Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/09/2022, 18:28
Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order____________pdf.js
Resource: win7-20220812-en
General
Target: Purchase Order____________pdf.js
Size: 117KB
MD5: 130fe2e5e4dfbd03e161a332ce14cebe
SHA1: 89a0f599416dd6f9b75058e32ac542edbc7ff108
SHA256: a1aa91a1ae489d8be807999d3b7a8bc8b10794063d763d06667384ae6152e720
SHA512: 4366e5e84e77b850389bedd9c57787f07289471cd8e7c31ea8ffd6b48fb2f41664838ff87276370933d6a6ba8a74b1135d99068958516be7f8821b672e3ee818
SSDEEP: 1536:NG347n0iT37jLbtB+3NABd7+2rCSmKO+e5JZTDRc+cMw4xl5hY6/QO7STboOhGrW:yiT3fj+38XeTP5Wuj/97m0INcw
Malware Config
Signatures
Blocklisted process makes network request (6 IoCs)
flow  pid   Process
5     4660  WScript.exe
42    4660  WScript.exe
60    4660  WScript.exe
65    4660  WScript.exe
66    4660  WScript.exe
67    4660  WScript.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
Process: wscript.exe
Drops startup file (2 IoCs)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nbrkkMGeYq.js
Process: WScript.exe

description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nbrkkMGeYq.js
Process: WScript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings
Process: wscript.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid  Process
856  javaw.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description                          pid   Process      procid_target
PID 5024 wrote to memory of 4660     5024  wscript.exe  84
PID 5024 wrote to memory of 4660     5024  wscript.exe  84
PID 5024 wrote to memory of 856      5024  wscript.exe  85
PID 5024 wrote to memory of 856      5024  wscript.exe  85
Processes
C:\Windows\system32\wscript.exe
  command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order____________pdf.js"
  PID: 5024
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nbrkkMGeYq.js"
      PID: 4660
      - Blocklisted process makes network request
      - Drops startup file
    C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\uvuegptgct.txt"
      PID: 856
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 6KB
MD5: a9238779333b1aea96970177b647723b
SHA1: 8f5ee4d7b77ff3b00473ed0acbf33fe7c72f3b76
SHA256: 9575923c7e3fe773ed3a5a0e9527d14d7e0ac80f57ea817cd079b392191e81b3
SHA512: 825127d06be4413db342e968b24d73c2bd552eca3a3a87489b0f4bc53d02ccfa0bf0a9fff42b2d87295ac629e598eec7d47dfb618daedad877710bd8719b4674

Filesize: 51KB
MD5: df91a24b4385f63e96878f62cc9257a0
SHA1: e91ccdbb6122256b89b652ab65dc2d3411f442c4
SHA256: 11a49b8ff72f776e7565eba69e17ae09bee0aa51dd7c66ae6874bed08f2f6e08
SHA512: 179b4886ccbb6ecbbb9fa54c2516709d44cb5f1a710369321b615c22ecc4a7b4101119063654060243a742b4a5605d5dce994d10076802cd3089399eaf44b090