8ab87e7fcf49648efa256ca90e9907c46b7c67a46de01630c97477a1b0d0025f

Analysis

max time kernel
9s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
27-06-2022 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JUSTIFICANTE PAGO .jar
Size

623KB
MD5

8f2e219434282e43f8fa9386081c898b
SHA1

d749418ec454764bf243c73fb28d36a83118cc35
SHA256

8ab87e7fcf49648efa256ca90e9907c46b7c67a46de01630c97477a1b0d0025f
SHA512

bdffa5e00006868e68fc1afae57c26939797b9413b457e0d2f392f0aa72c902c81144bcf4f3645dfaa230fab8cd5c9dec1dd2541ffaab5f9e22aceb69a313533

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

java.exewscript.exe

description	pid	process	target process
PID 568 wrote to memory of 4244	568	java.exe	wscript.exe
PID 568 wrote to memory of 4244	568	java.exe	wscript.exe
PID 4244 wrote to memory of 224	4244	wscript.exe	WScript.exe
PID 4244 wrote to memory of 224	4244	wscript.exe	WScript.exe
PID 4244 wrote to memory of 1580	4244	wscript.exe	javaw.exe
PID 4244 wrote to memory of 1580	4244	wscript.exe	javaw.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE PAGO .jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\lqafkoorma.js
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ihkZAambeh.js"
3⤵
PID:224

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\zqdxmxmfbv.txt"
3⤵
PID:1580

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.97193636960247521040776429322268906.class
4⤵
PID:2200

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8930039223799923814.vbs
4⤵
PID:4312

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8930039223799923814.vbs
5⤵
PID:3184

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2924260088210250142.vbs
4⤵
PID:2440

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2924260088210250142.vbs
5⤵
PID:4388

C:\Windows\SYSTEM32\xcopy.exe
xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
4⤵
PID:3668

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
4⤵
PID:884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
aade94bdcf6a8eea59e38b7ce38a18c0

SHA1
2df79f1641fc759bc7858ff9b4576a6569543a72

SHA256
44610c5bcba977e3053653300bcc6990cace317728fa40dbd211f72d78206e5f

SHA512
f0270ec0cbbb6374e28272ed62820ecb41ddf49eab96a477d12a8d2b93ab639dea4c7f9d8404a419fa33d06da6272b4e87271486d49a05c3fcab76540b287c03

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
fbd86350227e6cb56ad6ee8a0923a774

SHA1
5531baab919f3f6d9c0d0d99b2a2e28ca5ad557c

SHA256
9dfde7e81d5a0a74c35c016ad454feddc38d256c82c8256b6185ef5467121560

SHA512
b9c4481c4b2e04ed8121c2036c57c01aa48d4abc509d232b6638649c9a228323e41b2376205f6377164d00e93ff1c8d78b19fcda843fef544512ffd03ce751a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive2924260088210250142.vbs
Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive8930039223799923814.vbs
Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.97193636960247521040776429322268906.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1809750270-3141839489-3074374771-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c7a2658-1166-4e8e-b7f6-c01b4ff97801
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\ihkZAambeh.js
Filesize
5KB

MD5
2d579ee4a8e19705e3f683f1b6036c58

SHA1
99123ecbe2e183d5c10c1b4895ce8d75eb51c5ea

SHA256
5564fe9635277dc1e4c791cfd20edb5f71209d8ddeb6e0bb014a6b9c617a11cf

SHA512
341db97474c252a0fccd47242618782df872c2a3b285a4971129cb734a6bea4ae9210ce3ebb8a8bc1b066c63943765237383066714e4078e186ffb2510a35f40

Download Submit
C:\Users\Admin\AppData\Roaming\zqdxmxmfbv.txt
Filesize
479KB

MD5
0af2ffb0e3a810f556a0eef909a5ecc7

SHA1
641fe60bfa8569a0a13dc9279ea1cafb5cb912ad

SHA256
9d05feba177ac6b9433f0a28bf9e6ba9828f1621f625f7ca80009a1cf5b5374b

SHA512
883f01a0d0c2ed6ada0dd3d2b4548d01b54f6cf4fcfd6a39f9a61511147fefc4ea8ad4392873fd54e4d7c1c04adc01c94bf99447ddfcde925340ae4ea409b1c9

Download Submit
C:\Users\Admin\lqafkoorma.js
Filesize
900KB

MD5
47bc0c266c7c3edf919e8e7e3b8c0a38

SHA1
ed6f5ed1fb381756d174e96f9ce0eda30236771c

SHA256
c42a9f324cae355593c84c46ddb8c13e1c5fb98032214c900d71454bae2b655a

SHA512
6278dd67d71b1bf44b4f18c7d40dacb4ed5d4b43e06b166c903ce2f0c16dae7ab67b1a9832b379b93c7777452456cc01e21841fc75c8dc9e2540e125a5bfe35c

Download Submit
memory/224-143-0x0000000000000000-mapping.dmp

Download
memory/568-134-0x0000000002D20000-0x0000000003D20000-memory.dmp

Filesize
16.0MB

Download
memory/884-194-0x0000000000000000-mapping.dmp

Download
memory/1580-178-0x0000000002330000-0x0000000003330000-memory.dmp

Filesize
16.0MB

Download
memory/1580-195-0x0000000002330000-0x0000000003330000-memory.dmp

Filesize
16.0MB

Download
memory/1580-192-0x0000000002330000-0x0000000003330000-memory.dmp

Filesize
16.0MB

Download
memory/1580-181-0x0000000002330000-0x0000000003330000-memory.dmp

Filesize
16.0MB

Download
memory/1580-145-0x0000000000000000-mapping.dmp

Download
memory/1580-188-0x0000000002330000-0x0000000003330000-memory.dmp

Filesize
16.0MB

Download
memory/1580-156-0x0000000002330000-0x0000000003330000-memory.dmp

Filesize
16.0MB

Download
memory/1580-186-0x0000000002330000-0x0000000003330000-memory.dmp

Filesize
16.0MB

Download
memory/2200-170-0x0000000002930000-0x0000000003930000-memory.dmp

Filesize
16.0MB

Download
memory/2200-158-0x0000000000000000-mapping.dmp

Download
memory/2440-187-0x0000000000000000-mapping.dmp

Download
memory/3184-184-0x0000000000000000-mapping.dmp

Download
memory/3668-191-0x0000000000000000-mapping.dmp

Download
memory/4244-140-0x0000000000000000-mapping.dmp

Download
memory/4312-182-0x0000000000000000-mapping.dmp

Download
memory/4388-189-0x0000000000000000-mapping.dmp

Download