84
PID 4944 wrote to memory of 4844: pid 4944, wscript.exe, procid_target 84
Processes

C:\Windows\system32\wscript.exe (PID 2172)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA $112987.17.js"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (PID 4944)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jQCWVHjWAA.js"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe (PID 4844)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
      - Blocklisted process makes network request
      - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
Filesize: 6KB
MD5: a542a21ecaba36f6ba8c6457b8ab67f9
SHA1: 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
SHA256: bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
SHA512: 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a

File 2
Filesize: 26KB
MD5: 1f7855c87513cf8d9f4b5319445865cf
SHA1: a73d48e0da18067c2e943da97c45acb679e18139
SHA256: b386904566434edecd5319ebe730f8c5ecd05d8003eaf8b695cc771aa17c2579
SHA512: 41eb3f05e08fa6b878b1a8ffa90cba44756be53ea09d00c63425ba176f1bef31dc677caea99acfb2e6298403efaae1af4e71ea5a7fe29158a9c0510bfee022a9