Analysis
- max time kernel: 142s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 10-05-2021 07:05
Static task: static1
Behavioral task: behavioral1
  Sample: 68398465-INVOICE-PO-IMG.js
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 68398465-INVOICE-PO-IMG.js
  Resource: win10v20210410
General
- Target: 68398465-INVOICE-PO-IMG.js
- Size: 697KB
- MD5: 0216db9911053cc419ad92f7f35062a4
- SHA1: 5f8efa0c0b9f0205a581da9d6247143ab643e515
- SHA256: ff3ba1d8de5361dda0d4398fb797cc9e4def93c38485a80a0ac5ed98bb9fdc2a
- SHA512: aa52161bc7f379ce1f5d66436ae85d06c191fc7272dfa5d3c2412f82aab8a9a83edc6987cb2fabf60379a93d5fd27d56323a8a3589a0ca46942d3df778dd6401
Malware Config
Signatures
- Drops file in Program Files directory (12 IoCs)
  Processes: javaw.exe
  description | ioc | process
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb | javaw.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 3872 wrote to memory of 636 | 3872 | wscript.exe | javaw.exe
  PID 3872 wrote to memory of 636 | 3872 | wscript.exe | javaw.exe
Processes
- [1] C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\68398465-INVOICE-PO-IMG.js
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fqxtfeudwg.txt"
    Signatures: Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\fqxtfeudwg.txt
  MD5: 1790be5a1c36a97ffe2748cd5aacfec8
  SHA1: dca15819696e41c693b7ba0be5924ac07e621e71
  SHA256: b9884e0aa737d1ad75d5fc130a9a38dbda6cf7fe225cbb80ee22b8bccd67e255
  SHA512: e62e7db2e3dd30207b6b5cefa7896340645f82988d7317209ecd1b96143d2e9b487a9054d77ae25eebf29e75c23851cb7f9eae452dd93d092bb70429280c0c99
- memory/636-114-0x0000000000000000-mapping.dmp
- memory/636-116-0x0000000002E60000-0x00000000030D0000-memory.dmp
  Filesize: 2.4MB
- memory/636-117-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
  Filesize: 4KB