Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
25-08-2021 17:33
Static task
static1
Behavioral task
behavioral1
Sample
Request For Quotation.js
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Request For Quotation.js
Resource
win10v20210410
General
-
Target
Request For Quotation.js
-
Size
200KB
-
MD5
63a88c19299c8fd2e3bf299798a6a322
-
SHA1
7545d8fb37a2626b7bf4bd28ab3365e82068e0c8
-
SHA256
fc5631bd6d785c3b3c634e71ca51fe274c72018110d5dd66e37595653f8ab0dc
-
SHA512
3ccc6253e000a8dfd2fecd803294e43f867d3e97a98996a03db4a5f0cdf2172c8338827f0587d2a596cd6c9b657d23f228ab197181655590692db50c18b029d3
Malware Config
Signatures
-
Blocklisted process makes network request 17 IoCs
Processes:
WScript.exeflow pid process 8 1904 WScript.exe 19 1904 WScript.exe 20 1904 WScript.exe 21 1904 WScript.exe 22 1904 WScript.exe 23 1904 WScript.exe 24 1904 WScript.exe 25 1904 WScript.exe 26 1904 WScript.exe 27 1904 WScript.exe 28 1904 WScript.exe 29 1904 WScript.exe 30 1904 WScript.exe 31 1904 WScript.exe 32 1904 WScript.exe 33 1904 WScript.exe 34 1904 WScript.exe -
Drops startup file 2 IoCs
Processes:
WScript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js WScript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ezpMaaZeIO.js WScript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
WScript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run WScript.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\ezpMaaZeIO.js\"" WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2400 1924 WerFault.exe javaw.exe -
Modifies registry class 1 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings wscript.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
WerFault.exepid process 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe 2400 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 2400 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
wscript.exedescription pid process target process PID 3204 wrote to memory of 1904 3204 wscript.exe WScript.exe PID 3204 wrote to memory of 1904 3204 wscript.exe WScript.exe PID 3204 wrote to memory of 1924 3204 wscript.exe javaw.exe PID 3204 wrote to memory of 1924 3204 wscript.exe javaw.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\azcinmknig.txt"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1924 -s 3523⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\azcinmknig.txtMD5
06f61cd3d0cdf9257fcdac6483d4c1ba
SHA1f4eec20fdbc68dbdd8bb5fd1dfecd918b099ef2f
SHA256424ba40767618afade696d3714c1ba1960ff91e3bc1658fa510cd2332baf2a2f
SHA5129aa7d19fb9999d0414d2399e14ccf43b66cbd6a1bf54be6538b6a0a9e9ac096bdc065a43e4d776ed5cd01a14562446fcd535979b0756781e132e13b27b575657
-
C:\Users\Admin\AppData\Roaming\ezpMaaZeIO.jsMD5
12bdb4d35045ca79f03c7ab66fa2a4d0
SHA1fa1942411e165ec654f437f026b0e2e8028fa1fd
SHA2569114eca4a389a22ca38fa1eeb32bdb08cfc0c913c35307829e04bb86a496138a
SHA5129ae5dbe7c33064970d3c18510088864c9c5ad1ee652e87bf0b99c09d6fcfb6141f6c5b442341a56bc119a74e687bb0822ff65d37b80879ee8e4f543bfcd3aea9
-
memory/1904-114-0x0000000000000000-mapping.dmp
-
memory/1924-115-0x0000000000000000-mapping.dmp