Analysis
max time kernel: 115s
max time network: 124s
platform: windows10_x64
resource: win10-en-20211208
submitted: 13/12/2021, 15:19
Static task: static1

Behavioral task: behavioral1
Sample: Request_For_Quotation.js
Resource: win7-en-20211208
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: Request_For_Quotation.js
Resource: win10-en-20211208
0 signatures
0 seconds
General
Target: Request_For_Quotation.js
Size: 182KB
MD5: b6dfbc43cb551d1c52da19a0709fb5ad
SHA1: c5b2c6093e12a8797d587533f2ab7e56622e8de5
SHA256: 423a355fb8233f9681ad718fb887df922942594b6ada5e926b1ecf4e67b6cd71
SHA512: 8ab41fadf08ceeb49f4f2fbeb33bbe0b0c5150daf07b2ab1d6bba38ee1bbe7baa8a7051cd9bc27372191389b850feac7e70878fda4f181d75e723c8422ea7a0b
Score: 4/10
Malware Config
Signatures
Drops file in Program Files directory (12 IoCs)
description | ioc | process
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb | javaw.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | process | procid_target
PID 3484 wrote to memory of 3684 | 3484 | wscript.exe | 69
PID 3484 wrote to memory of 3684 | 3484 | wscript.exe | 69
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Request_For_Quotation.js
   PID: 3484
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (child of process 1)
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\iwcun.txt"
      PID: 3684
      Signatures: Drops file in Program Files directory