7c7d68c4590327e3c3b7ca47d8d1b6b6554a07940e4a7dadeb65534babd5d866

General

Target

5.jar
Size

630KB
MD5

085dc6e275b50f45fc1e7973d44af68e
SHA1

94cc43999b1104829fa0ddf16710fcc65f221731
SHA256

7c7d68c4590327e3c3b7ca47d8d1b6b6554a07940e4a7dadeb65534babd5d866
SHA512

188b37b6ae96d27e29377da18da4faabc0bceeeb82baf53b9e0fbcf99d02a14b5ddbd8220d2a5fb762d5b0bbea474587c75ee572f8673f46eb343dae0ea17905

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings wscript.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

4272 regedit.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

java.exejavaw.exe

pid process

1068 java.exe
648 javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	wscript.exe

pid	process
4272	regedit.exe

pid	process
1068	java.exe
648	javaw.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

java.exewscript.exejavaw.exe

description	pid	process	target process
PID 4652 wrote to memory of 2204	4652	java.exe	wscript.exe
PID 4652 wrote to memory of 2204	4652	java.exe	wscript.exe
PID 2204 wrote to memory of 4272	2204	wscript.exe	regedit.exe
PID 2204 wrote to memory of 4272	2204	wscript.exe	regedit.exe
PID 2204 wrote to memory of 648	2204	wscript.exe	javaw.exe
PID 2204 wrote to memory of 648	2204	wscript.exe	javaw.exe
PID 648 wrote to memory of 1068	648	javaw.exe	java.exe
PID 648 wrote to memory of 1068	648	javaw.exe	java.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\5.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\zfbgeiosgd.js
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4272
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\lsugqiiuk.txt"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.89725917730115055505510968248455488.class
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5
c868e98aa4da559da14c7dabbef4cdb1

SHA1
5b9c81de9bd98c44d9429c75ef4a7e1a21ad2ca7

SHA256
4b5478636190ecbe5b514cb0b21c3068f846203514dfa259310fdad04f91fe59

SHA512
bcbe2466aa63c9395368afb56f40864d9616068bb895834f07055d27c83f8825f9295e5e46f4697dce63c4336708620eeb6c4a19962ea191f7f2924a14b657a9

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5
3d884905a875add212ce954d0a2b329d

SHA1
90d9c062218b37670493c504b5f9bc0ebdca27c3

SHA256
c61cdee9bf71523f065e1d78535ab34ca75b479d7ff7e0dcacf20c19ed5386e0

SHA512
69cbc9eb1426c71ea21f7fee9b7e0e8e9170c4e97d3770cfdaa8de118eea7c7b7e6a0bfdd97513b7c4973d49366d2a842b9642c550b8b7c95b6b835107eba5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.89725917730115055505510968248455488.class

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg

MD5
0e5411d7ecba9a435afda71c6c39d8fd

SHA1
2d6812052bf7be1b5e213e1d813ae39faa07284c

SHA256
cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2

SHA512
903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1594587808-2047097707-2163810515-1000\83aa4cc77f591dfc2374580bbd95f6ba_cc51e87d-bda7-4ef7-80cf-c431fec6b805

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\lsugqiiuk.txt

MD5
5386ab97e1f8e6d079eba23149de7e47

SHA1
341fe0494f31c6af8cf7690fa02dacd1c21907f2

SHA256
85011ef9bc53b6d692e1e4cea0ba0a99dce82a53f3b0710c34b042a335150bb4

SHA512
db4d391a2b49adedcba61a077a795a3f5c14441fdd76a6848df2c0a1a505178097ae1facdef2de844dbd826b7b20d767131e1b963bb6f273a7f4eed31ec570d3

Download Submit
C:\Users\Admin\zfbgeiosgd.js

MD5
a5011c0d79c897d84526c43e6c48c5c5

SHA1
51c4825a5ae17ffffae32dee5b7cf42b51cf20a2

SHA256
094ddd437277579bf1c6d593ce40012222d8cea094159081cb9d8dc28a928b5a

SHA512
77a6ab5890d2890241cd1fd2ae6316aee8458387ff4ad04f88c3407a386c8639199d32119b88b92f85b94bc4a05d8a9bdcb97a2bf2e8b3089a2c9aeb839cd5e8

Download Submit
memory/648-168-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/648-120-0x0000000000000000-mapping.dmp

Download
memory/648-123-0x0000000002600000-0x0000000002870000-memory.dmp

Filesize
2.4MB

Download
memory/648-170-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/648-137-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/648-151-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/648-126-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/648-147-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/648-146-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/648-145-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/648-132-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/648-139-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/1068-136-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/1068-129-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1068-138-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/1068-135-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/1068-140-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download
memory/1068-141-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/1068-124-0x0000000000000000-mapping.dmp

Download
memory/1068-150-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download
memory/1068-144-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1068-128-0x0000000002C40000-0x0000000002EB0000-memory.dmp

Filesize
2.4MB

Download
memory/1068-148-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2204-115-0x0000000000000000-mapping.dmp

Download
memory/4272-118-0x0000000000000000-mapping.dmp

Download
memory/4652-116-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4652-114-0x0000000002ED0000-0x0000000003140000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing