0131f55b79672dffbb530d686209174d956c787b8e4895741084664a777837cc

General

Target

0131f55b79672dffbb530d686209174d956c787b8e4895741084664a777837cc.jar
Size

1.1MB
MD5

8b9550eae6cfbe4359a8dc4331038567
SHA1

15bb1028665c9e5998629bd1d6c5b2ad63bdd740
SHA256

0131f55b79672dffbb530d686209174d956c787b8e4895741084664a777837cc
SHA512

a24f384d06202de61c33871d801c5993b9a3a9674b2ab81039e6c53aa8267565ebc93b4fbd5a3031f1a25d9e5be83006ae731840e808d26615e612708781d030

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

840 schtasks.exe

pid	process
840	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 2044 wrote to memory of 948	2044	java.exe	wscript.exe
PID 2044 wrote to memory of 948	2044	java.exe	wscript.exe
PID 2044 wrote to memory of 948	2044	java.exe	wscript.exe
PID 948 wrote to memory of 1752	948	wscript.exe	WScript.exe
PID 948 wrote to memory of 1752	948	wscript.exe	WScript.exe
PID 948 wrote to memory of 1752	948	wscript.exe	WScript.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\0131f55b79672dffbb530d686209174d956c787b8e4895741084664a777837cc.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\vtljjwvqbg.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\TLIolvyPBn.js"
    3⤵
    PID:1752
  - - C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\tnsraay.txt"
      4⤵
      PID:572
    - - C:\Program Files\Java\jre7\bin\javaw.exe
        
        "C:\Program Files\Java\jre7\bin\javaw" -jar "C:\Users\Admin\AppData\RoamingServer1648928050.jar"
        5⤵
        
        PID:1648
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IyFfaseYOW.js"
      4⤵
      PID:1064
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\IyFfaseYOW.js
        5⤵
        Creates scheduled task(s)
        
        PID:840
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rzdlfae.txt"
    3⤵
    PID:1384
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.18667712205219212864438996956018839.class
      4⤵
      PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_0.18667712205219212864438996956018839.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\RoamingServer1648928050.jar

Filesize
130KB

MD5
94744b9845e5f391cca7260098bbe1a2

SHA1
f297391b564b68d07739a1f9723e915777abc279

SHA256
171c05a83078824f27b9cb3ab2b152579edfefaea4c1dea5e690a5367c0e67d3

SHA512
d0d84b46cd586f3a020bf00ee2dedd8c33887337de6eac0c1936ad74c7b2c33343653d91067e4916a55def3d06b5b586cb5b1be38959963cad8c6632571b9168

Download Submit
C:\Users\Admin\AppData\Roaming\IyFfaseYOW.js

Filesize
18KB

MD5
9ad074e4b977d42b16bea24a940ffd32

SHA1
38b9ca30670d8dd3f6b25ebda0d7a8256642b379

SHA256
077d7fe9434715f0c9e979bc4b9d347a3d07a3cbec8be282dc0f9c2d0c52bba1

SHA512
6c2a7f01bb37776c68eab8f2535c0e9901f7c4f72af9a503d09b8fd6a909a30fd8632d183f472b8de26c0ce4c0eb736e0e16381be933b4c21e47614542cde2eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1083475884-596052423-1669053738-1000\83aa4cc77f591dfc2374580bbd95f6ba_206ac020-9434-4197-af4e-48c8ff9cae6c

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\TLIolvyPBn.js

Filesize
439KB

MD5
053ed27b5bd479f8d0e4e76399c39430

SHA1
aee93c1e6bd9afc0989e6299f97f796bdc7515b5

SHA256
ff6bfd9ed665b99c77182b6c166d37114de00d8829975387653eff794303a1f1

SHA512
8e3abbb1e3f60c6c6cbb12aff489024266c8f7cd01dea11280c24549020d18a96ffc283b7ea6c5a0b0eb602876a9d633b820824bd66fa87122ad76e39060f560

Download Submit
C:\Users\Admin\AppData\Roaming\rzdlfae.txt

Filesize
473KB

MD5
635ebeaa68c4aeaae2a54ba5faf3f1b7

SHA1
265360f03bcc39b483985a8c3fe9e4877043e0b7

SHA256
70d13f75995405181c186017fff7830e7b3b6434392a2cec33fe8be6f9c989c0

SHA512
9606ad090416553d88a9e508ad4782855f6c97ec835909178c69ef2f3e6f49bbb88ca1bc4a8171f0fe0c9f8675ea6c61c2aa04437a77f7375b74b07ca2a36388

Download Submit
C:\Users\Admin\AppData\Roaming\tnsraay.txt

Filesize
146KB

MD5
37b1429e7e0671bd1a61e99dd86cff71

SHA1
5b5f0c6bf438775a6d9966013dead771138e03e6

SHA256
f5b8ca4d2d55cd0fbd08ac098fc5ebf2f588881976605c91b50433e4cf4c5ccb

SHA512
2b30b03922086e6da383fadfc2e2e1ee529eced47d9a1a3763948b22cd312dd65d56c60e01c97e8fd4e6eb9b82c6a02342868e3c4057809cac8adb95ed4069c7

Download Submit
C:\Users\Admin\vtljjwvqbg.js

Filesize
706KB

MD5
d8ec9df903d66ed5099ea20f386e9dea

SHA1
b3dda1d2ab4f0a7b8ff0c41e2471bf5108038d42

SHA256
2a66cc04585a9c86a270440e8645a69ece10e526b79772bc13995095ad3768a8

SHA512
0a16825df66ea0d0f7f78a7ee613252ce08a4f90913f72184a821ed8211d7eed2e1c47484141ac9278ebb0089bca79b57ff21cfb141b5d0a2a1dc58880a33290

Download Submit
memory/572-74-0x0000000000000000-mapping.dmp

Download
memory/572-90-0x00000000022C0000-0x00000000052C0000-memory.dmp

Filesize
48.0MB

Download
memory/840-115-0x0000000000000000-mapping.dmp

Download
memory/948-65-0x0000000000000000-mapping.dmp

Download
memory/1064-72-0x0000000000000000-mapping.dmp

Download
memory/1384-94-0x00000000020F0000-0x00000000050F0000-memory.dmp

Filesize
48.0MB

Download
memory/1384-71-0x0000000000000000-mapping.dmp

Download
memory/1628-105-0x0000000000000000-mapping.dmp

Download
memory/1628-130-0x0000000002020000-0x0000000005020000-memory.dmp

Filesize
48.0MB

Download
memory/1648-99-0x0000000000000000-mapping.dmp

Download
memory/1648-111-0x00000000020F0000-0x00000000050F0000-memory.dmp

Filesize
48.0MB

Download
memory/1752-68-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x000007FEFBFD1000-0x000007FEFBFD3000-memory.dmp

Filesize
8KB

Download
memory/2044-64-0x0000000002290000-0x0000000005290000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads