Analysis
  max time kernel: 152s
  max time network: 153s
  platform: windows7_x64
  resource: win7v20210408
  submitted: 25-08-2021 11:53

Static task: static1

Behavioral task: behavioral1
  Sample: Request For Quotation.js
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: Request For Quotation.js
  Resource: win10v20210410
General
  Target: Request For Quotation.js
  Size: 200KB
  MD5: 63a88c19299c8fd2e3bf299798a6a322
  SHA1: 7545d8fb37a2626b7bf4bd28ab3365e82068e0c8
  SHA256: fc5631bd6d785c3b3c634e71ca51fe274c72018110d5dd66e37595653f8ab0dc
  SHA512: 3ccc6253e000a8dfd2fecd803294e43f867d3e97a98996a03db4a5f0cdf2172c8338827f0587d2a596cd6c9b657d23f228ab197181655590692db50c18b029d3
Malware Config
Signatures

- Blocklisted process makes network request (15 IoCs)
  Processes: WScript.exe
    flow  pid   process
    6     1896  WScript.exe
    7     1896  WScript.exe
    8     1896  WScript.exe
    10    1896  WScript.exe
    11    1896  WScript.exe
    12    1896  WScript.exe
    14    1896  WScript.exe
    15    1896  WScript.exe
    16    1896  WScript.exe
    18    1896  WScript.exe
    19    1896  WScript.exe
    20    1896  WScript.exe
    22    1896  WScript.exe
    23    1896  WScript.exe
    24    1896  WScript.exe

- Drops startup file (2 IoCs)
  Processes: WScript.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js (WScript.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js (WScript.exe)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WScript.exe
    Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run (WScript.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ezpMaaZeIO.js\"" (WScript.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid   pid_target  process       target process
    1868  1632        WerFault.exe  javaw.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: WerFault.exe
    pid   process
    1868  WerFault.exe
    1868  WerFault.exe
    1868  WerFault.exe
    1868  WerFault.exe
    1868  WerFault.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: WerFault.exe
    pid   process
    1868  WerFault.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: WerFault.exe
    description              pid   process
    Token: SeDebugPrivilege  1868  WerFault.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: wscript.exe, javaw.exe
    description                       pid   process      target process
    PID 344 wrote to memory of 1896   344   wscript.exe  WScript.exe
    PID 344 wrote to memory of 1896   344   wscript.exe  WScript.exe
    PID 344 wrote to memory of 1896   344   wscript.exe  WScript.exe
    PID 344 wrote to memory of 1632   344   wscript.exe  javaw.exe
    PID 344 wrote to memory of 1632   344   wscript.exe  javaw.exe
    PID 344 wrote to memory of 1632   344   wscript.exe  javaw.exe
    PID 1632 wrote to memory of 1868  1632  javaw.exe    WerFault.exe
    PID 1632 wrote to memory of 1868  1632  javaw.exe    WerFault.exe
    PID 1632 wrote to memory of 1868  1632  javaw.exe    WerFault.exe
Processes

- C:\Windows\system32\wscript.exe (PID: 344)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
  Signatures:
    - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WScript.exe (PID: 1896, child of 344)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js"
    Signatures:
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

  - C:\Program Files\Java\jre7\bin\javaw.exe (PID: 1632, child of 344)
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ckhrqocmdp.txt"
    Signatures:
      - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\WerFault.exe (PID: 1868, child of 1632)
      Command line: C:\Windows\system32\WerFault.exe -u -p 1632 -s 140
      Signatures:
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Roaming\ckhrqocmdp.txt
  MD5: 06f61cd3d0cdf9257fcdac6483d4c1ba
  SHA1: f4eec20fdbc68dbdd8bb5fd1dfecd918b099ef2f
  SHA256: 424ba40767618afade696d3714c1ba1960ff91e3bc1658fa510cd2332baf2a2f
  SHA512: 9aa7d19fb9999d0414d2399e14ccf43b66cbd6a1bf54be6538b6a0a9e9ac096bdc065a43e4d776ed5cd01a14562446fcd535979b0756781e132e13b27b575657

- C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js
  MD5: 12bdb4d35045ca79f03c7ab66fa2a4d0
  SHA1: fa1942411e165ec654f437f026b0e2e8028fa1fd
  SHA256: 9114eca4a389a22ca38fa1eeb32bdb08cfc0c913c35307829e04bb86a496138a
  SHA512: 9ae5dbe7c33064970d3c18510088864c9c5ad1ee652e87bf0b99c09d6fcfb6141f6c5b442341a56bc119a74e687bb0822ff65d37b80879ee8e4f543bfcd3aea9

- memory/344-60-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp
  Filesize: 8KB

- memory/1632-63-0x0000000000000000-mapping.dmp

- memory/1868-66-0x0000000000000000-mapping.dmp

- memory/1868-68-0x0000000000350000-0x0000000000351000-memory.dmp
  Filesize: 4KB

- memory/1896-61-0x0000000000000000-mapping.dmp