Analysis
- max time kernel: 162s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-06-2022 05:56
Static task: static1
Behavioral task: behavioral1
- Sample: Custom Clearance Doc. AWB#5305323204643.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Custom Clearance Doc. AWB#5305323204643.js
- Resource: win10v2004-20220414-en
General
- Target: Custom Clearance Doc. AWB#5305323204643.js
- Size: 616KB
- MD5: 33d87ba5f5667d83a06e8794e464e6e8
- SHA1: b0b8207b5804987067391f6192b8c233dfccbae7
- SHA256: 1e24a6a3246bd6d1af9c3a90880b4518afe0bbaa40f8f922138e1d3f8a4f02de
- SHA512: 1ba63984598b1b6400e915dd026bd45e3d12553e7202c6577ca8f0d7f0e6215127ca3a4063a6256f18f956a5ee0f7580d9908084f191f6c8a94cf328fde07e88
Malware Config
Signatures
- Blocklisted process makes network request (14 IoCs)
  Processes: wscript.exe
  wscript.exe (PID 2832) made network requests in flows 8, 35, 38, 40, 41, 44, 46, 47, 48, 49, 50, 51, 52 and 53.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LfLwlUUXXC.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LfLwlUUXXC.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\LfLwlUUXXC.js\"" (wscript.exe)
- Drops file in Program Files directory (12 IoCs)
  Processes: java.exe
  File opened for modification (java.exe):
  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb
  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.exe
  PID 2396 (wscript.exe) wrote to memory of 2832 (wscript.exe)
  PID 2396 (wscript.exe) wrote to memory of 2832 (wscript.exe)
  PID 2396 (wscript.exe) wrote to memory of 2516 (java.exe)
  PID 2396 (wscript.exe) wrote to memory of 2516 (java.exe)
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Custom Clearance Doc. AWB#5305323204643.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\LfLwlUUXXC.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre1.8.0_66\bin\java.exe (depth 2)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\SM.jar"
    - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SM.jar
  Filesize: 164KB
  MD5: edf0e95033cb0df96be06c5088142288
  SHA1: 3972af92633203e7857ec0e4ae65246b32c83539
  SHA256: 9712cb8921bc1aaf24f86d6a82ce59a332f6ad04eb1af0414f9bd51e0f35e049
  SHA512: b7086f0880328bfbb11f6a48a95bde9718318bec9a66c4d00dc16384a1c7ccae97685c7e50d8278c3a267431032d418c61acc9a9ca926d0bd948b79c722a562a
- C:\Users\Admin\AppData\Roaming\LfLwlUUXXC.js
  Filesize: 117KB
  MD5: 5ec7e975e42079dacb58ad5e712df35f
  SHA1: 6c963b465c7ddc9081add19f0c99eac3e969f819
  SHA256: 4be6ef286e027bd596340d08cc8640d213cff7fbf93638a2ccee267fa42512b8
  SHA512: ca38464e394d43a8320baa24163cf3921a66ce3a87a8f4da7d20718ab6248319cb6d08de61509b81061d353da23033412fa9b121c14c2c32df5aa2859a7e13a8
- memory/2516-132-0x0000000000000000-mapping.dmp
- memory/2516-141-0x00000000029A0000-0x00000000039A0000-memory.dmp
  Filesize: 16.0MB
- memory/2516-158-0x00000000029A0000-0x00000000039A0000-memory.dmp
  Filesize: 16.0MB
- memory/2516-159-0x00000000029A0000-0x00000000039A0000-memory.dmp
  Filesize: 16.0MB
- memory/2516-160-0x00000000029A0000-0x00000000039A0000-memory.dmp
  Filesize: 16.0MB
- memory/2832-130-0x0000000000000000-mapping.dmp