b7f46caa4c8a8bdc972cc75781ad43cf8d8436a8640e24b03d34f02560643b70

General

Target

PO_007836547-DCAG 001_PDF.jar
Size

960KB
MD5

66054f63d4a48886cd03fd7915eed7f6
SHA1

b2024714631ce5dd5ff2e5a45b58b8c689d2c8c5
SHA256

b7f46caa4c8a8bdc972cc75781ad43cf8d8436a8640e24b03d34f02560643b70
SHA512

93b9138588da1aa0501f7498311002ce7ecf96bced09ec2796c64ef0070899246741f83bff1645d5c99e041fe9bc1f483735cb6e96d4527c8f6db7d317c1f3cb
SSDEEP

24576:pSd+wLAE4ZpkJKmUDvWtArQUEqMgSvNriU:lwS39vWaqqMNvNx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4376	javaw.exe
1876	java.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 1036	3364	java.exe	86
PID 3364 wrote to memory of 1036	3364	java.exe	86
PID 1036 wrote to memory of 4376	1036	wscript.exe	87
PID 1036 wrote to memory of 4376	1036	wscript.exe	87
PID 4376 wrote to memory of 1876	4376	javaw.exe	90
PID 4376 wrote to memory of 1876	4376	javaw.exe	90

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\PO_007836547-DCAG 001_PDF.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\erdhvdferx.js
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ursmgcqno.txt"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.374988210110932359164336263065837.class
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
a59e4f47b0f14dc45bc3137c67821d4d

SHA1
edd317e166fb3233a877e6686e216f084f651deb

SHA256
f2ca1cb46253c8efb98ec75fed105fa669e33b30919a8e239bf25eb6d833d2bd

SHA512
6e6c5385db325a3a141849cd6f975a37114dbe069a0af42e05c06450d795a5ccae898aaaf56e9929b08a200c40f9b23f07264f8dc1f886009550ba46ff6ca25d

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
5fb0cd784e33d50cf99c9574909bb18d

SHA1
087b21d88634367f690e8b670e12b147f38ed889

SHA256
f5af670f318537dd58036e1478f66e5ce7c87627f39962856dae8f0340fcb5f1

SHA512
afede44a17455e7db5ef874b6549d06e19406f751f0712cc25af68729d450d59062bfc797a6ca8cbba7f5b3171d3ae819a7c0588aa66c63afc89de879e0d86a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.374988210110932359164336263065837.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-144354903-2550862337-1367551827-1000\83aa4cc77f591dfc2374580bbd95f6ba_76cff8be-8f86-4613-9a47-5d5870acb67c

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\ursmgcqno.txt

Filesize
479KB

MD5
60c30fb124adfb6da82bf66a1f784926

SHA1
e711e91e84b0d26f305905fde683e1534e1e3980

SHA256
83a0a328d4a71e95c6a17cca54ba3ee4ae26a09d10cbdc8f689ad5325a070c80

SHA512
37d1e47274293d3710f36137effa6584240e8435ad1d83b59e64656fd09132adc3199e5660665dcdbee4f86f569bb0f905ddbe426dda8ebba3ab0cd1c1700e91

Download Submit
C:\Users\Admin\erdhvdferx.js

Filesize
4.0MB

MD5
dec1e41985af1924c4aed1fa8435f2cb

SHA1
73d000d16831db3b98719ec9b0384fb138893d96

SHA256
7c52b9f46b624904f71f6cd6e52cbfc63288cac14ccce282daa23d575a988bde

SHA512
342f595e5813825e384e6b222a564e1b2caf81107da21ee1c6393aa61ee238c4102fb59f4b9f1660555b390cbc38c173fbccb344fe8c0e82598d9ce458b40a69

Download Submit
memory/1876-185-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1876-190-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1876-234-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1876-241-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/3364-146-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3364-152-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4376-170-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/4376-199-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/4376-218-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/4376-224-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing