Analysis
max time kernel: 151s
max time network: 138s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/01/2022, 10:28
Static task: static1

Behavioral task: behavioral1
  Sample: Request For Quotation.js
  Resource: win7-en-20211208
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Request For Quotation.js
  Resource: win10v2004-en-20220113
  0 signatures, 0 seconds
General
Target: Request For Quotation.js
Size: 446KB
MD5: 0afce07b69b1f5e065f36c00b44802b0
SHA1: 412b7f715e1c325330d51d5eeae0f166e8a0497d
SHA256: 9608362f4713abe6fe636520a1f55218350d6ff78794aa432d45eef1c95e04e7
SHA512: 3d1d6099cfc633415f27a08a378e3b96c20e6a193034724f943c5f19807a3a99ff7fcf22190b76ed8b2a6713204c28cb2442c22dfdb13ba9499c2e75da634040
Malware Config
Signatures

Blocklisted process makes network request (5 IoCs)
  flow | pid | Process
  5    | 580 | WScript.exe
  12   | 580 | WScript.exe
  15   | 580 | WScript.exe
  17   | 580 | WScript.exe
  18   | 580 | WScript.exe

Drops startup file (3 IoCs)
  description                  | ioc                                                                                              | Process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JRzXjjDHaa.js    | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JRzXjjDHaa.js    | WScript.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrpncbicwi.txt   | java.exe

Loads dropped DLL (1 IoCs)
  pid  | Process
  1996 | java.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description     | ioc                                                                                                                                                                         | Process
  Key created     | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\JRzXjjDHaa.js\""  | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\yrpncbicwi = "\"C:\\Users\\Admin\\AppData\\Roaming\\yrpncbicwi.txt\"" | java.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yrpncbicwi = "\"C:\\Users\\Admin\\AppData\\Roaming\\yrpncbicwi.txt\""                                              | java.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  308 | schtasks.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                       | pid  | Process     | procid_target
  PID 308 wrote to memory of 580    | 308  | wscript.exe | 27
  PID 308 wrote to memory of 580    | 308  | wscript.exe | 27
  PID 308 wrote to memory of 580    | 308  | wscript.exe | 27
  PID 308 wrote to memory of 704    | 308  | wscript.exe | 28
  PID 308 wrote to memory of 704    | 308  | wscript.exe | 28
  PID 308 wrote to memory of 704    | 308  | wscript.exe | 28
  PID 704 wrote to memory of 1996   | 704  | javaw.exe   | 32
  PID 704 wrote to memory of 1996   | 704  | javaw.exe   | 32
  PID 704 wrote to memory of 1996   | 704  | javaw.exe   | 32
  PID 1996 wrote to memory of 1700  | 1996 | java.exe    | 35
  PID 1996 wrote to memory of 1700  | 1996 | java.exe    | 35
  PID 1996 wrote to memory of 1700  | 1996 | java.exe    | 35
  PID 1996 wrote to memory of 832   | 1996 | java.exe    | 34
  PID 1996 wrote to memory of 832   | 1996 | java.exe    | 34
  PID 1996 wrote to memory of 832   | 1996 | java.exe    | 34
  PID 1700 wrote to memory of 308   | 1700 | cmd.exe     | 40
  PID 1700 wrote to memory of 308   | 1700 | cmd.exe     | 40
  PID 1700 wrote to memory of 308   | 1700 | cmd.exe     | 40
Processes (process tree; indentation shows parent/child depth)

C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
  PID: 308
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JRzXjjDHaa.js"
    PID: 580
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

  C:\Program Files\Java\jre7\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\yrpncbicwi.txt"
    PID: 704
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Java\jre7\bin\java.exe
      Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\yrpncbicwi.txt"
      PID: 1996
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Java\jre7\bin\java.exe
        Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\yrpncbicwi.txt"
        PID: 832

      C:\Windows\system32\cmd.exe
        Command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\yrpncbicwi.txt"
        PID: 1700
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\yrpncbicwi.txt"
          PID: 308
          - Creates scheduled task(s)