2fa5e4ba5cf948e81cb98805d518dd138a6e37c3468edbfd4b4453d4b727e609

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2022, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203.js
Size

103KB
MD5

cca726890dc96c8e4c2e7a1046919673
SHA1

ea73666e4958ac826a40cff15897d7c3f57296dd
SHA256

a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203
SHA512

b9f3bf6baee1edd5ffa63c0b72e8f48d7104c22d80184e1fd0f718920fb5fdb1a6cb7bc24d365b3e7b159a2c01eae55e8c69f60d7133066d1c4b8f14c03b3082
SSDEEP

1536:Xz8n0APEJjnb32DAhUwAdwnk11/qCakPqldWHazCU0guDznDNOqFsp7wElusE:Xw0cElnZWGk11/3aOccHsCGEDLR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	wscript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1976	javaw.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4356	4880	wscript.exe	84
PID 4880 wrote to memory of 4356	4880	wscript.exe	84
PID 4356 wrote to memory of 4840	4356	java.exe	87
PID 4356 wrote to memory of 4840	4356	java.exe	87
PID 4840 wrote to memory of 4492	4840	wscript.exe	88
PID 4840 wrote to memory of 4492	4840	wscript.exe	88
PID 4840 wrote to memory of 1976	4840	wscript.exe	89
PID 4840 wrote to memory of 1976	4840	wscript.exe	89

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\a559a94db8c05582df7cb6f5f1ba78d5cd24ea3b4b2aa46774dcd0caa933a203.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Program Files\Java\jre1.8.0_66\bin\java.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\fWcSaqFtrV_joshh.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\SYSTEM32\wscript.exe
    wscript C:\Users\Admin\bhyhnagjke.js
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\QHTxGiGEkN.js"
      4⤵
      PID:4492
  - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ujzxklve.txt"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
28da5a77419e2ab27dd5f164b4b2c94a

SHA1
e8233d17e728c92dd5213696c499d210a04a3875

SHA256
704334895497a19ca9f5dadcd93fdeee4cdc1a1156d5df7f7f71f0dd2ad995a8

SHA512
f6122deca1227ad18aff7b3d68f3b12723cea43a8cf9865ec9fa6e120ae0d6259ddefc675933a1ee1626aa23f4a69547f06f73ebfafeadcbb3a1c0fd8a7de855

Download Submit
C:\Users\Admin\AppData\Roaming\QHTxGiGEkN.js

Filesize
5KB

MD5
29d07d51b50bd02c9ea861947aef094e

SHA1
8c7644147a6ba7df15eafc5d9eb0af36d3a7c12a

SHA256
8a36c228e4504ef2b5ad351c33b33dc16bc38928a76e080b1771cb8da3e98b8e

SHA512
1e242e59575ba6d4c7a37fa392eecfd9b5320b459daf52296efc09db56423ff9131a376ed7060e5db6a550a5aa36a46bd87fc7d88acd55776a262d36feacdda2

Download Submit
C:\Users\Admin\AppData\Roaming\fWcSaqFtrV_joshh.jar

Filesize
76KB

MD5
732e9b52bc467471dd11ea19d53019f3

SHA1
89d460d4d681fc414251be91593b1ed8e4479e4a

SHA256
3dfd620871224e7859cac24f9015ac113c71d565ff772e105b681faa56456367

SHA512
e9d76a5fb509bbb4b089ba0bec09b072b2deaeef8d40a01bcb27a30fa78af5c6fa71e7e9b3fb4d3a15e7259ec30fb525dc867ce5a7550860eec10a1f28d7c4cf

Download Submit
C:\Users\Admin\AppData\Roaming\ujzxklve.txt

Filesize
51KB

MD5
9a0bc9a1a7c150bf1be23681096dbf4d

SHA1
5caaaa9371e018dd2f3b6f2544e635d868bfe22f

SHA256
50e23d069187744a2d3f5d1acfde6506d30e304f0f3d92c57efba9aa061de3a3

SHA512
4de80535f01bdc4ddd74bdb584e388b6f8ff3d37c69229829bee084807244d14bd6a28a5fa46f5dcbde1094ba761509a7684039368a7dd0744ac8b2f6f375118

Download Submit
C:\Users\Admin\bhyhnagjke.js

Filesize
117KB

MD5
94ca09268c0488ec944811dabb245c3f

SHA1
5ef967be13f98d14fa21eb75b9aec270e42565d8

SHA256
a574ae4f26865b4b8756a7289692a240a2bde2a54170c8ed5ccbf1e1e1775a12

SHA512
5ccf9930f61e3e03d8f89db72f3295053e378578bf4936c87d15f539ede204104cb56404f98fcaaa8838dd4973f425e34ef7f6a5b671a744aaba9b48a1de2ea2

Download Submit
memory/1976-160-0x0000000003080000-0x0000000004080000-memory.dmp

Filesize
16.0MB

Download
memory/1976-163-0x0000000003080000-0x0000000004080000-memory.dmp

Filesize
16.0MB

Download
memory/1976-167-0x0000000003080000-0x0000000004080000-memory.dmp

Filesize
16.0MB

Download
memory/4356-138-0x0000000002800000-0x0000000003800000-memory.dmp

Filesize
16.0MB

Download