Analysis

max time kernel: 93s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-09-2024 05:34

Static task: static1
Behavioral task: behavioral1
Sample: RFQPOKMM7983972ORDERDETAILS.js
Resource: win7-20240903-en
General

Target: RFQPOKMM7983972ORDERDETAILS.js
Size: 4.6MB
MD5: cd0f549f054ceab42921cf3979164fcd
SHA1: a4045303bdb5b2e5e32e515a29dd3f43fc2cd4c3
SHA256: 0c3672c680c56eb694c95914c7ea78a7fd0667c8b88c02c9b0b988cb520c3983
SHA512: dd614ea2258f39e989922ef48d380cf4530c5f9bd69e724d955f2f5b256a2cdbb7b8c8a9f1e925329553720573f2c4f3b9321b65fbc45e58a5495c562b150f3f
SSDEEP: 49152:Dy0k7Tbm+wKoJjMRRfQTr95R5NDE97TydtK1B0v3qyPAmYEHgdkgJWyLJe/BG0PF:d
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (process: wscript.exe)

Executes dropped EXE (1 IoC)
  PID 2432: x.exe

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  Resource: behavioral2/files/0x0008000000023463-4.dat, YARA rule: autoit_exe

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 936 (WerFault.exe) handled a crash of target PID 2432 (x.exe), procid_target 84

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: x.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1564 (wscript.exe) wrote to memory of PID 2432 (x.exe), procid_target 84; logged three times, one entry per call
  PID 2432 (x.exe) wrote to memory of PID 956 (svchost.exe), procid_target 85; logged three times, one entry per call
The second pair is the one to look at: x.exe writes into an svchost.exe it created, and the Processes section below shows that svchost.exe was started with x.exe's own command line.
Processes

C:\Windows\system32\wscript.exe (PID 1564)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQPOKMM7983972ORDERDETAILS.js
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\x.exe (PID 2432), child of PID 1564
    Command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe (PID 956), child of PID 2432
      Command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
      Note: the mapped image (svchost.exe) does not match the program named on the command line (x.exe), and the parent wrote to this process's memory. That image/command-line mismatch is the classic indicator of process hollowing, i.e. a legitimate host started suspended and overwritten with the payload.

    C:\Windows\SysWOW64\WerFault.exe (PID 936), child of PID 2432
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 740
      Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 4084)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2432 -ip 2432
  (the -p 2432 argument ties this instance to the crash of x.exe as well)
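The checks below are an added example, not code from this report or from the sandbox: they re-derive three of the report's observations (script host dropping a PE into %TEMP%, the svchost.exe image/command-line mismatch, and WerFault's link back to the crashed PID) from a process-creation log. The events are constructed from the process tree above (PIDs, image paths and command lines copied from it); the parent PIDs the report does not show are set to 0, and the Sysmon-style field names are an assumption rather than any export format of the sandbox.

```python
"""Behavioural triage over the process tree of a sandbox run.

Added example, not the sandbox's own code.  EVENTS is constructed from the
process tree in the report: image paths, PIDs and command lines are copied
from it; parent PIDs the report does not show are set to 0 (assumed), and
the field names imitate Sysmon Event ID 1 (also assumed).
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable actually mapped
    cmdline: str    # command line the process was created with


EVENTS = [
    ProcEvent(1564, 0, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQPOKMM7983972ORDERDETAILS.js"),
    ProcEvent(2432, 1564, r"C:\Users\Admin\AppData\Local\Temp\x.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\x.exe"'),
    ProcEvent(956, 2432, r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\x.exe"'),
    ProcEvent(936, 2432, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 740"),
    ProcEvent(4084, 0, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2432 -ip 2432"),
]

Finding = Tuple[str, int, object]  # (rule name, pid, detail)


def first_token(cmdline: str) -> str:
    """Program token of a Windows command line, honouring a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def werfault_target(cmdline: str) -> Optional[int]:
    """WerFault.exe names the crashed process as '-p <pid>' in both the -u and -pss forms."""
    toks = cmdline.split()
    for i, t in enumerate(toks):
        if t == "-p" and i + 1 < len(toks) and toks[i + 1].isdigit():
            return int(toks[i + 1])
    return None


def lineage(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from the top-most known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def analyse(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: a script host starts a PE that lives in a user-writable
        # directory (the wscript.exe -> %TEMP%\x.exe step of this report).
        if (parent and basename(parent.image) in SCRIPT_HOSTS
                and any(d in e.image.lower() for d in USER_WRITABLE)):
            findings.append(("script_host_spawns_user_writable_exe", e.pid, basename(parent.image)))
        # Rule 2: the mapped image and the command line name different programs.
        # A genuine svchost.exe is never started with another binary's command
        # line; this is the usual process-hollowing indicator.
        if basename(e.image) != basename(first_token(e.cmdline)):
            findings.append(("image_cmdline_mismatch", e.pid, first_token(e.cmdline)))
        # Rule 3: tie every WerFault.exe instance back to the process that crashed.
        if basename(e.image) == "werfault.exe":
            target = werfault_target(e.cmdline)
            if target is not None:
                findings.append(("crash_report_for_pid", e.pid, target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:40} pid={pid:<5} {detail}  lineage={' > '.join(lineage(EVENTS, pid))}")
```

Run as-is it reports one hit per rule: x.exe (PID 2432) for the script-host rule, svchost.exe (PID 956) for the mismatch rule, and both WerFault instances resolving to PID 2432. Rule 2 deliberately compares basenames only, so a legitimately renamed or re-pathed launcher that keeps its own name is not flagged; the mismatch that matters is a different program name, which is what a hollowed host shows.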
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.5MB
MD5: 16169512f2e05c8e01449e52ea10b525
SHA1: 0724ad3ada6f7b87d0be9fe051da3e50449d9775
SHA256: 0b232cd5b3cd6d2ba6d618a0bb68711901d2746be6dbdc67df1242459e0e5c5a
SHA512: 7487faa357cdf96653d84d4b028725fa8650614bf6801ca61c78f2a4f42f8ac288172ae5eaa52365143aaf7edb9fd62ebdc40a6e578b897875eb682f8e299611