Analysis
max time kernel: 128s
max time network: 153s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24/09/2022, 07:49
Static task: static1
Behavioral task: behavioral1
Sample: New Order for October.js
Resource: win7-20220812-en
General
Target: New Order for October.js
Size: 118KB
MD5: 1b49c83a07fbe0fa71a60bdacdab0cfc
SHA1: ed1d8842b27f9d5252700562b256f336aa3f6424
SHA256: ed6dfe0b4ad2bdc90dc8f0498d26db8ffbc8f498b9e50bd78832e2cc5c41886e
SHA512: b6ca707d6508b1f40e88c5f7ea9647ae8174530dc55cbbe1e7494115765b6a161e637f6439c632f8027e476b34f970f026cb95258233814228caa1b6d7e3eabe
SSDEEP: 3072:BG3zxdEtOiN5e3HaZqVcZrdPaQ5JYXLXmMFsG:BGjxCtNMqlZlF5JYXDbt
Malware Config
Signatures

Blocklisted process makes network request (5 IoCs)
flow | pid | Process
4    | 560 | WScript.exe
7    | 560 | WScript.exe
9    | 560 | WScript.exe
15   | 560 | WScript.exe
16   | 560 | WScript.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid  | Process
2032 | dl-18691602584445390368362084239.exe

Drops startup file (2 IoCs)
description                  | ioc                                                                                          | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defiZZUuQa.js | WScript.exe
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defiZZUuQa.js | WScript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)
description             | pid  | Process
Token: SeDebugPrivilege | 2032 | dl-18691602584445390368362084239.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid  | Process
1120 | javaw.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description                     | pid  | Process     | procid_target
PID 740 wrote to memory of 560  | 740  | wscript.exe | 27
PID 740 wrote to memory of 560  | 740  | wscript.exe | 27
PID 740 wrote to memory of 560  | 740  | wscript.exe | 27
PID 740 wrote to memory of 1120 | 740  | wscript.exe | 28
PID 740 wrote to memory of 1120 | 740  | wscript.exe | 28
PID 740 wrote to memory of 1120 | 740  | wscript.exe | 28
PID 1120 wrote to memory of 2032 | 1120 | javaw.exe   | 32
PID 1120 wrote to memory of 2032 | 1120 | javaw.exe   | 32
PID 1120 wrote to memory of 2032 | 1120 | javaw.exe   | 32
PID 1120 wrote to memory of 2032 | 1120 | javaw.exe   | 32
Processes

[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order for October.js"
    PID: 740
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\defiZZUuQa.js"
        PID: 560
        - Blocklisted process makes network request
        - Drops startup file

    [2] C:\Program Files\Java\jre7\bin\javaw.exe
        Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\jseapxsk.txt"
        PID: 1120
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\dl-18691602584445390368362084239.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\dl-18691602584445390368362084239.exe
            PID: 2032
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 7KB
MD5: 2febb58744b8f59fe8fcdce3bd4f4aa8
SHA1: 629cf9935873f774f9c3115a59109253ece7cd00
SHA256: b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
SHA512: 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

Filesize: 7KB
MD5: 2febb58744b8f59fe8fcdce3bd4f4aa8
SHA1: 629cf9935873f774f9c3115a59109253ece7cd00
SHA256: b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
SHA512: 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619

Filesize: 7KB
MD5: 98d232bcf565c9a3c5ff09ed4b2364b7
SHA1: 53a54e4c6966c9fb39595bd894e1b5c30ab6eb5d
SHA256: 80853e9a1aabaa758853c4708f7aa5833038cc528f978c054a0e4b7fdfb6803c
SHA512: 00208ded48b462e2bb45825994aa7e3d7a9bad78282bbeba4bf04aa7141d1773af1b7a85e4bd4585294a32195943a188c1c64798995ae51ade2c91c11cdf779d

Filesize: 51KB
MD5: cb149aabfbfca9669536c2ad4bdec4c4
SHA1: 42077d0d29634eb7f6034fdf9c69b858d8a399b2
SHA256: d5976ed8b73fa654dfdcb9a46ddf033d38097f34b93548f8cd509eb33d9de4b0
SHA512: a7e143c6ccaa44d62cec7332220e428b368b085853d7b7f2d08d2196518c3079ffe405b3b2ee48ae5679519d6a74ac50dd8d0b01d6e8c4d0a30ff8b1774395b3