5aeeae4166befce91729c0d886d2bd9c681f94b2edbd7ac4753b0b79572071fa

General

Target

ORYX RefNo 210880_opt.jar
Size

124KB
MD5

13c4f3b9f92fa63f48b292fd6fbdd33c
SHA1

05a59493ce264b62452623388d5545382fb13a1a
SHA256

5aeeae4166befce91729c0d886d2bd9c681f94b2edbd7ac4753b0b79572071fa
SHA512

ab26bfbf3a5819ffabc975cdd1f2339b69b4039580b47664aef4c14ffef46b17fee8ccd828d6ca466bcb6b561f9969c66ce489372a1c75d5b90fcf827eecccea

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

1000 regedit.exe

pid	process
1000	regedit.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 368 wrote to memory of 1604	368	java.exe	wscript.exe
PID 368 wrote to memory of 1604	368	java.exe	wscript.exe
PID 368 wrote to memory of 1604	368	java.exe	wscript.exe
PID 1604 wrote to memory of 1000	1604	wscript.exe	regedit.exe
PID 1604 wrote to memory of 1000	1604	wscript.exe	regedit.exe
PID 1604 wrote to memory of 1000	1604	wscript.exe	regedit.exe
PID 1604 wrote to memory of 748	1604	wscript.exe	javaw.exe
PID 1604 wrote to memory of 748	1604	wscript.exe	javaw.exe
PID 1604 wrote to memory of 748	1604	wscript.exe	javaw.exe

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\ORYX RefNo 210880_opt.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\sfbwchswsl.js
2⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
3⤵
- Runs .reg file with regedit
PID:1000

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ktctyez.txt"
3⤵
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg
MD5
0e5411d7ecba9a435afda71c6c39d8fd

SHA1
2d6812052bf7be1b5e213e1d813ae39faa07284c

SHA256
cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2

SHA512
903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

Download Submit
C:\Users\Admin\AppData\Roaming\ktctyez.txt
MD5
bfa41b97b438a48a3a2943eee4ab9d7b

SHA1
36a1a0d2b0125b87b0841d1db0ca18cf3aac4b0e

SHA256
1036b983cd81fe9134e2c1b2c72a4c29c111b5983a61324e5cadee33d479452c

SHA512
237a1b5fd74d753f431c38d3437fb75006059788ec72085035020d19631c987bb7f2b2823729d5c7d84accb75f782e0aa89322f4a88019f5fc14dcc2e9938c29

Download Submit
C:\Users\Admin\sfbwchswsl.js
MD5
17695573d1e32497683ac04c5882ff4b

SHA1
459477393bf657292f568084048b37eaa662052a

SHA256
b2f1c8ae1c9fa670fc550e608a8195066cb36b34342872707c7d7ffa8c045f29

SHA512
522036d4335ce86f0bcd7d450ef4bb6e07ab3167e819f8ce601d0d9a5c57ebf2c817ec3b1dad96db08ad2dee040d9dbf9b6b6b929463e14a1e00a156ac050722

Download Submit
memory/368-60-0x00000000021E0000-0x0000000002450000-memory.dmp

Filesize
2.4MB

Download
memory/368-62-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/368-59-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/748-68-0x0000000000000000-mapping.dmp

Download
memory/748-71-0x0000000002220000-0x0000000002490000-memory.dmp

Filesize
2.4MB

Download
memory/748-73-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/748-75-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/748-80-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/748-81-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/748-83-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1000-66-0x0000000001B40000-0x0000000001B41000-memory.dmp

Filesize
4KB

Download
memory/1000-64-0x0000000000000000-mapping.dmp

Download
memory/1604-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing