Analysis
  max time kernel:  143s
  max time network: 152s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220812-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        10/10/2022, 11:16
Static task: static1
Behavioral task: behavioral1
  Sample:   DP1010.js
  Resource: win7-20220812-en
General
  Target: DP1010.js
  Size:   462KB
  MD5:    fbed7e5f3d4312ba715856597ca55060
  SHA1:   8b047a323041693ad29f3eb3c56653c2d6630356
  SHA256: 319372731b242e6a2e7b2e159c2272c34dba4f9af69691d7b887df75353f3823
  SHA512: a9ab7cdd172639eea6076aafe3801f25f67e78a0072b6b5083c9573a030e03a625dc01600a2039fb27486720ff23969368f46b4104288ad3fd32fac149eda750
  SSDEEP: 6144:kJU4h6FzMe3n2xL/l5EMmPfkScu+zbDbMINH8erNLnDQHQOiHWHtTXjRhcHybCh2:kJUAyobEMmPfkScu80ibhJy+HhLjGrV
Malware Config

Signatures

Blocklisted process makes network request (6 IoCs)
  flow  pid   Process
  9     4904  wscript.exe
  23    4904  wscript.exe
  42    4904  wscript.exe
  45    4904  wscript.exe
  48    4904  wscript.exe
  49    4904  wscript.exe

Executes dropped EXE (1 IoC)
  pid   Process
  4572  fireblende.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                             Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  wscript.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                    Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iNFyCMUHlt.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iNFyCMUHlt.js  wscript.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Sandbox heuristic text; no IoC rows are listed for this signature.)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  4572  fireblende.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                          pid   Process      procid_target
  PID 4424 wrote to memory of 4904     4424  wscript.exe  82
  PID 4424 wrote to memory of 4904     4424  wscript.exe  82
  PID 4424 wrote to memory of 4572     4424  wscript.exe  84
  PID 4424 wrote to memory of 4572     4424  wscript.exe  84
  PID 4424 wrote to memory of 4572     4424  wscript.exe  84
Processes

  C:\Windows\system32\wscript.exe  (PID 4424)
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\DP1010.js
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    |
    +-- C:\Windows\System32\wscript.exe  (PID 4904)
    |     command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\iNFyCMUHlt.js"
    |     - Blocklisted process makes network request
    |     - Drops startup file
    |
    +-- C:\Users\Admin\AppData\Local\Temp\fireblende.exe  (PID 4572)
          command line: "C:\Users\Admin\AppData\Local\Temp\fireblende.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
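The chain above (a script host that writes a second .js into the Startup folder, relaunches it with //B, queries Geo\Nation, makes network requests, and starts an EXE from %TEMP%) is what a triage script should be able to pick out of normalised sandbox or EDR telemetry. The following is an added example, not code from the sandbox or its report: the event records are constructed to mirror the pids, paths and registry key shown in this report, and the record schema (dicts with an "event" field, a placeholder ppid 1000 for the first wscript.exe) is an assumption of the example rather than the sandbox's export format.

```python
"""Triage check for the wscript.exe -> Startup .js -> dropped EXE chain.

Added example; not part of the sandbox report or its tooling. The event
records are constructed to mirror the pids, paths and registry key in the
report; the record schema (dicts with an "event" field) is an assumed
normalised form, not the sandbox's own export format.
"""
import ntpath
import re
from collections import defaultdict

STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed records; ppid 1000 for the first wscript.exe is a placeholder.
EVENTS = [
    {"event": "process", "pid": 4424, "ppid": 1000,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\DP1010.js"},
    {"event": "process", "pid": 4904, "ppid": 4424,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\iNFyCMUHlt.js"'},
    {"event": "process", "pid": 4572, "ppid": 4424,
     "image": r"C:\Users\Admin\AppData\Local\Temp\fireblende.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\fireblende.exe"'},
    {"event": "registry_query", "pid": 4424,
     "key": r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"event": "file_create", "pid": 4904,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
             r"\Programs\Startup\iNFyCMUHlt.js"},
] + [{"event": "network", "pid": 4904, "flow": f} for f in (9, 23, 42, 45, 48, 49)]


def _cmdline_args(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def triage(events):
    """Return {finding: sorted pids} for the behaviours the report flags."""
    procs = {e["pid"]: e for e in events if e["event"] == "process"}
    findings = defaultdict(set)

    def image_name(pid):
        return ntpath.basename(procs[pid]["image"]).lower() if pid in procs else ""

    startup_names = set()
    for e in events:
        pid, name = e["pid"], image_name(e["pid"])
        if e["event"] == "process":
            # Script host run with //B (batch mode: no prompts, no script errors shown)
            if name in SCRIPT_HOSTS and "//b" in e["cmdline"].lower():
                findings["script_host_silent_batch"].add(pid)
            # Non-script-host child of a script host whose image lives under %TEMP%
            if (image_name(e["ppid"]) in SCRIPT_HOSTS and name not in SCRIPT_HOSTS
                    and TEMP_RE.search(e["image"])):
                findings["script_host_runs_dropped_exe"].add(pid)
        elif e["event"] == "file_create" and STARTUP_RE.search(e["path"]):
            findings["startup_folder_persistence"].add(pid)
            startup_names.add(ntpath.basename(e["path"]).lower())
        elif e["event"] == "registry_query" and GEO_NATION_RE.search(e["key"]):
            findings["geo_nation_lookup"].add(pid)
        elif e["event"] == "network" and name in SCRIPT_HOSTS:
            findings["script_host_network"].add(pid)

    # Correlation: the Startup copy carries the same name as a script that a
    # host is already running from elsewhere (here %APPDATA%\iNFyCMUHlt.js).
    for pid, p in procs.items():
        if image_name(pid) in SCRIPT_HOSTS:
            args = _cmdline_args(p["cmdline"])
            if any(ntpath.basename(a).lower() in startup_names for a in args):
                findings["startup_script_already_running"].add(pid)

    return {k: sorted(v) for k, v in findings.items()}


def script_host_flows(events):
    """Count network flows per script-host pid."""
    procs = {e["pid"]: e for e in events if e["event"] == "process"}
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "network" and e["pid"] in procs:
            if ntpath.basename(procs[e["pid"]]["image"]).lower() in SCRIPT_HOSTS:
                counts[e["pid"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding, pids in sorted(triage(EVENTS).items()):
        print(f"{finding:34s} {pids}")
    print("script host flows:", script_host_flows(EVENTS))
```

Each check maps to one signature in the report, and the last correlation ties the persistence artifact to the running process: a script host launched silently from %APPDATA% whose script name also turns up in the Startup folder is a stronger signal than either event alone. On real telemetry, key the process lookup on (pid, start time) rather than pid alone, since pids are reused.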
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize: 252KB
  MD5:      f5eeb7b7ec72a813286f53d736c9f78a
  SHA1:     ce5cf9aef07eeb0f8dfaec7bb708540572a0d7e9
  SHA256:   19f029efa58192c3659eae9ff4e2a19968048d1c0a0f0247ac044c23ca4d8358
  SHA512:   4528a0dbe9f9a2068086d7a2193fd10c81774f6e30c857fb60cb284387613aa5350845a81b74d5b9e37c1d9cd4058fe2b73b451efbfdc452f97d757ff16d14e9

  Filesize: 252KB
  MD5:      f5eeb7b7ec72a813286f53d736c9f78a
  SHA1:     ce5cf9aef07eeb0f8dfaec7bb708540572a0d7e9
  SHA256:   19f029efa58192c3659eae9ff4e2a19968048d1c0a0f0247ac044c23ca4d8358
  SHA512:   4528a0dbe9f9a2068086d7a2193fd10c81774f6e30c857fb60cb284387613aa5350845a81b74d5b9e37c1d9cd4058fe2b73b451efbfdc452f97d757ff16d14e9

  Filesize: 5KB
  MD5:      8a0de3cb189e9f7611b73438796e43ba
  SHA1:     73684c9be5b1992510c4e0a8d3b70137a2efd207
  SHA256:   ce31a6b170ccb2670e50cc95c292923cde1aff9ea1bbf6d64c9f2d6338991899
  SHA512:   8c92d8cc47f356b48020bbbfe17dafc9e9420f08b3bfa43b53ef7d3afc129282bc5248db5115202ff58c424c5c5c417271382d5e33ab305d5d550f4165346ac2