Analysis
- max time kernel: 30s
- max time network: 64s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/09/2022, 07:57
Static task: static1
Behavioral task: behavioral1
- Sample: Records-TODAY-XrupywHKMp_AccRecords-TODAY.jar
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Records-TODAY-XrupywHKMp_AccRecords-TODAY.jar
- Resource: win10v2004-20220812-en
General
- Target: Records-TODAY-XrupywHKMp_AccRecords-TODAY.jar
- Size: 614KB
- MD5: 39bfad1c0e675b72788f75a71ddf343d
- SHA1: 2d4f0a03145fbc26fdcc79f2dd626b2bdb1a2291
- SHA256: 890361d45c787bbc8add4fcf0af3cfa05eeff5eb7469db9f260e9e19710d693d
- SHA512: 929b3b40c76597607bc4b8ef9d8acda8a506f86d9589340d74cf5d1507aedc39ebb705863a13bca98d5896d18df66316a3fd09cb6d621b749fdb5016baf6e815
- SSDEEP: 12288:ql7kWN0aYpWYag4xzNahUnlCfTecOP0+7yDHFzJgKd6enKq:qwWNP9nAUnlITecOc+wHk8nV
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  Process: wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings
  Process: wscript.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 4772 wrote to memory of 4124 (pid: 4772, Process: java.exe, procid_target: 82)
  description: PID 4772 wrote to memory of 4124 (pid: 4772, Process: java.exe, procid_target: 82)
  description: PID 4124 wrote to memory of 4300 (pid: 4124, Process: wscript.exe, procid_target: 83)
  description: PID 4124 wrote to memory of 4300 (pid: 4124, Process: wscript.exe, procid_target: 83)
  description: PID 4124 wrote to memory of 3340 (pid: 4124, Process: wscript.exe, procid_target: 84)
  description: PID 4124 wrote to memory of 3340 (pid: 4124, Process: wscript.exe, procid_target: 84)
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe (depth 1, PID 4772)
  command line: java -jar C:\Users\Admin\AppData\Local\Temp\Records-TODAY-XrupywHKMp_AccRecords-TODAY.jar
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\wscript.exe (depth 2, PID 4124)
    command line: wscript C:\Users\Admin\uiycfwtfza.js
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WScript.exe (depth 3, PID 4300)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oKaiMIpJcF.js"
    - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (depth 3, PID 3340)
      command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\hdkmovgs.txt"
      - C:\Program Files\Java\jre1.8.0_66\bin\java.exe (depth 4, PID 4028)
        command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.37347711247580747199496433508202152.class
        - C:\Windows\SYSTEM32\cmd.exe (depth 5, PID 4844)
          command line: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8164507331004910708.vbs
          - C:\Windows\system32\cscript.exe (depth 6, PID 2968)
            command line: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8164507331004910708.vbs
        - C:\Windows\SYSTEM32\cmd.exe (depth 5, PID 4012)
          command line: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive758505856353628500.vbs
          - C:\Windows\system32\cscript.exe (depth 6, PID 5016)
            command line: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive758505856353628500.vbs
        - C:\Windows\SYSTEM32\xcopy.exe (depth 5, PID 1524)
          command line: xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      - C:\Windows\SYSTEM32\cmd.exe (depth 4, PID 2364)
        command line: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1319556694481891182.vbs
        - C:\Windows\system32\cscript.exe (depth 5, PID 1984)
          command line: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1319556694481891182.vbs
      - C:\Windows\SYSTEM32\cmd.exe (depth 4, PID 4512)
        command line: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3550843395460824288.vbs
        - C:\Windows\system32\cscript.exe (depth 5, PID 5092)
          command line: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3550843395460824288.vbs
      - C:\Windows\SYSTEM32\xcopy.exe (depth 4, PID 4908)
        command line: xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
Network
MITRE ATT&CK Enterprise v6
Downloads