Analysis

- Max time kernel: 148s
- Max time network: 152s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 23-06-2022 01:03
Static task: static1

Behavioral task: behavioral1
  Sample: Custom Clearance Doc. AWB#5305323204643.js
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: Custom Clearance Doc. AWB#5305323204643.js
  Resource: win10v2004-20220414-en
General

- Target: Custom Clearance Doc. AWB#5305323204643.js
- Size: 616KB
- MD5: 33d87ba5f5667d83a06e8794e464e6e8
- SHA1: b0b8207b5804987067391f6192b8c233dfccbae7
- SHA256: 1e24a6a3246bd6d1af9c3a90880b4518afe0bbaa40f8f922138e1d3f8a4f02de
- SHA512: 1ba63984598b1b6400e915dd026bd45e3d12553e7202c6577ca8f0d7f0e6215127ca3a4063a6256f18f956a5ee0f7580d9908084f191f6c8a94cf328fde07e88
Malware Config
Signatures
- Blocklisted process makes network request (15 IoCs)
  Processes: wscript.exe
  flow  pid  process
  6     576  wscript.exe
  19    576  wscript.exe
  26    576  wscript.exe
  36    576  wscript.exe
  37    576  wscript.exe
  41    576  wscript.exe
  45    576  wscript.exe
  46    576  wscript.exe
  47    576  wscript.exe
  50    576  wscript.exe
  51    576  wscript.exe
  52    576  wscript.exe
  53    576  wscript.exe
  54    576  wscript.exe
  55    576  wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LfLwlUUXXC.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LfLwlUUXXC.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\LfLwlUUXXC.js\"" (wscript.exe)
- Drops file in Program Files directory (12 IoCs)
  Processes: java.exe
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb (java.exe)
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb (java.exe)
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb (java.exe)
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb (java.exe)
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb (java.exe)
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb (java.exe)
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb (java.exe)
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb (java.exe)
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb (java.exe)
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb (java.exe)
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb (java.exe)
  - File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb (java.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
  description                        pid   process      target process
  PID 4720 wrote to memory of 576    4720  wscript.exe  wscript.exe
  PID 4720 wrote to memory of 576    4720  wscript.exe  wscript.exe
  PID 4720 wrote to memory of 2336   4720  wscript.exe  java.exe
  PID 4720 wrote to memory of 2336   4720  wscript.exe  java.exe
Processes

- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Custom Clearance Doc. AWB#5305323204643.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\LfLwlUUXXC.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

  - C:\Program Files\Java\jre1.8.0_66\bin\java.exe (depth 2)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"
    - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\SM.jar
  Filesize: 164KB
  MD5: edf0e95033cb0df96be06c5088142288
  SHA1: 3972af92633203e7857ec0e4ae65246b32c83539
  SHA256: 9712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049
  SHA512: b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a

- C:\Users\Admin\AppData\Roaming\LfLwlUUXXC.js
  Filesize: 117KB
  MD5: 5ec7e975e42079dacb58ad5e712df35f
  SHA1: 6c963b465c7ddc9081add19f0c99eac3e969f819
  SHA256: 4be6ef286e027bd596340d08cc8640d213cff7fbf93638a2ccee267fa42512b8
  SHA512: ca38464e394d43a8320baa24163cf3921a66ce3a87a8f4da7d20718ab6248319cb6d08de61509b81061d353da23033412fa9b121c14c2c32df5aa2859a7e13a8

- memory/576-130-0x0000000000000000-mapping.dmp

- memory/2336-132-0x0000000000000000-mapping.dmp

- memory/2336-138-0x0000000002E70000-0x0000000003E70000-memory.dmp
  Filesize: 16.0MB

- memory/2336-157-0x0000000002E70000-0x0000000003E70000-memory.dmp
  Filesize: 16.0MB

- memory/2336-158-0x0000000002E70000-0x0000000003E70000-memory.dmp
  Filesize: 16.0MB