Analysis
Max time kernel: 144s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23/09/2022, 13:40
Static task: static1
Behavioral task: behavioral1
Sample: Statement Power Metre SRL.js
Resource: win7-20220901-en
General
Target: Statement Power Metre SRL.js
Size: 117KB
MD5: 911a689ab23a99b27ec0a41df25dc1b2
SHA1: f78334182a6c6af188f996c215ea7b48bb4043ea
SHA256: 6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b
SHA512: b0ef082316a219063c26aa92f2adb914fd0ec3648531d9fa0d3082ad13762f3cdedec91b85e936ed6da7bebf227de6f63e8bc10949b059961d1db7beb7517a6d
SSDEEP: 1536:Exy5MbAav/s5Aj6hQDvY1lnpFjPdTtiS7b2Piz4KBVmNBs3lt66hS5LmFf3:9s/ujSvaJPDjYiXVDloI0I3
Malware Config
Signatures
Blocklisted process makes network request (16 IoCs)
  flow                                                           pid   Process
  5, 7, 19, 33, 34, 37, 38, 40, 41, 42, 44, 45, 46, 47, 48, 49   5024  WScript.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  pid  Process
  860  dl3025944341293021328888936654.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  wscript.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                             Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js  WScript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js  WScript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description  ioc                                                                              Process
  Key created  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings  wscript.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  860  dl3025944341293021328888936654.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  4604  javaw.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process      procid_target
  PID 4972 wrote to memory of 5024  4972  wscript.exe  80
  PID 4972 wrote to memory of 5024  4972  wscript.exe  80
  PID 4972 wrote to memory of 4604  4972  wscript.exe  81
  PID 4972 wrote to memory of 4604  4972  wscript.exe  81
  PID 4604 wrote to memory of 860   4604  javaw.exe    84
  PID 4604 wrote to memory of 860   4604  javaw.exe    84
  PID 4604 wrote to memory of 860   4604  javaw.exe    84
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Statement Power Metre SRL.js"
   PID: 4972
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WScript.exe (child of PID 4972)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"
      PID: 5024
      - Blocklisted process makes network request
      - Drops startup file

   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (child of PID 4972)
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qtkykjur.txt"
      PID: 4604
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe (child of PID 4604)
         Command line: C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe
         PID: 860
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
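The chain above (a script host relaunching a second .js from AppData\Roaming, javaw.exe run with -jar against a .txt file, a dropped .exe started from Temp, the Geo\Nation registry lookup, and the .js written to the Startup folder) is the kind of behaviour to encode as host-telemetry detections rather than hash IoCs. The Python below is an added example, not part of the Triage report or the sample: it runs five narrow heuristics over constructed Sysmon-style process, registry and file events that mirror the PIDs, paths and command lines in this report (the event field names and the explorer.exe parent of the first wscript.exe are assumptions), plus one constructed benign control, and reports which rules fire.

```python
"""Heuristics for the execution chain in this report, run over constructed
Sysmon-style events. Added example, not part of the Triage output or the sample."""
import re
from pathlib import PureWindowsPath

# Constructed events mirroring the report's process tree, registry query and
# startup-folder drop. Field names (type/pid/image/parent_image/cmdline/key/path)
# are an assumption for this example, not Triage's or Sysmon's schema.
EVENTS = [
    {"type": "process", "pid": 4972, "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",  # parent assumed; not in the report
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Statement Power Metre SRL.js"'},
    {"type": "registry", "pid": 4972, "image": r"C:\Windows\system32\wscript.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 5024, "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"'},
    {"type": "file", "pid": 5024, "image": r"C:\Windows\System32\WScript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js"},
    {"type": "process", "pid": 4604, "image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qtkykjur.txt"'},
    {"type": "process", "pid": 860,
     "image": r"C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe",
     "parent_image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\dl3025944341293021328888936654.exe"},
    # Constructed benign control: a real .jar launched from Explorer must not fire.
    {"type": "process", "pid": 7000, "image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\dev\app.jar"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
# A script-host argument under AppData\Roaming with a script extension (quoted or not).
ROAMING_SCRIPT = re.compile(r'\\appdata\\roaming\\[^"\s]*\.(?:js|jse|vbs|vbe|wsf|hta)(?:"|\s|$)')
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def basename(path):
    return PureWindowsPath(path).name.lower()


def jar_argument(cmdline):
    """Return the file passed to -jar (quoted or unquoted), or None."""
    m = JAR_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def detect(events):
    """Yield (rule, pid, detail) for every event that matches a heuristic."""
    for e in events:
        img = basename(e["image"])
        if e["type"] == "process":
            if img in SCRIPT_HOSTS and ROAMING_SCRIPT.search(e["cmdline"].lower()):
                yield ("script_host_runs_roaming_script", e["pid"], e["cmdline"])
            if img in JAVA_LAUNCHERS:
                jar = jar_argument(e["cmdline"])
                # In this report: -jar against qtkykjur.txt, a JAR behind a .txt name.
                if jar and PureWindowsPath(jar).suffix.lower() != ".jar":
                    yield ("java_jar_with_disguised_extension", e["pid"], jar)
            if (basename(e["parent_image"]) in JAVA_LAUNCHERS
                    and "\\appdata\\local\\temp\\" in e["image"].lower()
                    and img.endswith(".exe")):
                yield ("java_spawns_exe_from_temp", e["pid"], e["image"])
        elif e["type"] == "registry":
            # Geo\Nation is read by plenty of legitimate software; scope to script hosts.
            if img in SCRIPT_HOSTS and e["key"].lower().endswith(
                    "\\control panel\\international\\geo\\nation"):
                yield ("script_host_geofence_lookup", e["pid"], e["key"])
        elif e["type"] == "file":
            p = e["path"].lower()
            if "\\start menu\\programs\\startup\\" in p and PureWindowsPath(p).suffix in SCRIPT_EXTS:
                yield ("script_dropped_in_startup_folder", e["pid"], e["path"])


def triggered_rules(events=EVENTS):
    """Distinct rule names fired by the event set, sorted for stable comparison."""
    return sorted({rule for rule, _, _ in detect(events)})


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:36} pid={pid:<5} {detail}")
```

Each rule is kept narrow on purpose: the Geo\Nation read only fires for wscript.exe/cscript.exe because locale-aware applications read that value legitimately, the -jar rule keys on the argument's extension rather than on javaw.exe itself, and the Temp-executable rule requires a Java launcher as parent. The benign control event exercises the -jar and parent checks without firing anything.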
Network
MITRE ATT&CK Enterprise v6
Downloads
Download 1 (this entry appears twice in the report)
  Filesize: 7KB
  MD5: 2febb58744b8f59fe8fcdce3bd4f4aa8
  SHA1: 629cf9935873f774f9c3115a59109253ece7cd00
  SHA256: b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
  SHA512: 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

Download 2
  Filesize: 51KB
  MD5: 1d6cb5a374117999329351e6f28268e3
  SHA1: a08e5a413f3febe7def2dff25717cbfe16b315b5
  SHA256: cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd
  SHA512: 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51

Download 3
  Filesize: 6KB
  MD5: aeea41deb4363e0a23003555ffc0ada1
  SHA1: c1fc845800ef733bfd2886bceba15ed4ec19bbdb
  SHA256: e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e
  SHA512: bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823