e1d6f319e4b448e3e487d6c6ab0b7b4172e2059abc90f7e8156fd661cbb1d513

General

Target

ATTACHED DRAWING AND SPECIFICATION.jar
Size

125KB
MD5

18031dda20407c7250768c264e747e4d
SHA1

c29d744f9b26f6940215c1aae50fcd5de99fa55f
SHA256

e1d6f319e4b448e3e487d6c6ab0b7b4172e2059abc90f7e8156fd661cbb1d513
SHA512

d0327d53d82b9f1eebdf80ca5e5e33d6e4f60fd7d3d1ec0c7011ef4ab71b7dea73d25b7e1dd97d0a7a6d6ab68f2bc0292ec07224b48cd88abc00d8eb26a80021

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings wscript.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

3768 regedit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	wscript.exe

pid	process
3768	regedit.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 4044 wrote to memory of 3656	4044	java.exe	wscript.exe
PID 4044 wrote to memory of 3656	4044	java.exe	wscript.exe
PID 3656 wrote to memory of 3768	3656	wscript.exe	regedit.exe
PID 3656 wrote to memory of 3768	3656	wscript.exe	regedit.exe
PID 3656 wrote to memory of 2112	3656	wscript.exe	javaw.exe
PID 3656 wrote to memory of 2112	3656	wscript.exe	javaw.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\ATTACHED DRAWING AND SPECIFICATION.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\hzppuzylpb.js
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
3⤵
- Runs .reg file with regedit
PID:3768

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\nawqiccje.txt"
3⤵
- Drops file in Program Files directory
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg
MD5
0e5411d7ecba9a435afda71c6c39d8fd

SHA1
2d6812052bf7be1b5e213e1d813ae39faa07284c

SHA256
cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2

SHA512
903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

Download Submit
C:\Users\Admin\AppData\Roaming\nawqiccje.txt
MD5
bfa41b97b438a48a3a2943eee4ab9d7b

SHA1
36a1a0d2b0125b87b0841d1db0ca18cf3aac4b0e

SHA256
1036b983cd81fe9134e2c1b2c72a4c29c111b5983a61324e5cadee33d479452c

SHA512
237a1b5fd74d753f431c38d3437fb75006059788ec72085035020d19631c987bb7f2b2823729d5c7d84accb75f782e0aa89322f4a88019f5fc14dcc2e9938c29

Download Submit
C:\Users\Admin\hzppuzylpb.js
MD5
a627bab6b75c0dfff09ee951974926ff

SHA1
e8c596f89f222137fcbdc99c613cfa5f57f6c82b

SHA256
d84782f48d629c19d022c75401669ef44bdd5b1464ddee6170fcf568845a8ddd

SHA512
fc97dee9193fc9ba6836d10daf8e9dcb900f5a05ccacfcfa337d05c3281691c6f7e4e1b17ebd75332b2574aa868fd7d7d0f99c9febd454a971666670fff74fd0

Download Submit
memory/2112-132-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/2112-133-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/2112-120-0x0000000000000000-mapping.dmp

Download
memory/2112-150-0x0000000003370000-0x0000000003380000-memory.dmp

Filesize
64KB

Download
memory/2112-148-0x0000000003350000-0x0000000003360000-memory.dmp

Filesize
64KB

Download
memory/2112-123-0x0000000002F80000-0x00000000031F0000-memory.dmp

Filesize
2.4MB

Download
memory/2112-124-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/2112-125-0x00000000031F0000-0x0000000003200000-memory.dmp

Filesize
64KB

Download
memory/2112-126-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/2112-127-0x0000000003210000-0x0000000003220000-memory.dmp

Filesize
64KB

Download
memory/2112-128-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2112-129-0x0000000003230000-0x0000000003240000-memory.dmp

Filesize
64KB

Download
memory/2112-130-0x0000000003240000-0x0000000003250000-memory.dmp

Filesize
64KB

Download
memory/2112-131-0x0000000003250000-0x0000000003260000-memory.dmp

Filesize
64KB

Download
memory/2112-149-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download
memory/2112-147-0x0000000003340000-0x0000000003350000-memory.dmp

Filesize
64KB

Download
memory/2112-134-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/2112-135-0x00000000032A0000-0x00000000032B0000-memory.dmp

Filesize
64KB

Download
memory/2112-136-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/2112-137-0x0000000003280000-0x0000000003290000-memory.dmp

Filesize
64KB

Download
memory/2112-138-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/2112-139-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/2112-140-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/2112-141-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/2112-142-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/2112-144-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/2112-145-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/2112-146-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/3656-115-0x0000000000000000-mapping.dmp

Download
memory/3768-118-0x0000000000000000-mapping.dmp

Download
memory/4044-114-0x0000000002AC0000-0x0000000002D30000-memory.dmp

Filesize
2.4MB

Download
memory/4044-116-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing