Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20/01/2022, 08:09

General

  • Target

    RFQ _JTCEngineering_110355500342450_PDF.js

  • Size

    182KB

  • MD5

    ce78d7595ff47d40be541be7ea67abca

  • SHA1

    9df02d4e402d211326c047dafebc3a7932fb9356

  • SHA256

    05e8a158081eeaf61480bc366266b9da128ced63ab253eba0f1a4c1278b9676f

  • SHA512

    430853fa668966004b8e2aface3446731a5857a787f9cc6e3a31eee41129113c7fe1f994d16fe4d38085949abde58a598951aa17fe2c7090ff18c4a055bc8254

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\RFQ _JTCEngineering_110355500342450_PDF.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\hqxvydfawf.txt"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Program Files\Java\jre7\bin\java.exe
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\hqxvydfawf.txt"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Program Files\Java\jre7\bin\java.exe
          "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\hqxvydfawf.txt"
          4⤵
          • Drops startup file
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:416
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1516
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1356
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:612
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1688
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
              6⤵
                PID:1732
            • C:\Windows\system32\cmd.exe
              cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:988
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
                6⤵
                  PID:1200

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/268-67-0x0000000000110000-0x0000000000111000-memory.dmp

              Filesize

              4KB

            • memory/268-62-0x0000000000110000-0x0000000000111000-memory.dmp

              Filesize

              4KB

            • memory/268-59-0x0000000002350000-0x0000000005350000-memory.dmp

              Filesize

              48.0MB

            • memory/268-74-0x0000000000110000-0x0000000000111000-memory.dmp

              Filesize

              4KB

            • memory/268-69-0x0000000000110000-0x0000000000111000-memory.dmp

              Filesize

              4KB

            • memory/268-68-0x0000000000110000-0x0000000000111000-memory.dmp

              Filesize

              4KB

            • memory/268-60-0x0000000000110000-0x0000000000111000-memory.dmp

              Filesize

              4KB

            • memory/268-63-0x0000000000110000-0x0000000000111000-memory.dmp

              Filesize

              4KB

            • memory/268-65-0x0000000000110000-0x0000000000111000-memory.dmp

              Filesize

              4KB

            • memory/268-66-0x0000000000110000-0x0000000000111000-memory.dmp

              Filesize

              4KB

            • memory/1088-55-0x000007FEFC241000-0x000007FEFC243000-memory.dmp

              Filesize

              8KB

            • memory/1204-93-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1204-92-0x0000000002330000-0x0000000005330000-memory.dmp

              Filesize

              48.0MB

            • memory/1204-101-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1204-122-0x0000000000220000-0x0000000000221000-memory.dmp

              Filesize

              4KB

            • memory/1476-81-0x00000000001B0000-0x00000000001B1000-memory.dmp

              Filesize

              4KB

            • memory/1476-88-0x00000000001B0000-0x00000000001B1000-memory.dmp

              Filesize

              4KB

            • memory/1476-80-0x0000000002150000-0x0000000005150000-memory.dmp

              Filesize

              48.0MB