Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 13/12/2021, 15:19
Static task: static1
Behavioral task: behavioral1
- Sample: Request_For_Quotation.js
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: Request_For_Quotation.js
- Resource: win10-en-20211208
General
- Target: Request_For_Quotation.js
- Size: 182KB
- MD5: b6dfbc43cb551d1c52da19a0709fb5ad
- SHA1: c5b2c6093e12a8797d587533f2ab7e56622e8de5
- SHA256: 423a355fb8233f9681ad718fb887df922942594b6ada5e926b1ecf4e67b6cd71
- SHA512: 8ab41fadf08ceeb49f4f2fbeb33bbe0b0c5150daf07b2ab1d6bba38ee1bbe7baa8a7051cd9bc27372191389b850feac7e70878fda4f181d75e723c8422ea7a0b
Malware Config
Signatures
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dnvjxkerl.txt | java.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  844 | java.exe
  1568 | java.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dnvjxkerl = "\"C:\\Users\\Admin\\AppData\\Roaming\\dnvjxkerl.txt\"" | java.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\dnvjxkerl = "\"C:\\Users\\Admin\\AppData\\Roaming\\dnvjxkerl.txt\"" | java.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  14 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  832 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege | 940 | WMIC.exe
  Token: SeSecurityPrivilege | 940 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 940 | WMIC.exe
  Token: SeLoadDriverPrivilege | 940 | WMIC.exe
  Token: SeSystemProfilePrivilege | 940 | WMIC.exe
  Token: SeSystemtimePrivilege | 940 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 940 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 940 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 940 | WMIC.exe
  Token: SeBackupPrivilege | 940 | WMIC.exe
  Token: SeRestorePrivilege | 940 | WMIC.exe
  Token: SeShutdownPrivilege | 940 | WMIC.exe
  Token: SeDebugPrivilege | 940 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 940 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 940 | WMIC.exe
  Token: SeUndockPrivilege | 940 | WMIC.exe
  Token: SeManageVolumePrivilege | 940 | WMIC.exe
  Token: 33 | 940 | WMIC.exe
  Token: 34 | 940 | WMIC.exe
  Token: 35 | 940 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 940 | WMIC.exe
  Token: SeSecurityPrivilege | 940 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 940 | WMIC.exe
  Token: SeLoadDriverPrivilege | 940 | WMIC.exe
  Token: SeSystemProfilePrivilege | 940 | WMIC.exe
  Token: SeSystemtimePrivilege | 940 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 940 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 940 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 940 | WMIC.exe
  Token: SeBackupPrivilege | 940 | WMIC.exe
  Token: SeRestorePrivilege | 940 | WMIC.exe
  Token: SeShutdownPrivilege | 940 | WMIC.exe
  Token: SeDebugPrivilege | 940 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 940 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 940 | WMIC.exe
  Token: SeUndockPrivilege | 940 | WMIC.exe
  Token: SeManageVolumePrivilege | 940 | WMIC.exe
  Token: 33 | 940 | WMIC.exe
  Token: 34 | 940 | WMIC.exe
  Token: 35 | 940 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 1148 | WMIC.exe
  Token: SeSecurityPrivilege | 1148 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1148 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1148 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1148 | WMIC.exe
  Token: SeSystemtimePrivilege | 1148 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1148 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1148 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1148 | WMIC.exe
  Token: SeBackupPrivilege | 1148 | WMIC.exe
  Token: SeRestorePrivilege | 1148 | WMIC.exe
  Token: SeShutdownPrivilege | 1148 | WMIC.exe
  Token: SeDebugPrivilege | 1148 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1148 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1148 | WMIC.exe
  Token: SeUndockPrivilege | 1148 | WMIC.exe
  Token: SeManageVolumePrivilege | 1148 | WMIC.exe
  Token: 33 | 1148 | WMIC.exe
  Token: 34 | 1148 | WMIC.exe
  Token: 35 | 1148 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 1148 | WMIC.exe
