Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-03-2023 06:41
Static task: static1
Behavioral task: behavioral1
- Sample: Contract Tender.js
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Contract Tender.js
- Resource: win10v2004-20230220-en
General
- Target: Contract Tender.js
- Size: 345KB
- MD5: 74a8701c0a76d1fdaccbb6a39ac3a427
- SHA1: 96578577dd9d2063b257f7b43d735792cc84e4c1
- SHA256: 0419649389ae3389a8133907858ff7844f5b9130755d21f649a1f594990e85d5
- SHA512: 9f5c9cc8780e5d678cc975126e4586f367a67231fe80400c58b155f7fecd12bc43fc1fb14d9e12db65a4d8dfba7a725dce317e1fa1730f52ec6675e58b7f79a9
- SSDEEP: 6144:GQFQhWlP6ek95bcGCnhj21THlnII0pDI8he7v+qlJ5/Qceq5rEd6JDpu6Bz68:N2clP6obkT9L0pDk+qbS6LB5
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation
  process: wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  description: PID 4340 wrote to memory of 4148; pid: 4340; process: wscript.exe; procid_target: 87
  description: PID 4340 wrote to memory of 4148; pid: 4340; process: wscript.exe; procid_target: 87
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Contract Tender.js"
   PID: 4340
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\wqfhurrqhv.txt"
      PID: 4148
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 164KB
- MD5: 3834513023ec311a08f09b81a3b13fb8
- SHA1: cb2faf30e64be67532aa01a59480052a2438ded6
- SHA256: 7b43f6ba187bf62f37f43374ef60808601cd187f5796e97458d15954f50c619b
- SHA512: 7fbf3b5b180fc0427cd641810806ebbb0e6c8fb710faf15bbf579af9fa668ed8257ea011e27b73cf3921f0714c0ad82d1be3eed3729319396017592d5f6df859