Analysis
Max time kernel: 148s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 22-06-2022 15:20

Static task: static1
Behavioral task: behavioral1 (Sample: Faktura 22062022105025.js, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: Faktura 22062022105025.js, Resource: win10v2004-20220414-en)
General
Target: Faktura 22062022105025.js
Size: 453KB
MD5: e0ee6501ff7c833e22e405f0a3add213
SHA1: bb2685e7c70428de5848f1b1f53d5b687b9610f8
SHA256: 5e691b3588f4bcffbe60656a23ee0bb46081c4b7d18d0f600af6508a2dcf7768
SHA512: f3c6eae4a7b33e86c167d2fb3cef9437bb3d3f9beee3c105e4693facca06b38e60322f0e285b2b1d9753d42c1450ff9d5302365c3d81e28f6687bf707a49bdf4
Malware Config
Signatures
-
Blocklisted process makes network request (16 IoCs)
Process: wscript.exe (PID 2820), the child running hHhUMQQaEJ.js in //B mode
Flows: 5, 9, 17, 25, 32, 39, 45, 47, 48, 51, 54, 55, 56, 57, 58, 59 (all from PID 2820)
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: wscript.exe (the first-stage process, PID 2176, carries this tag in the process tree)
Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
-
Drops startup file (2 IoCs)
Process: wscript.exe (PID 2820)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hHhUMQQaEJ.js
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hHhUMQQaEJ.js
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: wscript.exe (PID 2820)
Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "C:\Users\Admin\AppData\Roaming\hHhUMQQaEJ.js"
(The stored string includes the surrounding quotes; the raw report renders it escaped as "\"C:\\Users\\Admin\\AppData\\Roaming\\hHhUMQQaEJ.js\"".)
Together with the Startup-folder copy above, the same second-stage script gets two independent per-user autostart paths, so cleanup has to remove both the Run value and the Startup file.
-
Drops file in Program Files directory (12 IoCs)
Process: java.exe (PID 3340)
File opened for modification, 12 paths under C:\Program Files\Java\jre1.8.0_66\bin\:
  jvm.pdb, ntdll.pdb
  dll\jvm.pdb, dll\ntdll.pdb
  symbols\dll\jvm.pdb, symbols\dll\ntdll.pdb
  server\jvm.pdb, server\ntdll.pdb
  server\dll\jvm.pdb, server\dll\ntdll.pdb
  server\symbols\dll\jvm.pdb, server\symbols\dll\ntdll.pdb
These paths follow the dbghelp symbol search pattern (module directory, then dll\, then symbols\dll\ beneath it) for the two modules jvm.dll and ntdll.dll, which is consistent with the JVM resolving debug symbols. No file under Program Files appears in the dropped-files list below, so treat this signature as low-signal rather than as a payload write.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this "likely ransomware behaviour", but no IoCs are attached to it and nothing else in the report shows encryption activity, so read it as host enumeration, not as a ransomware finding.
-
Suspicious use of WriteProcessMemory (4 IoCs)
Process: wscript.exe (PID 2176)
PID 2176 (wscript.exe) wrote to memory of PID 2820 (wscript.exe), twice
PID 2176 (wscript.exe) wrote to memory of PID 3340 (java.exe), twice
Both targets are the direct children of 2176 in the process tree below, so the writes match a parent writing into processes it has just created; there is no write into a process outside this chain.
Processes
(PIDs taken from the signature tables above.)

C:\Windows\system32\wscript.exe (PID 2176)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Faktura 22062022105025.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (PID 2820, child of 2176)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\hHhUMQQaEJ.js"
    (//B is Windows Script Host batch mode: script errors and prompts are not displayed.)
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

  C:\Program Files\Java\jre1.8.0_66\bin\java.exe (PID 3340, child of 2176)
    "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"
    - Drops file in Program Files directory

The first-stage script (PID 2176) launches two second stages: the copied script hHhUMQQaEJ.js under Roaming, which sets up persistence and makes the flagged network requests, and SM.jar under Temp, run through the installed JRE.
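The signature tables and the process tree above describe a chain that can be caught from endpoint telemetry without any knowledge of this particular sample: a Run value pointing at a script in AppData, a script dropped into the per-user Startup folder, a script host launched in //B mode from AppData, and java.exe running a jar from Temp with a script host as parent. The following is an added example, not code from the Triage report or from the sample. The events are constructed Sysmon-style records built from the IoCs above; the field names (id, pid, ppid, image, cmd, target, details) are an assumed flat schema, not Triage's export format or Sysmon's exact XML field names, and the OneDrive entry is a constructed benign control.

```python
"""Detection rules for the persistence and execution chain in this report.

Added example, not part of the Triage report or the sample. EVENTS are
constructed Sysmon-style records built from the report's IoCs; the field
names are an assumed schema, not Triage's or Sysmon's exact format.
"""
import re
from typing import Dict, List, Tuple

# Constructed events. Sysmon event IDs used: 1 = process create,
# 11 = file create, 13 = registry value set. ppid 1000 for the first
# process is assumed (the report does not show its parent).
EVENTS: List[Dict[str, str]] = [
    {"id": "1", "pid": "2176", "ppid": "1000", "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Faktura 22062022105025.js"'},
    {"id": "13", "pid": "2820", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ",
     "details": r'"C:\Users\Admin\AppData\Roaming\hHhUMQQaEJ.js"'},
    {"id": "11", "pid": "2820", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hHhUMQQaEJ.js"},
    {"id": "1", "pid": "2820", "ppid": "2176", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\hHhUMQQaEJ.js"'},
    {"id": "1", "pid": "3340", "ppid": "2176", "image": r"C:\Program Files\Java\jre1.8.0_66\bin\java.exe",
     "cmd": r'"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"'},
    # Constructed benign control: a normal Run value pointing at an .exe must not alert.
    {"id": "13", "pid": "4444", "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local\\Temp)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, pid, evidence) for every event that matches a rule."""
    procs = {e["pid"]: e for e in events if e["id"] == "1"}  # pid -> creation event
    alerts: List[Tuple[str, str, str]] = []
    for e in events:
        name = image_name(e["image"])
        if e["id"] == "13":
            # Rule 1: Run value whose command is a script file in a user-writable directory.
            if (RUN_KEY.search(e["target"]) and SCRIPT_EXT.search(e["details"])
                    and USER_WRITABLE.search(e["details"])):
                alerts.append(("run_key_script_persistence", e["pid"], e["target"]))
        elif e["id"] == "11":
            # Rule 2: script file written into the per-user Startup folder.
            if STARTUP_DIR.search(e["target"]) and SCRIPT_EXT.search(e["target"]):
                alerts.append(("startup_folder_script_drop", e["pid"], e["target"]))
        elif e["id"] == "1":
            cmd = e["cmd"].lower()
            # Rule 3: script host in batch mode (//B suppresses errors/prompts) run from AppData.
            if name in SCRIPT_HOSTS and "//b" in cmd and USER_WRITABLE.search(cmd):
                alerts.append(("hidden_script_host_from_appdata", e["pid"], e["cmd"]))
            # Rule 4: java -jar on a jar in a user-writable directory, parent is a script host.
            parent = procs.get(e.get("ppid", ""))
            if (name == "java.exe" and "-jar" in cmd and USER_WRITABLE.search(cmd)
                    and parent is not None and image_name(parent["image"]) in SCRIPT_HOSTS):
                alerts.append(("script_host_spawns_java_jar", e["pid"], e["cmd"]))
    return alerts


def decode_report_value(raw: str) -> str:
    """Turn the report's escaped rendering of a registry string value
    (e.g. "\\"C:\\\\Users\\\\...\\\\x.js\\"") back into the stored value."""
    s = raw.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\")


if __name__ == "__main__":
    for rule, pid, evidence in detect(EVENTS):
        print(f"[{rule}] pid={pid} {evidence}")
    print(decode_report_value(r'"\"C:\\Users\\Admin\\AppData\\Roaming\\hHhUMQQaEJ.js\""'))
```

Rules 1 and 2 fire on PID 2820, rule 3 on the //B child, and rule 4 on PID 3340 through its parent link to 2176; the first-stage launch of the invoice-named script from Temp is deliberately not a rule on its own, since a user double-clicking an attachment produces the same event. decode_report_value recovers the stored Run value from the doubly escaped string shown in the signature table.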
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SM.jar
Filesize: 164KB
MD5: edf0e95033cb0df96be06c5088142288
SHA1: 3972af92633203e7857ec0e4ae65246b32c83539
SHA256: 9712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049
SHA512: b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a
-
C:\Users\Admin\AppData\Roaming\hHhUMQQaEJ.js
Filesize: 58KB
MD5: 6e19c9be0455699d39ecac41f332827c
SHA1: ac1be0bad3bf9c19d5927408809dd7c70ce7ac26
SHA256: 5bc218e50e5fd2027ff0467989a4972c63a1478eae5ae918728d3b4213df202e
SHA512: 05ba615f7444271a30da4ffb93faed0b88f4897338ca891df8e834cb79973fdcdd534a8d398757346a7e33de761316d0ae7764abfda3bd9b8170d695aa7ca59d
-
Memory dumps
memory/2820-130-0x0000000000000000-mapping.dmp
memory/3340-132-0x0000000000000000-mapping.dmp
memory/3340-138-0x0000000003140000-0x0000000004140000-memory.dmp (16.0MB)
memory/3340-151-0x0000000003140000-0x0000000004140000-memory.dmp (16.0MB)
memory/3340-154-0x0000000003140000-0x0000000004140000-memory.dmp (16.0MB)
memory/3340-155-0x0000000003140000-0x0000000004140000-memory.dmp (16.0MB)
memory/3340-159-0x0000000003140000-0x0000000004140000-memory.dmp (16.0MB)
memory/3340-161-0x0000000003140000-0x0000000004140000-memory.dmp (16.0MB)
memory/3340-162-0x0000000003140000-0x0000000004140000-memory.dmp (16.0MB)
memory/3340-163-0x0000000003140000-0x0000000004140000-memory.dmp (16.0MB)
The eight 16 MB dumps are successive snapshots of the same region (0x3140000-0x4140000) in PID 3340 (java.exe), taken at different points in the run.