Analysis
max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-en-20211208
submitted: 20/01/2022, 08:09
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ _JTCEngineering_110355500342450_PDF.js
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: RFQ _JTCEngineering_110355500342450_PDF.js
  Resource: win10v2004-en-20220113
General
Target: RFQ _JTCEngineering_110355500342450_PDF.js
Size: 182KB
MD5: ce78d7595ff47d40be541be7ea67abca
SHA1: 9df02d4e402d211326c047dafebc3a7932fb9356
SHA256: 05e8a158081eeaf61480bc366266b9da128ced63ab253eba0f1a4c1278b9676f
SHA512: 430853fa668966004b8e2aface3446731a5857a787f9cc6e3a31eee41129113c7fe1f994d16fe4d38085949abde58a598951aa17fe2c7090ff18c4a055bc8254
Malware Config
Signatures

Drops startup file 1 IoCs
  description  | ioc                                                                                          | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqxvydfawf.txt | java.exe

Loads dropped DLL 2 IoCs
  pid  | Process
  1476 | java.exe
  1204 | java.exe

Adds Run key to start application 2 TTPs 2 IoCs
  description     | ioc                                                                                                                                                                                                            | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hqxvydfawf = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\hqxvydfawf.txt\""                        | java.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\hqxvydfawf = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\hqxvydfawf.txt\"" | java.exe

Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  13   | ip-api.com

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken 64 IoCs
  description                         | pid  | Process
  Token: SeIncreaseQuotaPrivilege     | 1516 | WMIC.exe
  Token: SeSecurityPrivilege          | 1516 | WMIC.exe
  Token: SeTakeOwnershipPrivilege     | 1516 | WMIC.exe
  Token: SeLoadDriverPrivilege        | 1516 | WMIC.exe
  Token: SeSystemProfilePrivilege     | 1516 | WMIC.exe
  Token: SeSystemtimePrivilege        | 1516 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1516 | WMIC.exe
  Token: SeIncBasePriorityPrivilege   | 1516 | WMIC.exe
  Token: SeCreatePagefilePrivilege    | 1516 | WMIC.exe
  Token: SeBackupPrivilege            | 1516 | WMIC.exe
  Token: SeRestorePrivilege           | 1516 | WMIC.exe
  Token: SeShutdownPrivilege          | 1516 | WMIC.exe
  Token: SeDebugPrivilege             | 1516 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1516 | WMIC.exe
  Token: SeRemoteShutdownPrivilege    | 1516 | WMIC.exe
  Token: SeUndockPrivilege            | 1516 | WMIC.exe
  Token: SeManageVolumePrivilege      | 1516 | WMIC.exe
  Token: 33                           | 1516 | WMIC.exe
  Token: 34                           | 1516 | WMIC.exe
  Token: 35                           | 1516 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege     | 1516 | WMIC.exe
  Token: SeSecurityPrivilege          | 1516 | WMIC.exe
  Token: SeTakeOwnershipPrivilege     | 1516 | WMIC.exe
  Token: SeLoadDriverPrivilege        | 1516 | WMIC.exe
  Token: SeSystemProfilePrivilege     | 1516 | WMIC.exe
  Token: SeSystemtimePrivilege        | 1516 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1516 | WMIC.exe
  Token: SeIncBasePriorityPrivilege   | 1516 | WMIC.exe
  Token: SeCreatePagefilePrivilege    | 1516 | WMIC.exe
  Token: SeBackupPrivilege            | 1516 | WMIC.exe
  Token: SeRestorePrivilege           | 1516 | WMIC.exe
  Token: SeShutdownPrivilege          | 1516 | WMIC.exe
  Token: SeDebugPrivilege             | 1516 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1516 | WMIC.exe
  Token: SeRemoteShutdownPrivilege    | 1516 | WMIC.exe
  Token: SeUndockPrivilege            | 1516 | WMIC.exe
  Token: SeManageVolumePrivilege      | 1516 | WMIC.exe
  Token: 33                           | 1516 | WMIC.exe
  Token: 34                           | 1516 | WMIC.exe
  Token: 35                           | 1516 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege     | 612  | WMIC.exe
  Token: SeSecurityPrivilege          | 612  | WMIC.exe
  Token: SeTakeOwnershipPrivilege     | 612  | WMIC.exe
  Token: SeLoadDriverPrivilege        | 612  | WMIC.exe
  Token: SeSystemProfilePrivilege     | 612  | WMIC.exe
  Token: SeSystemtimePrivilege        | 612  | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 612  | WMIC.exe
  Token: SeIncBasePriorityPrivilege   | 612  | WMIC.exe
  Token: SeCreatePagefilePrivilege    | 612  | WMIC.exe
  Token: SeBackupPrivilege            | 612  | WMIC.exe
  Token: SeRestorePrivilege           | 612  | WMIC.exe
  Token: SeShutdownPrivilege          | 612  | WMIC.exe
  Token: SeDebugPrivilege             | 612  | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 612  | WMIC.exe
  Token: SeRemoteShutdownPrivilege    | 612  | WMIC.exe
  Token: SeUndockPrivilege            | 612  | WMIC.exe
  Token: SeManageVolumePrivilege      | 612  | WMIC.exe
  Token: 33                           | 612  | WMIC.exe
  Token: 34                           | 612  | WMIC.exe
  Token: 35                           | 612  | WMIC.exe
  Token: SeIncreaseQuotaPrivilege     | 612  | WMIC.exe
  Token: SeSecurityPrivilege          | 612  | WMIC.exe
  Token: SeTakeOwnershipPrivilege     | 612  | WMIC.exe
  Token: SeLoadDriverPrivilege        | 612  | WMIC.exe
Suspicious use of WriteProcessMemory 33 IoCs
  description                      | pid  | Process     | procid_target
  PID 1088 wrote to memory of 268  | 1088 | wscript.exe | 27
  PID 1088 wrote to memory of 268  | 1088 | wscript.exe | 27
  PID 1088 wrote to memory of 268  | 1088 | wscript.exe | 27
  PID 268 wrote to memory of 1476  | 268  | javaw.exe   | 28
  PID 268 wrote to memory of 1476  | 268  | javaw.exe   | 28
  PID 268 wrote to memory of 1476  | 268  | javaw.exe   | 28
  PID 1476 wrote to memory of 1204 | 1476 | java.exe    | 30
  PID 1476 wrote to memory of 1204 | 1476 | java.exe    | 30
  PID 1476 wrote to memory of 1204 | 1476 | java.exe    | 30
  PID 1204 wrote to memory of 416  | 1204 | java.exe    | 34
  PID 1204 wrote to memory of 416  | 1204 | java.exe    | 34
  PID 1204 wrote to memory of 416  | 1204 | java.exe    | 34
  PID 416 wrote to memory of 1516  | 416  | cmd.exe     | 36
  PID 416 wrote to memory of 1516  | 416  | cmd.exe     | 36
  PID 416 wrote to memory of 1516  | 416  | cmd.exe     | 36
  PID 1204 wrote to memory of 1356 | 1204 | java.exe    | 38
  PID 1204 wrote to memory of 1356 | 1204 | java.exe    | 38
  PID 1204 wrote to memory of 1356 | 1204 | java.exe    | 38
  PID 1356 wrote to memory of 612  | 1356 | cmd.exe     | 40
  PID 1356 wrote to memory of 612  | 1356 | cmd.exe     | 40
  PID 1356 wrote to memory of 612  | 1356 | cmd.exe     | 40
  PID 1204 wrote to memory of 1688 | 1204 | java.exe    | 41
  PID 1204 wrote to memory of 1688 | 1204 | java.exe    | 41
  PID 1204 wrote to memory of 1688 | 1204 | java.exe    | 41
  PID 1688 wrote to memory of 1732 | 1688 | cmd.exe     | 43
  PID 1688 wrote to memory of 1732 | 1688 | cmd.exe     | 43
  PID 1688 wrote to memory of 1732 | 1688 | cmd.exe     | 43
  PID 1204 wrote to memory of 988  | 1204 | java.exe    | 44
  PID 1204 wrote to memory of 988  | 1204 | java.exe    | 44
  PID 1204 wrote to memory of 988  | 1204 | java.exe    | 44
  PID 988 wrote to memory of 1200  | 988  | cmd.exe     | 46
  PID 988 wrote to memory of 1200  | 988  | cmd.exe     | 46
  PID 988 wrote to memory of 1200  | 988  | cmd.exe     | 46
Processes (process tree; nesting level shown as a number, children indented under their parent)

1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ _JTCEngineering_110355500342450_PDF.js"
   PID: 1088
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Java\jre7\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\hqxvydfawf.txt"
      PID: 268
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files\Java\jre7\bin\java.exe
         Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\hqxvydfawf.txt"
         PID: 1476
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Program Files\Java\jre7\bin\java.exe
            Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\hqxvydfawf.txt"
            PID: 1204
            - Drops startup file
            - Loads dropped DLL
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\cmd.exe
               Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
               PID: 416
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\System32\Wbem\WMIC.exe
                  Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
                  PID: 1516
                  - Suspicious use of AdjustPrivilegeToken

            5. C:\Windows\system32\cmd.exe
               Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
               PID: 1356
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\System32\Wbem\WMIC.exe
                  Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
                  PID: 612
                  - Suspicious use of AdjustPrivilegeToken

            5. C:\Windows\system32\cmd.exe
               Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
               PID: 1688
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\System32\Wbem\WMIC.exe
                  Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
                  PID: 1732

            5. C:\Windows\system32\cmd.exe
               Command line: cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
               PID: 988
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\System32\Wbem\WMIC.exe
                  Command line: wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
                  PID: 1200