2b4db73f2e681b7f7d5b0b4cee46453428c4dd3c9c94070ef8840fc73a54d58a

Analysis

max time kernel
9s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-06-2022 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

justificante.jar
Size

647KB
MD5

f2862159a6e80713e03cf09ad149b4e3
SHA1

740f32542b8e53908e02f3db0234736648085236
SHA256

2b4db73f2e681b7f7d5b0b4cee46453428c4dd3c9c94070ef8840fc73a54d58a
SHA512

8c62ee4181f42f66004dd15317842d9bd56fbceecd6628a7146c0774605bc6ba157f5028eb4900618f38d0308304252081eabf21a419a8befb7c03774b9318a6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 5012 wrote to memory of 4876	5012	java.exe	wscript.exe
PID 5012 wrote to memory of 4876	5012	java.exe	wscript.exe
PID 4876 wrote to memory of 2660	4876	wscript.exe	WScript.exe
PID 4876 wrote to memory of 2660	4876	wscript.exe	WScript.exe
PID 4876 wrote to memory of 868	4876	wscript.exe	javaw.exe
PID 4876 wrote to memory of 868	4876	wscript.exe	javaw.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\justificante.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\oddlcjbdnx.js
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tKNFBZAbcx.js"
3⤵
PID:2660

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\eshehdqwc.txt"
3⤵
PID:868

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.72709693629456055531469728943655516.class
4⤵
PID:2096

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive731692836177338778.vbs
5⤵
PID:4712

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive731692836177338778.vbs
6⤵
PID:4692

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5516255629706292180.vbs
5⤵
PID:4880

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3956977541534481935.vbs
4⤵
PID:3148

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3956977541534481935.vbs
5⤵
PID:4812

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2094860766618857276.vbs
4⤵
PID:3568

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2094860766618857276.vbs
5⤵
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
ce84ec52a35038955b1cfbc0a034de70

SHA1
8305644ac0e0fa479c7f5b2120b2fc373fc65dc9

SHA256
9bf73301b0863587f35dfe124165e2f4406310819e1b38fb8c981aa3f4bd74f6

SHA512
61c1f1e74baacd95a952a28880a2228a482cfeff37f95b70739af5ff2728dc58d98d7834d14eac5401d39d1faf21ab7061c5cc32c390cfa6df2de270405f075c

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
ea3706cda12b4b363227751cc0676662

SHA1
fbac2a19c15616c8797eddf1711712ecfc88f689

SHA256
688a0c69e39742bbe3219f8d6ba7e5db709ff50a70982bfa0755d907672c9efa

SHA512
8d74293acdb00f780c2d962d43219f1211a5c32e39a4fc4e2b53142bd835e88846c3e315429ac9beb23f7877a141da385a26d1f802d7bcffa5f4f834fbf8e62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive3956977541534481935.vbs
Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive731692836177338778.vbs
Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.72709693629456055531469728943655516.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1809750270-3141839489-3074374771-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c7a2658-1166-4e8e-b7f6-c01b4ff97801
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\eshehdqwc.txt
Filesize
479KB

MD5
0af2ffb0e3a810f556a0eef909a5ecc7

SHA1
641fe60bfa8569a0a13dc9279ea1cafb5cb912ad

SHA256
9d05feba177ac6b9433f0a28bf9e6ba9828f1621f625f7ca80009a1cf5b5374b

SHA512
883f01a0d0c2ed6ada0dd3d2b4548d01b54f6cf4fcfd6a39f9a61511147fefc4ea8ad4392873fd54e4d7c1c04adc01c94bf99447ddfcde925340ae4ea409b1c9

Download Submit
C:\Users\Admin\AppData\Roaming\tKNFBZAbcx.js
Filesize
30KB

MD5
fa3fd06cbfb568048b94746fe7846ac6

SHA1
242538e1e09cb9d5342441e981946a12d111860d

SHA256
f827c5ccc625f33515de3e7019cca67c06066ebf460288b47c464002ef0390a1

SHA512
5e4d960cc58256d4a9f94dbb2556d19aa362be0a4e26133f0a42e9392457f405a3d0c68235e1781a33dc625c03777b28970a6a10aea8e3a1ef7e92bf3cf7dab7

Download Submit
C:\Users\Admin\oddlcjbdnx.js
Filesize
969KB

MD5
06a575d37fb3ed9c959b6f5ee7d4794c

SHA1
bad9d9875c3ea3e50bf0b111dc54fef104162afb

SHA256
d7c9739a75f4218fd75acf6c86d04e55b5d5d618bd99ee3cd34b57e52e2de4b9

SHA512
d686fc32aba72091387cb89a2ab9f1b8e31aad47085fea0f017e7a94a25dfef1ba5f064859333dfebfc405750077f893d06b53438f60d1cc0c4c7b32853fa289

Download Submit
memory/868-145-0x0000000000000000-mapping.dmp

Download
memory/868-155-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/868-179-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/868-189-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/868-177-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download
memory/1780-198-0x0000000000000000-mapping.dmp

Download
memory/2096-170-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

Filesize
16.0MB

Download
memory/2096-158-0x0000000000000000-mapping.dmp

Download
memory/2096-196-0x0000000002FC0000-0x0000000003FC0000-memory.dmp

Filesize
16.0MB

Download
memory/2660-143-0x0000000000000000-mapping.dmp

Download
memory/3148-185-0x0000000000000000-mapping.dmp

Download
memory/3568-195-0x0000000000000000-mapping.dmp

Download
memory/4692-192-0x0000000000000000-mapping.dmp

Download
memory/4712-190-0x0000000000000000-mapping.dmp

Download
memory/4812-191-0x0000000000000000-mapping.dmp

Download
memory/4876-140-0x0000000000000000-mapping.dmp

Download
memory/4880-197-0x0000000000000000-mapping.dmp

Download
memory/5012-134-0x0000000003020000-0x0000000004020000-memory.dmp

Filesize
16.0MB

Download