Analysis
  Max time kernel: 4264953s
  Max time network: 5s
  Platform: windows10-2004_x64
  Resource: win10v2004-en-20220113
  Submitted: 17/01/2022, 10:28
Static task: static1

Behavioral task: behavioral1
  Sample: Request For Quotation.js
  Resource: win7-en-20211208
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Request For Quotation.js
  Resource: win10v2004-en-20220113
  0 signatures, 0 seconds
General
  Target: Request For Quotation.js
  Size: 446KB
  MD5: 0afce07b69b1f5e065f36c00b44802b0
  SHA1: 412b7f715e1c325330d51d5eeae0f166e8a0497d
  SHA256: 9608362f4713abe6fe636520a1f55218350d6ff78794aa432d45eef1c95e04e7
  SHA512: 3d1d6099cfc633415f27a08a378e3b96c20e6a193034724f943c5f19807a3a99ff7fcf22190b76ed8b2a6713204c28cb2442c22dfdb13ba9499c2e75da634040
  Score: 10/10
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (process: wscript.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: WScript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\JRzXjjDHaa.js\"" (process: WScript.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings (process: wscript.exe)

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1888 (wscript.exe) wrote to memory of PID 2860 (target process id 53)
  PID 1888 (wscript.exe) wrote to memory of PID 2860 (target process id 53)
  PID 1888 (wscript.exe) wrote to memory of PID 2996 (target process id 55)
  PID 1888 (wscript.exe) wrote to memory of PID 2996 (target process id 55)
Processes
  C:\Windows\system32\wscript.exe
    Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.js"
    PID: 1888
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JRzXjjDHaa.js"
      PID: 2860
      - Adds Run key to start application

    C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\nevdkkoe.txt"
      PID: 2996