Analysis
- max time kernel: 146s
- max time network: 186s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 17-05-2021 16:24
- Static task: static1
- Behavioral task: behavioral1
  Sample: ORYX RefNo 210880_opt.jar
  Resource: win7v20210408
- Behavioral task: behavioral2
  Sample: ORYX RefNo 210880_opt.jar
  Resource: win10v20210410
General
- Target: ORYX RefNo 210880_opt.jar
- Size: 124KB
- MD5: 13c4f3b9f92fa63f48b292fd6fbdd33c
- SHA1: 05a59493ce264b62452623388d5545382fb13a1a
- SHA256: 5aeeae4166befce91729c0d886d2bd9c681f94b2edbd7ac4753b0b79572071fa
- SHA512: ab26bfbf3a5819ffabc975cdd1f2339b69b4039580b47664aef4c14ffef46b17fee8ccd828d6ca466bcb6b561f9969c66ce489372a1c75d5b90fcf827eecccea
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs .reg file with regedit (1 IoCs)
  Processes: regedit.exe (PID 1000)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: java.exe, wscript.exe
  PID 368 (java.exe) wrote to memory of PID 1604 (wscript.exe): 3 events
  PID 1604 (wscript.exe) wrote to memory of PID 1000 (regedit.exe): 3 events
  PID 1604 (wscript.exe) wrote to memory of PID 748 (javaw.exe): 3 events
Processes
- C:\Windows\system32\java.exe (PID 368, depth 1)
  Command: java -jar "C:\Users\Admin\AppData\Local\Temp\ORYX RefNo 210880_opt.jar"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.exe (PID 1604, depth 2)
    Command: wscript C:\Users\Admin\sfbwchswsl.js
    - Suspicious use of WriteProcessMemory
    - C:\Windows\regedit.exe (PID 1000, depth 3)
      Command: "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
      - Runs .reg file with regedit
    - C:\Program Files\Java\jre7\bin\javaw.exe (PID 748, depth 3)
      Command: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ktctyez.txt"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg
  MD5: 0e5411d7ecba9a435afda71c6c39d8fd
  SHA1: 2d6812052bf7be1b5e213e1d813ae39faa07284c
  SHA256: cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2
  SHA512: 903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1
- C:\Users\Admin\AppData\Roaming\ktctyez.txt
  MD5: bfa41b97b438a48a3a2943eee4ab9d7b
  SHA1: 36a1a0d2b0125b87b0841d1db0ca18cf3aac4b0e
  SHA256: 1036b983cd81fe9134e2c1b2c72a4c29c111b5983a61324e5cadee33d479452c
  SHA512: 237a1b5fd74d753f431c38d3437fb75006059788ec72085035020d19631c987bb7f2b2823729d5c7d84accb75f782e0aa89322f4a88019f5fc14dcc2e9938c29
- C:\Users\Admin\sfbwchswsl.js
  MD5: 17695573d1e32497683ac04c5882ff4b
  SHA1: 459477393bf657292f568084048b37eaa662052a
  SHA256: b2f1c8ae1c9fa670fc550e608a8195066cb36b34342872707c7d7ffa8c045f29
  SHA512: 522036d4335ce86f0bcd7d450ef4bb6e07ab3167e819f8ce601d0d9a5c57ebf2c817ec3b1dad96db08ad2dee040d9dbf9b6b6b929463e14a1e00a156ac050722
- memory/368-60-0x00000000021E0000-0x0000000002450000-memory.dmp (Filesize: 2.4MB)
- memory/368-62-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize: 4KB)
- memory/368-59-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp (Filesize: 8KB)
- memory/748-68-0x0000000000000000-mapping.dmp
- memory/748-71-0x0000000002220000-0x0000000002490000-memory.dmp (Filesize: 2.4MB)
- memory/748-73-0x0000000000210000-0x0000000000211000-memory.dmp (Filesize: 4KB)
- memory/748-75-0x0000000000210000-0x0000000000211000-memory.dmp (Filesize: 4KB)
- memory/748-80-0x0000000000210000-0x0000000000211000-memory.dmp (Filesize: 4KB)
- memory/748-81-0x0000000000210000-0x0000000000211000-memory.dmp (Filesize: 4KB)
- memory/748-83-0x0000000000210000-0x0000000000211000-memory.dmp (Filesize: 4KB)
- memory/1000-66-0x0000000001B40000-0x0000000001B41000-memory.dmp (Filesize: 4KB)
- memory/1000-64-0x0000000000000000-mapping.dmp
- memory/1604-61-0x0000000000000000-mapping.dmp