Analysis
max time kernel: 300s
max time network: 312s
platform: windows10_x64
resource: win10v20210410
submitted: 25-08-2021 10:22

Static task: static1
Behavioral task: behavioral1 (Sample: Request_For_Quotation.js, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: Request_For_Quotation.js, Resource: win10v20210410)
General
Target: Request_For_Quotation.js
Size: 200KB
MD5: 63a88c19299c8fd2e3bf299798a6a322
SHA1: 7545d8fb37a2626b7bf4bd28ab3365e82068e0c8
SHA256: fc5631bd6d785c3b3c634e71ca51fe274c72018110d5dd66e37595653f8ab0dc
SHA512: 3ccc6253e000a8dfd2fecd803294e43f867d3e97a98996a03db4a5f0cdf2172c8338827f0587d2a596cd6c9b657d23f228ab197181655590692db50c18b029d3
Malware Config
Signatures

Blocklisted process makes network request (37 IoCs)
Processes: WScript.exe (pid 1444)
Network flows attributed to pid 1444 / WScript.exe: flow 9, flow 16, and flows 19 through 53 (one IoC per flow)

Drops startup file (2 IoCs)
Processes: WScript.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js (WScript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js (WScript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: WScript.exe
Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run (WScript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ezpMaaZeIO.js\"" (WScript.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes: WerFault.exe
pid 2608 WerFault.exe, target pid 1892 javaw.exe

Modifies registry class (1 IoCs)
Processes: wscript.exe
Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings (wscript.exe)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: WerFault.exe
pid 2608 WerFault.exe (14 entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: WerFault.exe
Token: SeDebugPrivilege, pid 2608 WerFault.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: wscript.exe
PID 3968 (wscript.exe) wrote to memory of 1444 (WScript.exe), 2 entries
PID 3968 (wscript.exe) wrote to memory of 1892 (javaw.exe), 2 entries
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Request_For_Quotation.js
   PID: 3968
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js"
      PID: 1444
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mvxmag.txt"
      PID: 1892

      3. C:\Windows\system32\WerFault.exe
         Command line: C:\Windows\system32\WerFault.exe -u -p 1892 -s 352
         PID: 2608
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js
MD5: 12bdb4d35045ca79f03c7ab66fa2a4d0
SHA1: fa1942411e165ec654f437f026b0e2e8028fa1fd
SHA256: 9114eca4a389a22ca38fa1eeb32bdb08cfc0c913c35307829e04bb86a496138a
SHA512: 9ae5dbe7c33064970d3c18510088864c9c5ad1ee652e87bf0b99c09d6fcfb6141f6c5b442341a56bc119a74e687bb0822ff65d37b80879ee8e4f543bfcd3aea9

C:\Users\Admin\AppData\Roaming\mvxmag.txt
MD5: 06f61cd3d0cdf9257fcdac6483d4c1ba
SHA1: f4eec20fdbc68dbdd8bb5fd1dfecd918b099ef2f
SHA256: 424ba40767618afade696d3714c1ba1960ff91e3bc1658fa510cd2332baf2a2f
SHA512: 9aa7d19fb9999d0414d2399e14ccf43b66cbd6a1bf54be6538b6a0a9e9ac096bdc065a43e4d776ed5cd01a14562446fcd535979b0756781e132e13b27b575657

Memory dumps:
memory/1444-114-0x0000000000000000-mapping.dmp
memory/1892-116-0x0000000000000000-mapping.dmp