Analysis
max time kernel: 14s
max time network: 67s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-02-2023 11:51
Static task: static1
Behavioral task: behavioral1
Sample: HK SEMI CORPORATION CO,,Ltd.js
Resource: win7-20220812-en
General
Target: HK SEMI CORPORATION CO,,Ltd.js
Size: 4.6MB
MD5: 3cbcc574b184d5719059b21b9786bbf0
SHA1: 9ed29659b5b54cdf60cf2b9495224aec1a261e67
SHA256: 00b6a46542f80c34df42fe3d9e369eb7c39566e902e9ac92238dc90166446a6c
SHA512: 68d5c2e058f28c9f1760f40af8fce6b0f786a0ed4aa99cc86df227415c66688e6de1264929d937ed20d111d7551b7ec0944791a5753045ce821167b09ddac9c7
SSDEEP: 3072:2GRbdyiMKBDjY086keLyVXiQp7IayQ6Q/27SSi8s2ag6N8TiwzccqhWM307KIiWW:R06HV4dbI+eeHbESp
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    6 | 4116 | WScript.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | wscript.exe

- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrdqnzeXbF.js | WScript.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrdqnzeXbF.js | WScript.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | wscript.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
    PID 920 wrote to memory of 4116 | 920 | wscript.exe | WScript.exe
    PID 920 wrote to memory of 4116 | 920 | wscript.exe | WScript.exe
    PID 920 wrote to memory of 3168 | 920 | wscript.exe | javaw.exe
    PID 920 wrote to memory of 3168 | 920 | wscript.exe | javaw.exe
Processes
- C:\Windows\system32\wscript.exe (PID 920)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\HK SEMI CORPORATION CO,,Ltd.js"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 4116, child of 920)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\SrdqnzeXbF.js"
    - Blocklisted process makes network request
    - Drops startup file
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 3168, child of 920)
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rjyukyvuwo.txt"
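The process tree above is the whole story of this sample: a script host reads the Geo\Nation registry value, drops a second .js into the Startup folder, and launches javaw.exe with a -jar argument pointing at a file whose extension is .txt rather than .jar, under AppData\Roaming. The following is an added example (not part of this sandbox report or its tooling) showing how those four observations turn into detection logic run over Sysmon-style process, file and registry events. The events are constructed from the report's process tree and IoCs; the parent of PID 920, the benign control event (PID 5000) and the rule names are assumptions.

```python
"""Detection logic for the dropper chain in this report, run over constructed
Sysmon-style events. Added example: not part of the sandbox report or its tooling.
Rule names are hypothetical. Events are built from the report's process tree and
IoCs; the parent of PID 920 and the benign control event (PID 5000) are assumed."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_HOSTS = {"javaw.exe", "java.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
GEO_NATION = "\\control panel\\international\\geo\\nation"   # suffix of the queried key
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# SID, images, command lines and targets are copied from the report.
SID = "S-1-5-21-929662420-1054238289-2961194603-1000"
EVENTS = [
    {"type": "process", "pid": 920, "image": r"C:\Windows\system32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",  # assumed parent; the report does not show it
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\HK SEMI CORPORATION CO,,Ltd.js"'},
    {"type": "registry", "pid": 920, "image": r"C:\Windows\system32\wscript.exe", "op": "QueryValue",
     "target": "\\REGISTRY\\USER\\" + SID + r"\Control Panel\International\Geo\Nation"},
    {"type": "process", "pid": 4116, "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\SrdqnzeXbF.js"'},
    {"type": "process", "pid": 3168, "image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rjyukyvuwo.txt"'},
    {"type": "file", "pid": 4116, "image": r"C:\Windows\System32\WScript.exe", "op": "Create",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrdqnzeXbF.js"},
    # Constructed benign control: a real .jar under Program Files launched by explorer must not fire.
    {"type": "process", "pid": 5000, "image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Program Files\SomeTool\tool.jar"'},
]


def basename(path):
    return ntpath.basename(path).lower()


def jar_target(cmdline):
    """Path passed to -jar (quoted or bare); None if the command line has no -jar."""
    m = re.search(r'-jar\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def script_arg(cmdline):
    """Last quoted or bare argument of a script-host command line (the script path)."""
    args = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    return (args[-1][0] or args[-1][1]) if args else ""


def evaluate(events):
    """Return (rule, pid) pairs, in event order, for every rule an event satisfies."""
    hits = []
    for ev in events:
        img = basename(ev["image"])
        if ev["type"] == "process":
            parent = basename(ev.get("parent_image", ""))
            jar = jar_target(ev["cmdline"])
            # Script host launching Java with -jar: the wscript.exe -> javaw.exe edge in the tree.
            if parent in SCRIPT_HOSTS and img in JAVA_HOSTS and jar:
                hits.append(("script_host_spawns_java", ev["pid"]))
            # -jar target under AppData whose extension is not .jar (here: rjyukyvuwo.txt).
            if img in JAVA_HOSTS and jar and "\\appdata\\" in jar.lower() \
                    and ntpath.splitext(jar.lower())[1] != ".jar":
                hits.append(("jar_with_disguised_extension", ev["pid"]))
            # Script host running a script straight out of %AppData%\Roaming (second-stage .js).
            if img in SCRIPT_HOSTS:
                script = script_arg(ev["cmdline"]).lower()
                if "\\appdata\\roaming\\" in script and ntpath.splitext(script)[1] in SCRIPT_EXTS:
                    hits.append(("script_host_from_roaming", ev["pid"]))
        elif ev["type"] == "file":
            target = ev["target"].lower()
            if STARTUP_DIR in target and ntpath.splitext(target)[1] in SCRIPT_EXTS:
                hits.append(("startup_folder_script_drop", ev["pid"]))
        elif ev["type"] == "registry":
            if img in SCRIPT_HOSTS and ev["target"].lower().endswith(GEO_NATION):
                hits.append(("geo_nation_registry_query", ev["pid"]))
    return hits


def rules_by_pid(events):
    """Group rule hits per PID so the three stages of the chain can be read together."""
    out = {}
    for rule, pid in evaluate(events):
        out.setdefault(pid, []).append(rule)
    return out


def flagged_pids(events):
    return sorted(rules_by_pid(events))


if __name__ == "__main__":
    for pid, rules in sorted(rules_by_pid(EVENTS).items()):
        print(pid, ", ".join(rules))
```

The control event is the important part of the design: a legitimately installed .jar launched from Program Files by explorer.exe satisfies none of the rules, so the signal comes from the combination of script-host parent, AppData location and mismatched extension rather than from javaw.exe alone. The mapping from PID to rules also reproduces the report's attribution: PID 920 (geofence check), PID 4116 (second-stage script and Startup persistence) and PID 3168 (the disguised JAR).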
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\SrdqnzeXbF.js
  Filesize: 346KB
  MD5: 4e73d37c3f3e7adab48a636d20e7b4a5
  SHA1: b7148b18df8df7e731694043ceb2050e3463f99c
  SHA256: 7a4ae69336738bf3431e38c7a1abf0190f1f074b13447914cd42604c7174254e
  SHA512: 6a3565af24a0e8a4a2e046752ea0f1d966013d3e6bc10a755b3f13eb33c63487fef2698217e54f87d2c314d38760fe079004798d1c7b860b1960d75b5798b1b9

- C:\Users\Admin\AppData\Roaming\rjyukyvuwo.txt
  Filesize: 164KB
  MD5: da535bbab93f526e10242ab516b0288b
  SHA1: d8b7c7075828195a0c63850d226e2b01492536b4
  SHA256: 9323684aebe7748204540c226f533dc327074e3aa4b238970d9484a1c8abc426
  SHA512: 0d2025ab35e533d2ca1142006326c1573055560bea5b311fec5ddf129d5bce3be2778264e58bf183ee6fa9ee681cf3c652f20ab3aae789e96cb3796f7ed65af8

- memory/3168-134-0x0000000000000000-mapping.dmp

- memory/3168-138-0x0000000002B10000-0x0000000003B10000-memory.dmp
  Filesize: 16.0MB

- memory/3168-162-0x0000000002B10000-0x0000000003B10000-memory.dmp
  Filesize: 16.0MB

- memory/3168-169-0x0000000002B10000-0x0000000003B10000-memory.dmp
  Filesize: 16.0MB

- memory/3168-175-0x0000000002B10000-0x0000000003B10000-memory.dmp
  Filesize: 16.0MB

- memory/3168-176-0x0000000002B10000-0x0000000003B10000-memory.dmp
  Filesize: 16.0MB

- memory/4116-132-0x0000000000000000-mapping.dmp