Analysis
-
max time kernel
86s -
max time network
89s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
14-07-2022 10:45
Static task
static1
Behavioral task
behavioral1
Sample
PO.220471.jar
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
PO.220471.jar
Resource
win10v2004-20220414-en
General
-
Target
PO.220471.jar
-
Size
627KB
-
MD5
b715cb0f045aacb762f59d4b837b9cee
-
SHA1
fdbf3dbc872a3a3654807ca955de5af4d4091dfb
-
SHA256
df96f72858f4c3c10abee7f9dbb1ae38eb9cff069450bf87547c6cd2a7ef8754
-
SHA512
e8332c5937e9aa989b20b6e443c31ec56c4b032e92ab6fc972ce5926bdaeef5384d262d543e4c19552e72710648133b5e353f98c726df2c26eb0844521c06f15
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
wscript.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings wscript.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
java.exewscript.exejavaw.exedescription pid Process procid_target PID 1044 wrote to memory of 5060 1044 java.exe 83 PID 1044 wrote to memory of 5060 1044 java.exe 83 PID 5060 wrote to memory of 5036 5060 wscript.exe 84 PID 5060 wrote to memory of 5036 5060 wscript.exe 84 PID 5060 wrote to memory of 3088 5060 wscript.exe 85 PID 5060 wrote to memory of 3088 5060 wscript.exe 85 PID 3088 wrote to memory of 4668 3088 javaw.exe 86 PID 3088 wrote to memory of 4668 3088 javaw.exe 86
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\PO.220471.jar1⤵
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SYSTEM32\wscript.exewscript C:\Users\Admin\tfvufrkjag.js2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\jsKFpuMqvB.js"3⤵PID:5036
-
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\abqamamjej.txt"3⤵
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.22287821019885593391296998441226663.class4⤵PID:4668
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD575b8bd4ba46cfcc48923a0b73dbf688e
SHA11238c791f6ce55840f459639188a526f941f672d
SHA256ab817498312f567b192f380f5a2dd3d428b9eae89e0c5a62eefd7f905dd91a58
SHA512b74b801f27bcbc45618eeb3b29d739df9c5503fbd5da95d616f18411e63172e9e70ae3d04d84ceea5530fa1e07f784a8c64cfd6ada77febd9fe6e919de8595bb
-
Filesize
50B
MD552ddb330898fd4b1aee34c34f3470da1
SHA1f1183ab2a8158ea4d380bbe24a0086d982f60776
SHA256ee03e5aba5fb097b057da5301d717b536c3a979a97ca166bd3ecf94ee9bce8e9
SHA512b7abf23847aa8061f4eae91edc4becd26928668aa2ad12a6251f30707ff34ab80b1acb76f57628783fc0274af3b390fafc5bc071f3c85abb79d0eddb916b8cb3
-
Filesize
241KB
MD5781fb531354d6f291f1ccab48da6d39f
SHA19ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA25697d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA5123e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3751123196-3323558407-1869646069-1000\83aa4cc77f591dfc2374580bbd95f6ba_6bb404a8-25bc-4cef-a831-797f8d1e89c0
Filesize45B
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize
479KB
MD54d9a717a9d3bb25ed5fd107ec7795e3a
SHA1341ff4f74c807650c0a81ca0c2711caceddbed44
SHA256d4532757afd5774d841e830196ce2d5812f3443785f693d57e5c5d7d4ca3288a
SHA512ca6445a628a057895bd62028a2353a12b008e28b6bcf11d4277ffb18a51c5282bdd74864eb4412512387282dd43b2f5b915f4ec0df8e3f74ba2fab3905a197ce
-
Filesize
9KB
MD5fee0122aedf23a9751ff45273333c428
SHA1c946203d5cbeb8d93c4a3cc8c6c61463a671b90d
SHA25662b7edb1c394fcc1dcf1d7fecc368ec15cd3038a84fe67978b9fecc6025d8e0e
SHA512d2b02c13143c4ff017be7668ba17281e061eaccf824fbd43da55b8bcffa54054b1449d32a970d4eda42b5e07ecea82fe16c76015b0c812c6bb7f8abb7c51a6fa
-
Filesize
916KB
MD5ed6475d7ebbbba360940904aa683e697
SHA15984a814730dfa0a4bcb4fec1040cb4c02ec1321
SHA256dcdec034dace11b4911bcbb12a2ac1f7c98571e46904f60d3e4000a7d0b7ae12
SHA512bc73513fef1c2a0c0dee3b481d3a1630d0593902ef986bd2a7a0a7cec74408a3f6fc15f2085f77fa44cea0bf98522c9c100eedd75d4ac456f3809ac5257a7b57