Analysis

Max time kernel:   144s
Max time network:  137s
Platform:          windows7_x64
Resource:          win7-en-20211208
Submitted:         09/12/2021, 12:55
Static task      static1
Behavioral task  behavioral1   Sample: Request_For_Quotation.js   Resource: win7-en-20211208    0 signatures   0 seconds
Behavioral task  behavioral2   Sample: Request_For_Quotation.js   Resource: win10-en-20211208   0 signatures   0 seconds
General

Target:  Request_For_Quotation.js
Size:    184KB
MD5:     d86eb37fb515a419f7d154c0e0e915e5
SHA1:    3817f60df66abe6278cf7bf0e0d8581e0a448cd2
SHA256:  7e46aa47cfe108b7d8113725729e70a96bae5ef32686e7e41cbc56ca76aae58f
SHA512:  367ae0645b01b452d75b603097b6c5a12f3bb2e77b9f8f36b50d9b690a67c28dcdc225d33ffa19fbe40874373448a4daaef2a72ef6f094842cdd9aba3a72d050
Score:   10/10
Malware Config
Signatures
Drops startup file (1 IoC)
  File created  java.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ovphewroo.txt

Loads dropped DLL (1 IoC)
  pid   process
  1136  java.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  java.exe
    \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\ovphewroo = "\"C:\\Users\\Admin\\AppData\\Roaming\\ovphewroo.txt\""
  Set value (str)  java.exe
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ovphewroo = "\"C:\\Users\\Admin\\AppData\\Roaming\\ovphewroo.txt\""
  The same payload path is registered in both the per-user (HKCU) and the machine-wide (HKLM) Run key, and the same file is also placed in the Startup folder above, so removing any one autostart entry alone leaves the other two in place.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; no other ransomware indicator appears in this report, so treat the tag as generic drive enumeration.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  1824  schtasks.exe
  Here the task is named Skype, fires every 30 minutes (/sc minute /mo 30) and runs C:\Users\Admin\AppData\Roaming\ovphewroo.txt; the full command line is in the process tree below.

Suspicious use of WriteProcessMemory (15 IoCs)
  description                          pid   process       procid_target  count
  PID 1940 wrote to memory of 572      1940  wscript.exe   27             3
  PID 572 wrote to memory of 1136      572   javaw.exe     29             3
  PID 1136 wrote to memory of 980      1136  java.exe      31             3
  PID 1136 wrote to memory of 1832     1136  java.exe      30             3
  PID 980 wrote to memory of 1824      980   cmd.exe       34             3
  Every entry is a parent writing to its own direct child right after spawning it, matching the process tree below; none of these writes targets an unrelated process, so this signature confirms the tree rather than indicating injection.
Processes

C:\Windows\system32\wscript.exe  (PID 1940)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\Request_For_Quotation.js
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Java\jre7\bin\javaw.exe  (PID 572)
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Java\jre7\bin\java.exe  (PID 1136)
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\ovphewroo.txt"
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Java\jre7\bin\java.exe  (PID 1832)
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"

      C:\Windows\system32\cmd.exe  (PID 980)
        cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe  (PID 1824)
          schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"
          - Creates scheduled task(s)

Two points worth noting when hunting for this chain. First, the payload is a JAR stored with a .txt extension and launched explicitly with "-jar", so filters keyed on a .jar extension never see it; the telling signal is java.exe or javaw.exe spawned under a script host (wscript.exe) with a -jar argument that does not end in .jar. Second, the payload appears under two different paths: PID 1136 runs C:\Users\Admin\ovphewroo.txt, while every other reference (javaw.exe, the second java.exe, the Run keys and the scheduled task) uses C:\Users\Admin\AppData\Roaming\ovphewroo.txt, so a cleanup that only removes the %APPDATA% copy leaves the other file behind.
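The correlation an analyst does by hand on this report (script host spawning Java, a JAR hidden under a .txt name, and one file wired into the Startup folder, both Run keys and a scheduled task) can be expressed as a few rules over raw events. The following Python is an added example for this page, not the sandbox vendor's code and not part of the original report. The EVENTS list is constructed from the IoCs listed above; the record schema (kind/pid/ppid/image/cmdline/path/key/data), the rule names and the set of "runnable" extensions are assumptions made for this illustration, not any real export format.

```python
"""Correlate the persistence indicators from a sandbox report.

Added example for this page, not the sandbox vendor's code.  EVENTS is built
from the IoCs in the report; the record schema is an assumption made here.
"""
import re
from collections import defaultdict

EVENTS = [  # constructed from the report's process tree, file and registry IoCs
    {"kind": "process", "pid": 1940, "ppid": None, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Request_For_Quotation.js"},
    {"kind": "process", "pid": 572, "ppid": 1940, "image": "javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"'},
    {"kind": "process", "pid": 1136, "ppid": 572, "image": "java.exe",
     "cmdline": r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\ovphewroo.txt"'},
    {"kind": "process", "pid": 1832, "ppid": 1136, "image": "java.exe",
     "cmdline": r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"'},
    {"kind": "process", "pid": 980, "ppid": 1136, "image": "cmd.exe",
     "cmdline": r'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"'},
    {"kind": "process", "pid": 1824, "ppid": 980, "image": "schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ovphewroo.txt"'},
    {"kind": "file_create", "pid": 1136, "image": "java.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ovphewroo.txt"},
    {"kind": "reg_set", "pid": 1136, "image": "java.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\ovphewroo",
     "data": r'"C:\Users\Admin\AppData\Roaming\ovphewroo.txt"'},
    {"kind": "reg_set", "pid": 1136, "image": "java.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ovphewroo",
     "data": r'"C:\Users\Admin\AppData\Roaming\ovphewroo.txt"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
RUNNABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".jar", ".js", ".vbs", ".ps1"}  # assumed list
# Quoted or bare argument after -jar / /tr; group 1 or 2 holds the path.
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
TASK_RUN = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _arg(match):
    return match.group(1) if match.group(1) is not None else match.group(2)


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def extension(path):
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def ancestry(pid, procs):
    """Image names from pid up to the root, child first."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain


def analyze(events):
    """Return (findings, artifacts).  findings: (rule, pid, detail) tuples;
    artifacts: file name -> set of mechanisms that reference it.  Grouping is
    by file name on purpose, because the report shows the payload under two
    different directories."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    findings, artifacts = [], defaultdict(set)
    for e in events:
        img = e["image"].lower()
        if e["kind"] == "process":
            chain = ancestry(e["pid"], procs)
            if img in JAVA_LAUNCHERS and (m := JAR_ARG.search(e["cmdline"])):
                jar = _arg(m)
                artifacts[basename(jar)].add("java -jar")
                if extension(jar) != ".jar":            # JAR hidden under another extension
                    findings.append(("jar_misnamed", e["pid"], jar))
                if SCRIPT_HOSTS & set(chain[1:]):       # a script host somewhere above java
                    findings.append(("java_from_script_host", e["pid"], " <- ".join(chain)))
            elif img == "schtasks.exe" and "/create" in e["cmdline"].lower() \
                    and (m := TASK_RUN.search(e["cmdline"])):
                target = _arg(m)
                artifacts[basename(target)].add("scheduled task")
                findings.append(("schtasks_create", e["pid"], target))
                if extension(target) not in RUNNABLE_EXTS:
                    findings.append(("task_target_not_runnable", e["pid"], target))
        elif e["kind"] == "file_create" and "\\start menu\\programs\\startup\\" in e["path"].lower():
            artifacts[basename(e["path"])].add("Startup folder")
            findings.append(("startup_folder_drop", e["pid"], e["path"]))
        elif e["kind"] == "reg_set" and "\\currentversion\\run\\" in e["key"].lower():
            hive = "HKLM" if e["key"].lower().startswith("\\registry\\machine\\") else "HKCU"
            value_name = e["key"].rsplit("\\", 1)[-1]
            artifacts[basename(e["data"])].add(f"Run key {hive}")
            findings.append(("run_key", e["pid"], f"{hive} {value_name} -> {e['data']}"))
    # One file wired into several autostart paths is the strongest single signal here.
    for name, mechs in artifacts.items():
        if len(mechs) >= 3:
            findings.append(("multi_persistence", None, f"{name}: {', '.join(sorted(mechs))}"))
    return findings, dict(artifacts)


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS)[0]:
        print(f"{rule:26} pid={pid}  {detail}")
```

Run against the constructed events, the rules produce three "jar_misnamed" and three "java_from_script_host" hits (one per Java launch), two "run_key" hits (HKCU and HKLM), one Startup-folder drop, one scheduled-task creation whose action is a .txt file, and a single "multi_persistence" summary tying all five mechanisms to ovphewroo.txt. The same rules run unchanged over a live EDR or Sysmon export once its fields are mapped onto the assumed schema.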