Analysis
- max time kernel: 13s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-05-2021 21:07
Static task: static1
Behavioral task: behavioral1
- Sample: 74143635_by_Libranalysis.jar
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 74143635_by_Libranalysis.jar
- Resource: win10v20210410
General
- Target: 74143635_by_Libranalysis.jar
- Size: 116KB
- MD5: 74143635e4ccd866da6da37710e828c0
- SHA1: ea4892ef439b805ce0c8dc477cbb324b66a74d57
- SHA256: fcc120cbbbf66a71a9c0e82d20ecfc6c5721b8ccb806755126c321545fd98d38
- SHA512: 994fd142fda9cc83f15368c6a8793b94099b8ba186f6bd1a5365dbfe6f5308ded20cd2d32eb8bdec3dbdb00d600d67c90512381fb99f2a69b1db4fa3043875d0
Malware Config
Signatures
- Drops file in Program Files directory (12 IoCs)
Processes: javaw.exe
description / ioc / process:
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb (javaw.exe)
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb (javaw.exe)
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb (javaw.exe)
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb (javaw.exe)
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb (javaw.exe)
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb (javaw.exe)
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb (javaw.exe)
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb (javaw.exe)
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb (javaw.exe)
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb (javaw.exe)
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb (javaw.exe)
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb (javaw.exe)
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes: java.exe, wscript.exe
description / pid / process / target process:
- PID 780 wrote to memory of 2848: 780 java.exe -> wscript.exe
- PID 780 wrote to memory of 2848: 780 java.exe -> wscript.exe
- PID 2848 wrote to memory of 2888: 2848 wscript.exe -> javaw.exe
- PID 2848 wrote to memory of 2888: 2848 wscript.exe -> javaw.exe
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\74143635_by_Libranalysis.jar
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\wscript.exe
    Command line: wscript C:\Users\Admin\kpywlflrwi.js
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\iygaixctun.txt"
      - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
  MD5: 0a0d74abe5bb2f16215ab380202c509b
  SHA1: 52138e3fdee8bb1708d5c627a7ef103b452897e0
  SHA256: 90e8fb427cd53c776e92d511a518a4fcbe56d06a8fe5a8711bd05e329579e237
  SHA512: 49d0b0c7fbd435850fda1528cd88f816f16f53e8f85cb98e8aa7cce9b569c7272a49c931ab81639d87c540d4281a3bae598b632ed55f0c2a97ec7b4559d1f3ab
- C:\Users\Admin\AppData\Roaming\iygaixctun.txt
  MD5: 0aec03b268633786fa562a31a28c4dd5
  SHA1: 2ab19c64e5d12eac367aae2c2330c6d2c222b69f
  SHA256: 87da378f8e00529e1db5e7be0f577e7bb5f379cf7c1fc3585c719a8cb5aadfc0
  SHA512: c84d39405ca909a0627c62dfec3f21350dbf272a4059372203433a5945d4e63d0b6dc206b20b9ec37caefd11e127055ac1acf076e1b90cba7e769c45b2fc9f63
- C:\Users\Admin\kpywlflrwi.js
  MD5: dba4a2c273da67cd0079d88ff5ed2c4c
  SHA1: cd0f69e3fa4c57801ffa65064677c17455827e99
  SHA256: eba8b7356da43b24b7e62f362ada126596043a38bc5d8d3a9138a9b484d36e3e
  SHA512: 39d5e4e883206fa4b5c03875d4d9ab7fbfc0d481e1dab4a32a5acfe25df15de193d4aac6b9f9e20ec4d8e492f65550c1e60acee78eaea99d99e9f77d78ba0376
- memory/780-114-0x00000000025D0000-0x0000000002840000-memory.dmp
  Filesize: 2.4MB
- memory/780-116-0x0000000000920000-0x0000000000921000-memory.dmp
  Filesize: 4KB
- memory/2848-115-0x0000000000000000-mapping.dmp
- memory/2888-118-0x0000000000000000-mapping.dmp
- memory/2888-120-0x00000000029E0000-0x0000000002C50000-memory.dmp
  Filesize: 2.4MB
- memory/2888-122-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
  Filesize: 4KB
- memory/2888-123-0x0000000002C50000-0x0000000002C60000-memory.dmp
  Filesize: 64KB
- memory/2888-124-0x0000000002C60000-0x0000000002C70000-memory.dmp
  Filesize: 64KB