Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 15-03-2022 14:23
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation.js
  Resource: win7-20220310-en
Behavioral task: behavioral2
  Sample: Quotation.js
  Resource: win10v2004-en-20220113
General
- Target: Quotation.js
- Size: 1.3MB
- MD5: 69c06fd94a073383b9435c801ebb62eb
- SHA1: 0fae62beac98d2806118a831eb0eca04bf351b65
- SHA256: 925d5dec4f50c6ce6eb8bd56a51cdb123e8639f282292e3ed1b6cdd4f37e504b
- SHA512: e24e74c11f78a6c8f27c4ba5279ca5012577a493966f883ab5c2481e88a657ad0f50ff05cef37eebd4e1e888a797d7038398b520577174cc51bd909b54eedd31
Malware Config
Signatures
- Blocklisted process makes network request (6 IoCs)
  Processes: WScript.exe
  flow | pid | process
  8 | 4212 | WScript.exe
  28 | 4212 | WScript.exe
  44 | 4212 | WScript.exe
  45 | 4212 | WScript.exe
  52 | 4212 | WScript.exe
  53 | 4212 | WScript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jZWRVkiZOm.js | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jZWRVkiZOm.js | WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\jZWRVkiZOm.js\"" | WScript.exe
- Drops file in Program Files directory (12 IoCs)
  Processes: javaw.exe
  description | ioc | process
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb | javaw.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes: wscript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | wscript.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 4288 wrote to memory of 4212 | 4288 | wscript.exe | WScript.exe
  PID 4288 wrote to memory of 4212 | 4288 | wscript.exe | WScript.exe
  PID 4288 wrote to memory of 3540 | 4288 | wscript.exe | javaw.exe
  PID 4288 wrote to memory of 3540 | 4288 | wscript.exe | javaw.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Quotation.js
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (child process)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\jZWRVkiZOm.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (child process)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\xzzjliqum.txt"
    - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\jZWRVkiZOm.js
  MD5: 400d402ce0dc1bbd5cea36de09b25379
  SHA1: e6a5f40cbf010f440922612eb469a0a0a2f8e7c7
  SHA256: 48afd1b8a96cf82de1dd7d4533fdabcd66edf957f354902a999f3b23a823958b
  SHA512: 13f0b3cffb22ca53e8a0f8e41d81a808f030b355f05fca37d34e4ba1fd5d54a41ad2e520ba5d0fdf058cc2653e61a31304d2d736de0b838cb735194a320ab595
- C:\Users\Admin\AppData\Roaming\xzzjliqum.txt
  MD5: 391907cc91179ada8c93dfb70cf2fa56
  SHA1: da55acbf6aafe2f376bf4ebd3ff8fbf99cf4966d
  SHA256: 20ad6197b8d0b6b2764f90ef38bace3e230cb2878db9a30778db0e4ef042a039
  SHA512: 931c419c6fff67cc0973eaa67c771aafa573ad5875b1db93ed4ec52e1f20f7e567a0f7c44d916de1d8e77407fe83eb2418fc9c0ba457bd05ef1f742bc4ed0afc
- memory/3540-135-0x0000000002C40000-0x0000000002C41000-memory.dmp
  Filesize: 4KB
- memory/3540-139-0x0000000002C40000-0x0000000002C41000-memory.dmp
  Filesize: 4KB
- memory/3540-153-0x0000000003120000-0x0000000012120000-memory.dmp
  Filesize: 240.0MB
- memory/3540-162-0x0000000002C40000-0x0000000002C41000-memory.dmp
  Filesize: 4KB
- memory/3540-169-0x0000000003120000-0x0000000012120000-memory.dmp
  Filesize: 240.0MB
- memory/3540-170-0x0000000003120000-0x0000000012120000-memory.dmp
  Filesize: 240.0MB