Analysis

max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 08:41

Static task: static1
Behavioral task: behavioral1
Sample: transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js
Resource: win7-20220901-en
General

Target: transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js
Size: 113KB
MD5: a3f0fc528a20dbcacfb69e1b69907a4b
SHA1: 400c75cffd7342908c1282b862d3df10d5a95e65
SHA256: 508b21cb602b5a3e9e19eb6ba9e010fb0d4a743d18e4a869063f72e2454324f7
SHA512: 6c750e6f3c53d4bdc1e7c1602c46692ef04143434a76e66ab373a7091c9ddf1816c67dd39106c5db27212eb6a905858677f24ae479f29d6ad1a2ded836b022ae
SSDEEP: 1536:W7KmfMkwheMurpzqwPUSvf0cCF11blV6DmEJMAB/iJuoG2446rTCRLTiR6RccQ:o2Mrqe7C/0vB2uo96/U/XPQ
Malware Config

Signatures

Blocklisted process makes network request (5 IoCs)
  flow | pid  | Process
  4    | 1164 | WScript.exe
  24   | 1164 | WScript.exe
  40   | 1164 | WScript.exe
  44   | 1164 | WScript.exe
  48   | 1164 | WScript.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                          | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | wscript.exe

Drops startup file (2 IoCs)
  description                  | ioc                                                                                      | Process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HzqeCuGMns.js | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HzqeCuGMns.js | WScript.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  description | ioc                                                                                   | Process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | wscript.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  | Process
  4660 | javaw.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                      | pid  | Process     | procid_target
  PID 4644 wrote to memory of 1164 | 4644 | wscript.exe | 83
  PID 4644 wrote to memory of 1164 | 4644 | wscript.exe | 83
  PID 4644 wrote to memory of 4660 | 4644 | wscript.exe | 84
  PID 4644 wrote to memory of 4660 | 4644 | wscript.exe | 84
Processes

C:\Windows\system32\wscript.exe (PID 4644)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\transaction-statement_632ac8d3-e96d-a443-8227-db1e5339fb8c_de-de_381b3d.js
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe (PID 1164, child of 4644)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HzqeCuGMns.js"
    - Blocklisted process makes network request
    - Drops startup file

  C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 4660, child of 4644)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bzjupikerj.txt"
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 5KB
MD5: 7d8cc50c80e29db13ca0032d3e00a56d
SHA1: d8d138717093b67b4d6205234c82a6fe4f801429
SHA256: 0ff424c14ee63e81e35e1431f9b5636b2bfe1e6f49e8fc5650260e9806f3402b
SHA512: b1f2d71401d7d4cdc4bf55569c04b1ea2c49097bacd04b2bc24c0e84bfd6bd418ffb4aeadd171032944aaf1ac94c5b868bf9924ffe0e84fa60866c9e8b583b1c

Filesize: 51KB
MD5: c1783ea3118978252aa6c8891d0ea61c
SHA1: 9986142768fd83fb445f8ac6dfd196aba3fb3139
SHA256: 23b78abed63ac1a61a43873aa4bc168f30a4bef0e1fa9132a89f479c02805855
SHA512: 6a22b6683589c981eaa8d1aad2bfaffc06789ec9671b3a6ec6b7279f4fcbaf6d2c1b1bf8ed3ffb047a86e711294d66b532d313805b4973566afd27b2fc182006