2fa5e4ba5cf948e81cb98805d518dd138a6e37c3468edbfd4b4453d4b727e609

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17/10/2022, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203.js
Size

103KB
MD5

cca726890dc96c8e4c2e7a1046919673
SHA1

ea73666e4958ac826a40cff15897d7c3f57296dd
SHA256

a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203
SHA512

b9f3bf6baee1edd5ffa63c0b72e8f48d7104c22d80184e1fd0f718920fb5fdb1a6cb7bc24d365b3e7b159a2c01eae55e8c69f60d7133066d1c4b8f14c03b3082
SSDEEP

1536:Xz8n0APEJjnb32DAhUwAdwnk11/qCakPqldWHazCU0guDznDNOqFsp7wElusE:Xw0cElnZWGk11/3aOccHsCGEDLR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1740	javaw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 964	896	wscript.exe	27
PID 896 wrote to memory of 964	896	wscript.exe	27
PID 896 wrote to memory of 964	896	wscript.exe	27
PID 964 wrote to memory of 524	964	java.exe	29
PID 964 wrote to memory of 524	964	java.exe	29
PID 964 wrote to memory of 524	964	java.exe	29
PID 524 wrote to memory of 760	524	wscript.exe	30
PID 524 wrote to memory of 760	524	wscript.exe	30
PID 524 wrote to memory of 760	524	wscript.exe	30
PID 524 wrote to memory of 1740	524	wscript.exe	31
PID 524 wrote to memory of 1740	524	wscript.exe	31
PID 524 wrote to memory of 1740	524	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203.js
1⤵
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\System32\java.exe
  "C:\Windows\System32\java.exe" -jar "C:\Users\Admin\AppData\Roaming\fWcSaqFtrV_joshh.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\System32\wscript.exe
    wscript C:\Users\Admin\bhyhnagjke.js
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\QHTxGiGEkN.js"
      4⤵
      PID:760
  - - C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\wqnvpijnou.txt"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\QHTxGiGEkN.js

Filesize
5KB

MD5
29d07d51b50bd02c9ea861947aef094e

SHA1
8c7644147a6ba7df15eafc5d9eb0af36d3a7c12a

SHA256
8a36c228e4504ef2b5ad351c33b33dc16bc38928a76e080b1771cb8da3e98b8e

SHA512
1e242e59575ba6d4c7a37fa392eecfd9b5320b459daf52296efc09db56423ff9131a376ed7060e5db6a550a5aa36a46bd87fc7d88acd55776a262d36feacdda2

Download Submit
C:\Users\Admin\AppData\Roaming\fWcSaqFtrV_joshh.jar

Filesize
76KB

MD5
732e9b52bc467471dd11ea19d53019f3

SHA1
89d460d4d681fc414251be91593b1ed8e4479e4a

SHA256
3dfd620871224e7859cac24f9015ac113c71d565ff772e105b681faa56456367

SHA512
e9d76a5fb509bbb4b089ba0bec09b072b2deaeef8d40a01bcb27a30fa78af5c6fa71e7e9b3fb4d3a15e7259ec30fb525dc867ce5a7550860eec10a1f28d7c4cf

Download Submit
C:\Users\Admin\AppData\Roaming\wqnvpijnou.txt

Filesize
51KB

MD5
9a0bc9a1a7c150bf1be23681096dbf4d

SHA1
5caaaa9371e018dd2f3b6f2544e635d868bfe22f

SHA256
50e23d069187744a2d3f5d1acfde6506d30e304f0f3d92c57efba9aa061de3a3

SHA512
4de80535f01bdc4ddd74bdb584e388b6f8ff3d37c69229829bee084807244d14bd6a28a5fa46f5dcbde1094ba761509a7684039368a7dd0744ac8b2f6f375118

Download Submit
C:\Users\Admin\bhyhnagjke.js

Filesize
117KB

MD5
94ca09268c0488ec944811dabb245c3f

SHA1
5ef967be13f98d14fa21eb75b9aec270e42565d8

SHA256
a574ae4f26865b4b8756a7289692a240a2bde2a54170c8ed5ccbf1e1e1775a12

SHA512
5ccf9930f61e3e03d8f89db72f3295053e378578bf4936c87d15f539ede204104cb56404f98fcaaa8838dd4973f425e34ef7f6a5b671a744aaba9b48a1de2ea2

Download Submit
memory/896-54-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/964-65-0x0000000002290000-0x0000000005290000-memory.dmp

Filesize
48.0MB

Download
memory/1740-89-0x00000000021E0000-0x00000000051E0000-memory.dmp

Filesize
48.0MB

Download
memory/1740-90-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1740-91-0x00000000021E0000-0x00000000051E0000-memory.dmp

Filesize
48.0MB

Download
memory/1740-93-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download