Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13/12/2021, 15:19

General

  • Target

    Request_For_Quotation.js

  • Size

    182KB

  • MD5

    b6dfbc43cb551d1c52da19a0709fb5ad

  • SHA1

    c5b2c6093e12a8797d587533f2ab7e56622e8de5

  • SHA256

    423a355fb8233f9681ad718fb887df922942594b6ada5e926b1ecf4e67b6cd71

  • SHA512

    8ab41fadf08ceeb49f4f2fbeb33bbe0b0c5150daf07b2ab1d6bba38ee1bbe7baa8a7051cd9bc27372191389b850feac7e70878fda4f181d75e723c8422ea7a0b

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Request_For_Quotation.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dnvjxkerl.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Program Files\Java\jre7\bin\java.exe
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\dnvjxkerl.txt"
        3⤵
        • Drops startup file
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Windows\system32\cmd.exe
          cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\dnvjxkerl.txt"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1156
          • C:\Windows\system32\schtasks.exe
            schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\dnvjxkerl.txt"
            5⤵
            • Creates scheduled task(s)
            PID:832
        • C:\Program Files\Java\jre7\bin\java.exe
          "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\dnvjxkerl.txt"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1568
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1224
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:940
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1720
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1148
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
            5⤵
              PID:1736
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
                6⤵
                  PID:1796
              • C:\Windows\system32\cmd.exe
                cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:588
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
                  6⤵
                    PID:1128

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/596-77-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/596-57-0x0000000002220000-0x0000000002490000-memory.dmp

                Filesize

                2.4MB

              • memory/596-76-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/596-55-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

                Filesize

                8KB

              • memory/596-58-0x0000000002220000-0x0000000002490000-memory.dmp

                Filesize

                2.4MB

              • memory/596-75-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/596-73-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/596-71-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/596-69-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/596-68-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/596-59-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/596-79-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/596-60-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/596-63-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/596-65-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/844-95-0x0000000000120000-0x0000000000121000-memory.dmp

                Filesize

                4KB

              • memory/844-85-0x0000000000120000-0x0000000000121000-memory.dmp

                Filesize

                4KB

              • memory/844-86-0x0000000002180000-0x00000000023F0000-memory.dmp

                Filesize

                2.4MB

              • memory/1568-101-0x0000000000330000-0x0000000000331000-memory.dmp

                Filesize

                4KB

              • memory/1568-139-0x0000000000330000-0x0000000000331000-memory.dmp

                Filesize

                4KB

              • memory/1568-140-0x0000000000330000-0x0000000000331000-memory.dmp

                Filesize

                4KB

              • memory/1568-138-0x0000000000330000-0x0000000000331000-memory.dmp

                Filesize

                4KB

              • memory/1568-137-0x0000000000330000-0x0000000000331000-memory.dmp

                Filesize

                4KB

              • memory/1568-109-0x0000000000330000-0x0000000000331000-memory.dmp

                Filesize

                4KB

              • memory/1568-100-0x0000000002090000-0x0000000002300000-memory.dmp

                Filesize

                2.4MB