Analysis

  • max time kernel
    144s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    09/12/2021, 12:55

General

  • Target

    Request_For_Quotation.js

  • Size

    184KB

  • MD5

    d86eb37fb515a419f7d154c0e0e915e5

  • SHA1

    3817f60df66abe6278cf7bf0e0d8581e0a448cd2

  • SHA256

    7e46aa47cfe108b7d8113725729e70a96bae5ef32686e7e41cbc56ca76aae58f

  • SHA512

    367ae0645b01b452d75b603097b6c5a12f3bb2e77b9f8f36b50d9b690a67c28dcdc225d33ffa19fbe40874373448a4daaef2a72ef6f094842cdd9aba3a72d050

Malware Config

Signatures

  • STRRAT

    STRRAT is a Java-based remote access tool that can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's signature text labels this "likely ransomware behaviour", but it is a generic heuristic; nothing else in this report (no file encryption, no ransom note) supports a ransomware classification for this STRRAT sample.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Request_For_Quotation.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Program Files\Java\jre7\bin\java.exe
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\ovphewroo.txt"
        3⤵
        • Drops startup file
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1136
        • C:\Program Files\Java\jre7\bin\java.exe
          "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"
          4⤵
          PID:1832
          • C:\Windows\system32\cmd.exe
            cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:980
            • C:\Windows\system32\schtasks.exe
              schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"
              5⤵
              • Creates scheduled task(s)
              PID:1824
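The process tree above (script host → javaw.exe → java.exe → cmd.exe → schtasks.exe) and the scheduled-task persistence described under Signatures translate directly into host-telemetry rules. The block below is an added example, not part of the sandbox report and not any vendor's detection content: it replays constructed process-creation events copied from the tree (same PIDs, images and command lines) through three hand-written rules. The event field names, the benign control event (PID 2000 running C:\Tools\app.jar) and the extension allow-list for task targets are assumptions to be mapped onto real Sysmon Event ID 1 or EDR data.

```python
"""Triage rules for the STRRAT execution chain shown in this report (added example)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

JAVA_IMAGES = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed allow-list: extensions a legitimate scheduled task target is expected to have.
RUNNABLE_TASK_EXT = {".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".jar"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the process tree in the report; PID 2000 is a benign control.
EVENTS = [
    ProcEvent(1940, 1, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Request_For_Quotation.js"),
    ProcEvent(572, 1940, r"C:\Program Files\Java\jre7\bin\javaw.exe",
              r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"'),
    ProcEvent(1136, 572, r"C:\Program Files\Java\jre7\bin\java.exe",
              r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\ovphewroo.txt"'),
    ProcEvent(1832, 1136, r"C:\Program Files\Java\jre7\bin\java.exe",
              r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"'),
    ProcEvent(980, 1136, r"C:\Windows\system32\cmd.exe",
              r'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"'),
    ProcEvent(1824, 980, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"'),
    ProcEvent(2000, 1500, r"C:\Program Files\Java\jre7\bin\java.exe",
              r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Tools\app.jar"'),
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def win_tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def jar_target(tokens):
    """Return the argument following -jar, or None if the command line has no -jar."""
    low = [t.lower() for t in tokens]
    if "-jar" in low and low.index("-jar") + 1 < len(tokens):
        return tokens[low.index("-jar") + 1]
    return None


def parse_schtasks_create(tokens):
    """Extract /tn, /sc, /mo, /tr from a 'schtasks /create' call, whether or not wrapped in cmd /c."""
    low = [t.lower() for t in tokens]
    if "/create" not in low or not any(basename(t) in ("schtasks", "schtasks.exe") for t in tokens):
        return None
    opts = {}
    for i, t in enumerate(low):
        if t in ("/tn", "/sc", "/mo", "/tr") and i + 1 < len(tokens):
            opts[t[1:]] = tokens[i + 1]
    return opts


def rule_java_nonjar(ev, by_pid):
    """java/javaw launched with -jar on a file whose extension is not .jar (here a .txt)."""
    if basename(ev.image) not in JAVA_IMAGES:
        return False
    target = jar_target(win_tokens(ev.cmdline))
    return target is not None and PureWindowsPath(target).suffix.lower() != ".jar"


def rule_script_host_parent(ev, by_pid):
    """A Windows Script Host process spawning the JVM, as wscript.exe -> javaw.exe does above."""
    parent = by_pid.get(ev.ppid)
    return parent is not None and basename(parent.image) in SCRIPT_HOSTS and basename(ev.image) in JAVA_IMAGES


def rule_schtasks_persistence(ev, by_pid):
    """schtasks /create whose /tr target is under a user profile or has a non-executable extension."""
    opts = parse_schtasks_create(win_tokens(ev.cmdline))
    if not opts or "tr" not in opts:
        return False
    target = PureWindowsPath(opts["tr"])
    in_profile = str(target).lower().startswith("c:\\users\\")
    return in_profile or target.suffix.lower() not in RUNNABLE_TASK_EXT


RULES = {
    "java_jar_non_jar_extension": rule_java_nonjar,
    "script_host_spawned_java": rule_script_host_parent,
    "schtasks_create_suspicious_target": rule_schtasks_persistence,
}


def triage(events):
    """Map each flagged PID to the sorted list of rule names it matched."""
    by_pid = {ev.pid: ev for ev in events}
    hits = {}
    for ev in events:
        matched = sorted(name for name, rule in RULES.items() if rule(ev, by_pid))
        if matched:
            hits[ev.pid] = matched
    return hits


if __name__ == "__main__":
    for pid, names in triage(EVENTS).items():
        print(pid, ", ".join(names))
```

The -jar rule is the highest-signal one for this family: STRRAT stages its JAR with a misleading extension (ovphewroo.txt here), and a legitimate developer running app.jar (the PID 2000 control) is not flagged. The schtasks rule reads the task name (Skype), interval (every 30 minutes) and target from the command line, which is exactly what the "Creates scheduled task(s)" signature is reacting to; on a real host, confirm the finding by comparing the task's /tr target against the Run key the report says java.exe also wrote.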

Network

MITRE ATT&CK Enterprise v6

Downloads

  Memory dump (PID-index-range)                                     Filesize
  memory/572-55-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp    8KB
  memory/572-57-0x0000000002270000-0x00000000024E0000-memory.dmp    2.4MB
  memory/572-58-0x0000000002270000-0x00000000024E0000-memory.dmp    2.4MB
  memory/572-59-0x0000000000110000-0x0000000000111000-memory.dmp    4KB
  memory/572-60-0x0000000000110000-0x0000000000111000-memory.dmp    4KB
  memory/572-61-0x0000000000110000-0x0000000000111000-memory.dmp    4KB
  memory/572-62-0x0000000000110000-0x0000000000111000-memory.dmp    4KB
  memory/572-63-0x0000000000110000-0x0000000000111000-memory.dmp    4KB
  memory/1136-70-0x0000000000230000-0x0000000000231000-memory.dmp   4KB
  memory/1136-74-0x0000000002200000-0x0000000002470000-memory.dmp   2.4MB
  memory/1136-80-0x0000000000230000-0x0000000000231000-memory.dmp   4KB
  memory/1832-84-0x00000000021C0000-0x0000000002430000-memory.dmp   2.4MB
  memory/1832-86-0x0000000000120000-0x0000000000121000-memory.dmp   4KB
  memory/1832-87-0x0000000000120000-0x0000000000121000-memory.dmp   4KB
  memory/1832-96-0x0000000000120000-0x0000000000121000-memory.dmp   4KB