Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 10/10/2022, 09:11

Static task: static1
Behavioral task: behavioral1
Sample: Inquiry - P.O# 01048.js
Resource: win7-20220812-en
General
- Target: Inquiry - P.O# 01048.js
- Size: 18KB
- MD5: 1970cfc97fe91d9565f7360520b254ac
- SHA1: 6aab77218504a02b60333cc1b6d4385f3eef4ddd
- SHA256: ee4fe0e9b80548010efafc805070d10302444cd4c3cda5d320c07abfc4bf0cba
- SHA512: ad4a80ee806f6ddf5f2b8384d24f62290e84cd0572a0482e8c39b1153af8f12c2938acf10e0ea3e02f07dc929defd2916e550939505bf891e5e8db1a0f6c58ea
- SSDEEP: 384:GFc+6G3dqKh16bpOGGRjKIbWqMsu+dv9Dv+QM3F:GqLPo6gRjnMstDGQM3F
Malware Config
Extracted
- Family: vjw0rm
- C2: http://185.222.57.147:1989
Signatures
- Blocklisted process makes network request (6 IoCs)
  flow  pid   Process
  6     1668  wscript.exe
  7     2040  wscript.exe
  9     1668  wscript.exe
  13    1668  wscript.exe
  17    1668  wscript.exe
  21    1668  wscript.exe
- Drops startup file (2 IoCs)
  description                   ioc                                                                                      Process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JyYkfwNuDh.js  wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JyYkfwNuDh.js  wscript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process      procid_target
  PID 2040 wrote to memory of 1668  2040  wscript.exe  28
  PID 2040 wrote to memory of 1668  2040  wscript.exe  28
  PID 2040 wrote to memory of 1668  2040  wscript.exe  28
Processes
- C:\Windows\system32\wscript.exe (PID 2040)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Inquiry - P.O# 01048.js"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\wscript.exe (PID 1668)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JyYkfwNuDh.js"
    - Blocklisted process makes network request
    - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 5KB
  MD5: 895bcda898dfd53568e6ece9575c6cae
  SHA1: 4d2b8293cc6e7b73d2c6ec215a97b7cf97b8389e
  SHA256: 374ef5ace54b2820db0b0e4d059425f29dff35df65e976a6d7b7a83c52d30fa5
  SHA512: ee10d14aa34cfbeb5124d3bc18b597ee2d2bcec799d96b9775d14ac2645b1a468377c6c8f1ff0c793fdb21132982e9b853643ac1f3293d6c0218985347ae98dd