Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/10/2022, 15:10

General

  • Target

    a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203.js

  • Size

    103KB

  • MD5

    cca726890dc96c8e4c2e7a1046919673

  • SHA1

    ea73666e4958ac826a40cff15897d7c3f57296dd

  • SHA256

    a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203

  • SHA512

    b9f3bf6baee1edd5ffa63c0b72e8f48d7104c22d80184e1fd0f718920fb5fdb1a6cb7bc24d365b3e7b159a2c01eae55e8c69f60d7133066d1c4b8f14c03b3082

  • SSDEEP

    1536:Xz8n0APEJjnb32DAhUwAdwnk11/qCakPqldWHazCU0guDznDNOqFsp7wElusE:Xw0cElnZWGk11/3aOccHsCGEDLR

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\fWcSaqFtrV_joshh.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\SYSTEM32\wscript.exe
        wscript C:\Users\Admin\bhyhnagjke.js
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\QHTxGiGEkN.js"
          4⤵
            PID:4492
          • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
            "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ujzxklve.txt"
            4⤵
            • Suspicious use of SetWindowsHookEx
            PID:1976

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

      Filesize

      50B

      MD5

      28da5a77419e2ab27dd5f164b4b2c94a

      SHA1

      e8233d17e728c92dd5213696c499d210a04a3875

      SHA256

      704334895497a19ca9f5dadcd93fdeee4cdc1a1156d5df7f7f71f0dd2ad995a8

      SHA512

      f6122deca1227ad18aff7b3d68f3b12723cea43a8cf9865ec9fa6e120ae0d6259ddefc675933a1ee1626aa23f4a69547f06f73ebfafeadcbb3a1c0fd8a7de855

    • C:\Users\Admin\AppData\Roaming\QHTxGiGEkN.js

      Filesize

      5KB

      MD5

      29d07d51b50bd02c9ea861947aef094e

      SHA1

      8c7644147a6ba7df15eafc5d9eb0af36d3a7c12a

      SHA256

      8a36c228e4504ef2b5ad351c33b33dc16bc38928a76e080b1771cb8da3e98b8e

      SHA512

      1e242e59575ba6d4c7a37fa392eecfd9b5320b459daf52296efc09db56423ff9131a376ed7060e5db6a550a5aa36a46bd87fc7d88acd55776a262d36feacdda2

    • C:\Users\Admin\AppData\Roaming\fWcSaqFtrV_joshh.jar

      Filesize

      76KB

      MD5

      732e9b52bc467471dd11ea19d53019f3

      SHA1

      89d460d4d681fc414251be91593b1ed8e4479e4a

      SHA256

      3dfd620871224e7859cac24f9015ac113c71d565ff772e105b681faa56456367

      SHA512

      e9d76a5fb509bbb4b089ba0bec09b072b2deaeef8d40a01bcb27a30fa78af5c6fa71e7e9b3fb4d3a15e7259ec30fb525dc867ce5a7550860eec10a1f28d7c4cf

    • C:\Users\Admin\AppData\Roaming\ujzxklve.txt

      Filesize

      51KB

      MD5

      9a0bc9a1a7c150bf1be23681096dbf4d

      SHA1

      5caaaa9371e018dd2f3b6f2544e635d868bfe22f

      SHA256

      50e23d069187744a2d3f5d1acfde6506d30e304f0f3d92c57efba9aa061de3a3

      SHA512

      4de80535f01bdc4ddd74bdb584e388b6f8ff3d37c69229829bee084807244d14bd6a28a5fa46f5dcbde1094ba761509a7684039368a7dd0744ac8b2f6f375118

    • C:\Users\Admin\bhyhnagjke.js

      Filesize

      117KB

      MD5

      94ca09268c0488ec944811dabb245c3f

      SHA1

      5ef967be13f98d14fa21eb75b9aec270e42565d8

      SHA256

      a574ae4f26865b4b8756a7289692a240a2bde2a54170c8ed5ccbf1e1e1775a12

      SHA512

      5ccf9930f61e3e03d8f89db72f3295053e378578bf4936c87d15f539ede204104cb56404f98fcaaa8838dd4973f425e34ef7f6a5b671a744aaba9b48a1de2ea2

    • memory/1976-160-0x0000000003080000-0x0000000004080000-memory.dmp

      Filesize

      16.0MB

    • memory/1976-163-0x0000000003080000-0x0000000004080000-memory.dmp

      Filesize

      16.0MB

    • memory/1976-167-0x0000000003080000-0x0000000004080000-memory.dmp

      Filesize

      16.0MB

    • memory/4356-138-0x0000000002800000-0x0000000003800000-memory.dmp

      Filesize

      16.0MB