Analysis
max time kernel: 149s
max time network: 54s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 22/09/2022, 07:57
Static task: static1
Behavioral task: behavioral1
  Sample: Records-TODAY-XrupywHKMp_AccRecords-TODAY.jar
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Records-TODAY-XrupywHKMp_AccRecords-TODAY.jar
  Resource: win10v2004-20220812-en
General
Target: Records-TODAY-XrupywHKMp_AccRecords-TODAY.jar
Size: 614KB
MD5: 39bfad1c0e675b72788f75a71ddf343d
SHA1: 2d4f0a03145fbc26fdcc79f2dd626b2bdb1a2291
SHA256: 890361d45c787bbc8add4fcf0af3cfa05eeff5eb7469db9f260e9e19710d693d
SHA512: 929b3b40c76597607bc4b8ef9d8acda8a506f86d9589340d74cf5d1507aedc39ebb705863a13bca98d5896d18df66316a3fd09cb6d621b749fdb5016baf6e815
SSDEEP: 12288:ql7kWN0aYpWYag4xzNahUnlCfTecOP0+7yDHFzJgKd6enKq:qwWNP9nAUnlITecOc+wHk8nV
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process      procid_target
  PID 1016 wrote to memory of 1452   1016  java.exe     29
  PID 1016 wrote to memory of 1452   1016  java.exe     29
  PID 1016 wrote to memory of 1452   1016  java.exe     29
  PID 1452 wrote to memory of 1476   1452  wscript.exe  30
  PID 1452 wrote to memory of 1476   1452  wscript.exe  30
  PID 1452 wrote to memory of 1476   1452  wscript.exe  30
  PID 1452 wrote to memory of 820    1452  wscript.exe  31
  PID 1452 wrote to memory of 820    1452  wscript.exe  31
  PID 1452 wrote to memory of 820    1452  wscript.exe  31
  PID 820 wrote to memory of 1624    820   javaw.exe    33
  PID 820 wrote to memory of 1624    820   javaw.exe    33
  PID 820 wrote to memory of 1624    820   javaw.exe    33
Processes (process tree; indentation shows parent/child depth)
1. C:\Windows\system32\java.exe
   Command line: java -jar C:\Users\Admin\AppData\Local\Temp\Records-TODAY-XrupywHKMp_AccRecords-TODAY.jar
   PID: 1016
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wscript.exe
      Command line: wscript C:\Users\Admin\uiycfwtfza.js
      PID: 1452
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oKaiMIpJcF.js"
         PID: 1476
      3. C:\Program Files\Java\jre7\bin\javaw.exe
         Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\kegdrxumpj.txt"
         PID: 820
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files\Java\jre7\bin\java.exe
            Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.46402853107794266562020696027687167.class
            PID: 1624
Network
MITRE ATT&CK Enterprise v6
Downloads