Analysis
- max time kernel: 150s
- max time network: 165s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 25-08-2021 11:53
Static task: static1
Behavioral task: behavioral1
  Sample: Request For Quotation.js
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Request For Quotation.js
  Resource: win10v20210410
General
- Target: Request For Quotation.js
- Size: 200KB
- MD5: 63a88c19299c8fd2e3bf299798a6a322
- SHA1: 7545d8fb37a2626b7bf4bd28ab3365e82068e0c8
- SHA256: fc5631bd6d785c3b3c634e71ca51fe274c72018110d5dd66e37595653f8ab0dc
- SHA512: 3ccc6253e000a8dfd2fecd803294e43f867d3e97a98996a03db4a5f0cdf2172c8338827f0587d2a596cd6c9b657d23f228ab197181655590692db50c18b029d3
Malware Config
Signatures
- Blocklisted process makes network request (17 IoCs)
  Processes (flow | pid | process):
  11 | 2408 | WScript.exe
  17 | 2408 | WScript.exe
  21 | 2408 | WScript.exe
  22 | 2408 | WScript.exe
  23 | 2408 | WScript.exe
  24 | 2408 | WScript.exe
  25 | 2408 | WScript.exe
  26 | 2408 | WScript.exe
  27 | 2408 | WScript.exe
  28 | 2408 | WScript.exe
  29 | 2408 | WScript.exe
  30 | 2408 | WScript.exe
  31 | 2408 | WScript.exe
  32 | 2408 | WScript.exe
  33 | 2408 | WScript.exe
  34 | 2408 | WScript.exe
  35 | 2408 | WScript.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js | WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ezpMaaZeIO.js\"" | WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
  3252 | 2624 | WerFault.exe | javaw.exe
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | wscript.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes (pid | process):
  3252 | WerFault.exe (the same entry is reported 15 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 3252 | WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 3188 wrote to memory of 2408 | 3188 | wscript.exe | WScript.exe
  PID 3188 wrote to memory of 2408 | 3188 | wscript.exe | WScript.exe
  PID 3188 wrote to memory of 2624 | 3188 | wscript.exe | javaw.exe
  PID 3188 wrote to memory of 2624 | 3188 | wscript.exe | javaw.exe
Processes
- C:\Windows\system32\wscript.exe (PID: 3188)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID: 2408, child of 3188)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID: 2624, child of 3188)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\whicmrqp.txt"
    - C:\Windows\system32\WerFault.exe (PID: 3252, child of 2624)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2624 -s 352
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js
  MD5: 12bdb4d35045ca79f03c7ab66fa2a4d0
  SHA1: fa1942411e165ec654f437f026b0e2e8028fa1fd
  SHA256: 9114eca4a389a22ca38fa1eeb32bdb08cfc0c913c35307829e04bb86a496138a
  SHA512: 9ae5dbe7c33064970d3c18510088864c9c5ad1ee652e87bf0b99c09d6fcfb6141f6c5b442341a56bc119a74e687bb0822ff65d37b80879ee8e4f543bfcd3aea9
- C:\Users\Admin\AppData\Roaming\whicmrqp.txt
  MD5: 06f61cd3d0cdf9257fcdac6483d4c1ba
  SHA1: f4eec20fdbc68dbdd8bb5fd1dfecd918b099ef2f
  SHA256: 424ba40767618afade696d3714c1ba1960ff91e3bc1658fa510cd2332baf2a2f
  SHA512: 9aa7d19fb9999d0414d2399e14ccf43b66cbd6a1bf54be6538b6a0a9e9ac096bdc065a43e4d776ed5cd01a14562446fcd535979b0756781e132e13b27b575657
- memory/2408-114-0x0000000000000000-mapping.dmp
- memory/2624-115-0x0000000000000000-mapping.dmp