  Token: SeSecurityPrivilege | 1148 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1148 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1148 | WMIC.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target
  PID 812 wrote to memory of 596 | 812 | wscript.exe | 27
  PID 812 wrote to memory of 596 | 812 | wscript.exe | 27
  PID 812 wrote to memory of 596 | 812 | wscript.exe | 27
  PID 596 wrote to memory of 844 | 596 | javaw.exe | 28
  PID 596 wrote to memory of 844 | 596 | javaw.exe | 28
  PID 596 wrote to memory of 844 | 596 | javaw.exe | 28
  PID 844 wrote to memory of 1156 | 844 | java.exe | 30
  PID 844 wrote to memory of 1156 | 844 | java.exe | 30
  PID 844 wrote to memory of 1156 | 844 | java.exe | 30
  PID 844 wrote to memory of 1568 | 844 | java.exe | 33
  PID 844 wrote to memory of 1568 | 844 | java.exe | 33
  PID 844 wrote to memory of 1568 | 844 | java.exe | 33
  PID 1156 wrote to memory of 832 | 1156 | cmd.exe | 34
  PID 1156 wrote to memory of 832 | 1156 | cmd.exe | 34
  PID 1156 wrote to memory of 832 | 1156 | cmd.exe | 34
  PID 1568 wrote to memory of 1224 | 1568 | java.exe | 36
  PID 1568 wrote to memory of 1224 | 1568 | java.exe | 36
  PID 1568 wrote to memory of 1224 | 1568 | java.exe | 36
  PID 1224 wrote to memory of 940 | 1224 | cmd.exe | 38
  PID 1224 wrote to memory of 940 | 1224 | cmd.exe | 38
  PID 1224 wrote to memory of 940 | 1224 | cmd.exe | 38
  PID 1568 wrote to memory of 1720 | 1568 | java.exe | 41
  PID 1568 wrote to memory of 1720 | 1568 | java.exe | 41
  PID 1568 wrote to memory of 1720 | 1568 | java.exe | 41
  PID 1720 wrote to memory of 1148 | 1720 | cmd.exe | 43
  PID 1720 wrote to memory of 1148 | 1720 | cmd.exe | 43
  PID 1720 wrote to memory of 1148 | 1720 | cmd.exe | 43
  PID 1568 wrote to memory of 1736 | 1568 | java.exe | 44
  PID 1568 wrote to memory of 1736 | 1568 | java.exe | 44
  PID 1568 wrote to memory of 1736 | 1568 | java.exe | 44
  PID 1568 wrote to memory of 588 | 1568 | java.exe | 47
  PID 1568 wrote to memory of 588 | 1568 | java.exe | 47
  PID 1568 wrote to memory of 588 | 1568 | java.exe | 47
  PID 588 wrote to memory of 1128 | 588 | cmd.exe | 49
  PID 588 wrote to memory of 1128 | 588 | cmd.exe | 49
  PID 588 wrote to memory of 1128 | 588 | cmd.exe | 49
Processes (indentation shows the parent/child relationship)
- C:\Windows\system32\wscript.exe (PID 812)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Request_For_Quotation.js
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Java\jre7\bin\javaw.exe (PID 596)
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dnvjxkerl.txt"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Program Files\Java\jre7\bin\java.exe (PID 844)
      Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\dnvjxkerl.txt"
      Signatures: Drops startup file; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 1156)
        Command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\dnvjxkerl.txt"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe (PID 832)
          Command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\dnvjxkerl.txt"
          Signatures: Creates scheduled task(s)
      - C:\Program Files\Java\jre7\bin\java.exe (PID 1568)
        Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\dnvjxkerl.txt"
        Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe (PID 1224)
          Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\System32\Wbem\WMIC.exe (PID 940)
            Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
            Signatures: Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\cmd.exe (PID 1720)
          Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\System32\Wbem\WMIC.exe (PID 1148)
            Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
            Signatures: Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\cmd.exe (PID 1736)
          Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
          - C:\Windows\System32\Wbem\WMIC.exe (PID 1796)
            Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        - C:\Windows\system32\cmd.exe (PID 588)
          Command line: cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\System32\Wbem\WMIC.exe (PID 1128)
            Command line: wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list