Analysis
  Max time kernel: 149s
  Max time network: 152s
  Platform: windows10-2004_x64
  Resource: win10v2004-20220812-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 10/10/2022, 09:11
  Static task: static1
  Behavioral task: behavioral1
  Sample: Inquiry - P.O# 01048.js
  Resource: win7-20220812-en
General
  Target: Inquiry - P.O# 01048.js
  Size: 18KB
  MD5: 1970cfc97fe91d9565f7360520b254ac
  SHA1: 6aab77218504a02b60333cc1b6d4385f3eef4ddd
  SHA256: ee4fe0e9b80548010efafc805070d10302444cd4c3cda5d320c07abfc4bf0cba
  SHA512: ad4a80ee806f6ddf5f2b8384d24f62290e84cd0572a0482e8c39b1153af8f12c2938acf10e0ea3e02f07dc929defd2916e550939505bf891e5e8db1a0f6c58ea
  SSDEEP: 384:GFc+6G3dqKh16bpOGGRjKIbWqMsu+dv9Dv+QM3F:GqLPo6gRjnMstDGQM3F
Malware Config
  Extracted: vjw0rm
  http://185.222.57.147:1989
Signatures

Blocklisted process makes network request (7 IoCs)
  flow | pid  | Process
  4    | 4028 | wscript.exe
  6    | 2220 | wscript.exe
  19   | 2220 | wscript.exe
  32   | 2220 | wscript.exe
  34   | 2220 | wscript.exe
  36   | 2220 | wscript.exe
  37   | 2220 | wscript.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description       | ioc                                                                                                         | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe

Drops startup file (2 IoCs)
  description                  | ioc                                                                                      | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JyYkfwNuDh.js | wscript.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JyYkfwNuDh.js | wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (2 IoCs)
  description                      | pid  | Process     | procid_target
  PID 4028 wrote to memory of 2220 | 4028 | wscript.exe | 82
  PID 4028 wrote to memory of 2220 | 4028 | wscript.exe | 82
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Inquiry - P.O# 01048.js"
   PID: 4028
   - Blocklisted process makes network request
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JyYkfwNuDh.js"
      PID: 2220
      - Blocklisted process makes network request
      - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 5KB
  MD5: 895bcda898dfd53568e6ece9575c6cae
  SHA1: 4d2b8293cc6e7b73d2c6ec215a97b7cf97b8389e
  SHA256: 374ef5ace54b2820db0b0e4d059425f29dff35df65e976a6d7b7a83c52d30fa5
  SHA512: ee10d14aa34cfbeb5124d3bc18b597ee2d2bcec799d96b9775d14ac2645b1a468377c6c8f1ff0c793fdb21132982e9b853643ac1f3293d6c0218985347ae98dd