Overview

overview

10

Static

static

Quotation.jar

windows7_x64

3

Quotation.jar

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    11-05-2021 06:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation.jar

  • Size

    118KB

  • MD5

    3025deb4a8f51cc463b3784961b00b9d

  • SHA1

    693fcc0e8c4ce1a62d79ed490e8cbdfbb52d3346

  • SHA256

    7b252e149c75956c0f103a1b019aee20004e8c5b8ec5011becc283aca581507a

  • SHA512

    fe244cf750e826ef4342d88cffecc3b78fd20c4eabb673802681ec1317b86c24233f475b5caf1b1d901823ee4deb9196c32d5bfac73de4c0a70b80322c37df11

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Quotation.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\system32\wscript.exe
      wscript C:\Users\Admin\ltvywopbtr.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\hmarvabtst.txt"
        3⤵
          PID:1712

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\hmarvabtst.txt
      MD5

      3b098ed6aa7c3b342772a135129afebd

      SHA1

      f5b5e634b40d0a043c77f48a259dab9b5eea1f5b

      SHA256

      4a4a333147eb03fa0bfb7d0f03b37585669e4d056d63d31beecbb56eafc80c91

      SHA512

      56157f4c0168098877927c46334ac6f1236d18147ad331797152d71a3281d5e2d7bf24c5b0609f868cbf94ec978f6f4e91d882f596e7a97605bd42d4f619e98f

      Download Submit
    • C:\Users\Admin\ltvywopbtr.js
      MD5

      afa8a2405270564c521d461ad00122df

      SHA1

      61e8553d531aa7ab7005a8ab58f4b6fcd4583a1c

      SHA256

      08fc942a3c8a9342e18e835316100440d441c36a613787bfc2010dc947362a95

      SHA512

      c4bb09f1d540562767e6243f7542a3bffa07c5fe8e89ebc0b47bd035d8438e3ef655acf1dc3a514a6d8cee7a3a31bf0109046aa799fb3daed0cf21fdbe8e0fda

      Download Submit
    • memory/1040-59-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1040-60-0x00000000022D0000-0x0000000002540000-memory.dmp
      Filesize

      2.4MB

      Download
    • memory/1040-62-0x0000000000120000-0x0000000000121000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1712-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1712-67-0x0000000002240000-0x00000000024B0000-memory.dmp
      Filesize

      2.4MB

      Download
    • memory/1712-68-0x0000000000110000-0x0000000000111000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1712-69-0x0000000000110000-0x0000000000111000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1712-72-0x0000000000110000-0x0000000000111000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1712-73-0x0000000000110000-0x0000000000111000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1972-61-0x0000000000000000-mapping.dmp
      Download