Analysis
-
max time kernel
33s -
max time network
74s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2022 09:15
Static task
static1
Behavioral task
behavioral1
Sample
New Order Listed.jar
Resource
win7-20220812-en
General
-
Target
New Order Listed.jar
-
Size
625KB
-
MD5
ef7060fe19f235609456617c5db29960
-
SHA1
e92579699aa45c0c220a60ab2e44d404cf8406e2
-
SHA256
8a630d18544d49c354ac9298489bc83ee6f8185b09f526dac5b054147c825d15
-
SHA512
93f38f85aa8037493c79d64719a76bda272156c180f8f84f8ec5f6ee546c354e06c4a8dd37062db8af33e90c9212d2fa571a034340930928937be3a9fa5a1717
-
SSDEEP
12288:qr0SunF/IyJ/mMzn6IjWlI1ArKW4QQRwv0Ca//b87Bw:qr0LiyUynOl/rK7RWa//YW
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
javaw.exejava.exepid process 3328 javaw.exe 1600 java.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
java.exewscript.exejavaw.execmd.exejava.execmd.exedescription pid process target process PID 5020 wrote to memory of 3880 5020 java.exe wscript.exe PID 5020 wrote to memory of 3880 5020 java.exe wscript.exe PID 3880 wrote to memory of 3328 3880 wscript.exe javaw.exe PID 3880 wrote to memory of 3328 3880 wscript.exe javaw.exe PID 3328 wrote to memory of 1600 3328 javaw.exe java.exe PID 3328 wrote to memory of 1600 3328 javaw.exe java.exe PID 3328 wrote to memory of 1412 3328 javaw.exe cmd.exe PID 3328 wrote to memory of 1412 3328 javaw.exe cmd.exe PID 1412 wrote to memory of 1316 1412 cmd.exe cscript.exe PID 1412 wrote to memory of 1316 1412 cmd.exe cscript.exe PID 1600 wrote to memory of 400 1600 java.exe cmd.exe PID 1600 wrote to memory of 400 1600 java.exe cmd.exe PID 400 wrote to memory of 2404 400 cmd.exe cscript.exe PID 400 wrote to memory of 2404 400 cmd.exe cscript.exe
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\New Order Listed.jar"1⤵
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SYSTEM32\wscript.exewscript C:\Users\Admin\aujwikagze.js2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bgsejcq.txt"3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.0079580254936900691939279284758675590.class4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2982255793416034850.vbs5⤵
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2982255793416034850.vbs6⤵PID:2404
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3341669900387687107.vbs5⤵PID:4088
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3341669900387687107.vbs6⤵PID:1068
-
C:\Windows\SYSTEM32\xcopy.exexcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e5⤵PID:2848
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive298018498673715162.vbs4⤵
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive298018498673715162.vbs5⤵PID:1316
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3351153088998629481.vbs4⤵PID:4932
-
C:\Windows\system32\cscript.execscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3351153088998629481.vbs5⤵PID:852
-
C:\Windows\SYSTEM32\xcopy.exexcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e4⤵PID:4884
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD5f746d50d452d00098d8bd2ab9e183530
SHA1d177dbc5ddc9a618fbdf59aefec44ff0bd716d84
SHA256fe6238b9cf25e463365771cff2763cfcfe7397f97e1228053ab909872838b29a
SHA5126adcd3c35a5c96d0a472d794716dfce240cf0cba0420316fe78f73cb128fc56764cfcbf74a240469adbf2aa39307138d869f0f17a42cf8a0be3111d7cd436f6a
-
Filesize
50B
MD51871421dddbe6963d6c54d2261bb6df0
SHA1362334e647a22c8986a07358dd1739b99106d084
SHA2561fc465f92a6ca5db811c8176152e157d6eeb2d455246c43718d46d9b17f3122d
SHA512adcb8aa405328c803186a03881e73226cdfaeb0c7e3fc9e7a30ff3818fb3252888426debc1f114d3c55fb770b607485367e2cfdcfd08cd8da524741c94be5359
-
Filesize
276B
MD53bdfd33017806b85949b6faa7d4b98e4
SHA1f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA2569da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
-
Filesize
276B
MD53bdfd33017806b85949b6faa7d4b98e4
SHA1f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA2569da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
-
Filesize
281B
MD5a32c109297ed1ca155598cd295c26611
SHA1dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA25645bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA51270372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887
-
Filesize
281B
MD5a32c109297ed1ca155598cd295c26611
SHA1dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA25645bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA51270372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887
-
Filesize
241KB
MD5781fb531354d6f291f1ccab48da6d39f
SHA19ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA25697d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA5123e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\83aa4cc77f591dfc2374580bbd95f6ba_e32e1c79-b88e-4709-94fb-81034ca3398e
Filesize45B
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize
473KB
MD56737bfe4fcbd42c5c2523f9a2c1e2bd0
SHA12717a70cd27e1efa7a7cc133859c23165c690546
SHA256e7205e4ac04d9429510d0afa66acc703cf20fd608b19b8202e9a211dae6a4214
SHA51262a752a5a5af6dcc9643b29fe72a2f64704d4bf780ab0c80707c82691b6ed8ff762aaf353703402d40d0df0c0966fc5ce3377a17ceafc7a2c7c5eee7051a2209
-
Filesize
954KB
MD5237be564da213a0734ed20cfb241314e
SHA1504356d3ce33f34a6f8b5881dfcb4e414e959ff8
SHA256a7ed32d026c18626190178e21c7e8626b65d689215a20cca80a79b203ea262f6
SHA51231b18244c803973fb4f4842556b164c26626d23cae50638e899d115275c4e3dc4c760ee85c1df1600d41b6294d2037ee498201ad55133678455f7e0406aee6ce