Analysis

max time kernel: 122s
max time network: 125s
platform: windows10_x64
resource: win10-en-20211208
submitted: 09/12/2021, 12:55

Static task: static1

Behavioral task: behavioral1
Sample: Request_For_Quotation.js
Resource: win7-en-20211208
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: Request_For_Quotation.js
Resource: win10-en-20211208
0 signatures
0 seconds
General

Target: Request_For_Quotation.js
Size: 184KB
MD5: d86eb37fb515a419f7d154c0e0e915e5
SHA1: 3817f60df66abe6278cf7bf0e0d8581e0a448cd2
SHA256: 7e46aa47cfe108b7d8113725729e70a96bae5ef32686e7e41cbc56ca76aae58f
SHA512: 367ae0645b01b452d75b603097b6c5a12f3bb2e77b9f8f36b50d9b690a67c28dcdc225d33ffa19fbe40874373448a4daaef2a72ef6f094842cdd9aba3a72d050
Score: 4/10
Malware Config

Signatures

Drops file in Program Files directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb | javaw.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 2480 wrote to memory of 2756 | 2480 | wscript.exe | 68
PID 2480 wrote to memory of 2756 | 2480 | wscript.exe | 68
Processes

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Request_For_Quotation.js
   PID: 2480
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (child of PID 2480)
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\qkzxfdpdmc.txt"
      PID: 2756
      Signatures: Drops file in Program Files directory