Analysis
- max time kernel: 142s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/09/2022, 07:49
Static task: static1
Behavioral task: behavioral1
Sample: New Order for October.js
Resource: win7-20220812-en
General
- Target: New Order for October.js
- Size: 118KB
- MD5: 1b49c83a07fbe0fa71a60bdacdab0cfc
- SHA1: ed1d8842b27f9d5252700562b256f336aa3f6424
- SHA256: ed6dfe0b4ad2bdc90dc8f0498d26db8ffbc8f498b9e50bd78832e2cc5c41886e
- SHA512: b6ca707d6508b1f40e88c5f7ea9647ae8174530dc55cbbe1e7494115765b6a161e637f6439c632f8027e476b34f970f026cb95258233814228caa1b6d7e3eabe
- SSDEEP: 3072:BG3zxdEtOiN5e3HaZqVcZrdPaQ5JYXLXmMFsG:BGjxCtNMqlZlF5JYXDbt
Malware Config
Signatures
- Blocklisted process makes network request (6 IoCs)
    flow | pid | Process
    5 | 5008 | WScript.exe
    22 | 5008 | WScript.exe
    38 | 5008 | WScript.exe
    41 | 5008 | WScript.exe
    43 | 5008 | WScript.exe
    44 | 5008 | WScript.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
    pid | Process
    1452 | dl-14557345408854760970946257096.exe
- Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    description | ioc | Process
    Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (2 IoCs)
    description | ioc | Process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defiZZUuQa.js | WScript.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defiZZUuQa.js | WScript.exe
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
    description | ioc | Process
    Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | wscript.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    description | pid | Process
    Token: SeDebugPrivilege | 1452 | dl-14557345408854760970946257096.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
    pid | Process
    4968 | javaw.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
    description | pid | Process | procid_target
    PID 1716 wrote to memory of 5008 | 1716 | wscript.exe | 81
    PID 1716 wrote to memory of 5008 | 1716 | wscript.exe | 81
    PID 1716 wrote to memory of 4968 | 1716 | wscript.exe | 82
    PID 1716 wrote to memory of 4968 | 1716 | wscript.exe | 82
    PID 4968 wrote to memory of 1452 | 4968 | javaw.exe | 83
    PID 4968 wrote to memory of 1452 | 4968 | javaw.exe | 83
    PID 4968 wrote to memory of 1452 | 4968 | javaw.exe | 83
Processes
- C:\Windows\system32\wscript.exe (PID 1716, depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order for October.js"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 5008, depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\defiZZUuQa.js"
    Signatures: Blocklisted process makes network request; Drops startup file
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 4968, depth 2)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ygmkskfjyh.txt"
    Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\dl-14557345408854760970946257096.exe (PID 1452, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\dl-14557345408854760970946257096.exe
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
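The process tree and signatures above describe a chain that is easy to express as host-side detection logic: wscript.exe runs the .js from Temp and queries Control Panel\International\Geo\Nation, a second WScript.exe instance runs a copy from Roaming and writes defiZZUuQa.js into the Startup folder, javaw.exe is started with -jar pointing at a .txt file in Roaming, and javaw.exe then launches dl-...exe from Local\Temp. The script below is an added example, not part of the Triage report and not a rule from any vendor; it assumes Sysmon-style event fields (EventID 1 process creation, 11 file creation, 12/13 registry events, with Image, ParentImage, CommandLine, TargetFilename and TargetObject) and runs over constructed events that mirror this report, plus one benign javaw.exe launch as a control.

```python
"""Added example: detection logic for the behaviours flagged in this sandbox run.

Assumes Sysmon-style event dictionaries (field names below are Sysmon's); the
SAMPLE_EVENTS list is constructed from the report's process tree and IoCs.
"""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_HOSTS = {"javaw.exe", "java.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Value passed to -jar, quoted or bare.
JAR_ARG_RE = re.compile(r'-jar\s+(?:"([^"]*)"|(\S+))', re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)

SID = r"S-1-5-21-2295526160-1155304984-640977766-1000"  # from the report
JAVAW = r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"

# Constructed events mirroring the report; the last one is a benign control.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 1716, "ParentProcessId": 4000,
     "Image": r"C:\Windows\system32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\New Order for October.js"'},
    {"EventID": 13, "ProcessId": 1716, "Image": r"C:\Windows\system32\wscript.exe",
     "TargetObject": r"\REGISTRY\USER\%s\Control Panel\International\Geo\Nation" % SID},
    {"EventID": 1, "ProcessId": 5008, "ParentProcessId": 1716,
     "Image": r"C:\Windows\System32\WScript.exe", "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\defiZZUuQa.js"'},
    {"EventID": 11, "ProcessId": 5008, "Image": r"C:\Windows\System32\WScript.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\defiZZUuQa.js"},
    {"EventID": 1, "ProcessId": 4968, "ParentProcessId": 1716,
     "Image": JAVAW, "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": '"%s" -jar "C:\\Users\\Admin\\AppData\\Roaming\\ygmkskfjyh.txt"' % JAVAW},
    {"EventID": 1, "ProcessId": 1452, "ParentProcessId": 4968,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\dl-14557345408854760970946257096.exe",
     "ParentImage": JAVAW,
     "CommandLine": r"C:\Users\Admin\AppData\Local\Temp\dl-14557345408854760970946257096.exe"},
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 4000,  # benign control
     "Image": JAVAW, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"%s" -jar "C:\\Program Files\\SomeApp\\app.jar"' % JAVAW},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Return one hit per matched rule: {'rule', 'pid', 'evidence'}."""
    hits: List[Dict] = []

    def hit(rule: str, ev: Dict, evidence: str) -> None:
        hits.append({"rule": rule, "pid": ev["ProcessId"], "evidence": evidence})

    for ev in events:
        eid = ev["EventID"]
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        if eid == 1:
            cmd = ev.get("CommandLine", "")
            # Script host handing off to the JRE is the pivot seen in this report.
            if image in JAVA_HOSTS and parent in SCRIPT_HOSTS:
                hit("script_host_spawns_java", ev, cmd)
            # -jar against something not named *.jar (here a .txt in Roaming).
            m = JAR_ARG_RE.search(cmd)
            if image in JAVA_HOSTS and m:
                jar = m.group(1) or m.group(2)
                if not jar.lower().endswith(".jar"):
                    hit("jar_with_nonjar_extension", ev, jar)
            # JRE starting a fresh executable out of a user-writable directory.
            if parent in JAVA_HOSTS and USER_WRITABLE_RE.search(ev.get("Image", "")):
                hit("java_spawns_exe_from_user_dir", ev, ev["Image"])
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if (image in SCRIPT_HOSTS and STARTUP_RE.search(target)
                    and target.lower().endswith(SCRIPT_EXTS)):
                hit("script_dropped_to_startup", ev, target)
        elif eid in (12, 13):
            target = ev.get("TargetObject", "")
            if image in SCRIPT_HOSTS and GEO_NATION_RE.search(target):
                hit("script_host_geofence_lookup", ev, target)
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print("%-32s pid=%-5d %s" % (h["rule"], h["pid"], h["evidence"]))
```

Each rule is written so that the benign control (javaw.exe launched by explorer.exe with a real .jar under Program Files) produces no hit; in production the Geo\Nation and Startup-folder rules are the noisier two and are best combined with the script-host-to-java pivot on the same process tree before alerting.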
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 7KB
  MD5: 2febb58744b8f59fe8fcdce3bd4f4aa8
  SHA1: 629cf9935873f774f9c3115a59109253ece7cd00
  SHA256: b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
  SHA512: 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619
- Filesize: 7KB
  MD5: 2febb58744b8f59fe8fcdce3bd4f4aa8
  SHA1: 629cf9935873f774f9c3115a59109253ece7cd00
  SHA256: b0a8c5dd26ed95dc30f3ad761fef82317011f357c6bc78634331a74cff7d7284
  SHA512: 854935f36be0317641598b8a25e31e170b311c3106fb94ce6d77d89b8a7080b5bce42357b450b4529b57f6834d40bd221a021a511b3ed12e8ebae43edbac3619
- Filesize: 7KB
  MD5: 98d232bcf565c9a3c5ff09ed4b2364b7
  SHA1: 53a54e4c6966c9fb39595bd894e1b5c30ab6eb5d
  SHA256: 80853e9a1aabaa758853c4708f7aa5833038cc528f978c054a0e4b7fdfb6803c
  SHA512: 00208ded48b462e2bb45825994aa7e3d7a9bad78282bbeba4bf04aa7141d1773af1b7a85e4bd4585294a32195943a188c1c64798995ae51ade2c91c11cdf779d
- Filesize: 51KB
  MD5: cb149aabfbfca9669536c2ad4bdec4c4
  SHA1: 42077d0d29634eb7f6034fdf9c69b858d8a399b2
  SHA256: d5976ed8b73fa654dfdcb9a46ddf033d38097f34b93548f8cd509eb33d9de4b0
  SHA512: a7e143c6ccaa44d62cec7332220e428b368b085853d7b7f2d08d2196518c3079ffe405b3b2ee48ae5679519d6a74ac50dd8d0b01d6e8c4d0a30ff8b1774395b3