Analysis
-
max time kernel
152s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
24-03-2023 01:37
Static task
static1
Behavioral task
behavioral1
Sample
b7f46caa4c8a8bdc972cc75781ad43cf8d8436a8640e24b03d34f02560643b70.jar
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
b7f46caa4c8a8bdc972cc75781ad43cf8d8436a8640e24b03d34f02560643b70.jar
Resource
win10v2004-20230220-en
General
-
Target
b7f46caa4c8a8bdc972cc75781ad43cf8d8436a8640e24b03d34f02560643b70.jar
-
Size
960KB
-
MD5
66054f63d4a48886cd03fd7915eed7f6
-
SHA1
b2024714631ce5dd5ff2e5a45b58b8c689d2c8c5
-
SHA256
b7f46caa4c8a8bdc972cc75781ad43cf8d8436a8640e24b03d34f02560643b70
-
SHA512
93b9138588da1aa0501f7498311002ce7ecf96bced09ec2796c64ef0070899246741f83bff1645d5c99e041fe9bc1f483735cb6e96d4527c8f6db7d317c1f3cb
-
SSDEEP
24576:pSd+wLAE4ZpkJKmUDvWtArQUEqMgSvNriU:lwS39vWaqqMNvNx
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
javaw.exejava.exepid process 4968 javaw.exe 1360 java.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
java.exewscript.exejavaw.exedescription pid process target process PID 4632 wrote to memory of 2680 4632 java.exe wscript.exe PID 4632 wrote to memory of 2680 4632 java.exe wscript.exe PID 2680 wrote to memory of 4968 2680 wscript.exe javaw.exe PID 2680 wrote to memory of 4968 2680 wscript.exe javaw.exe PID 4968 wrote to memory of 1360 4968 javaw.exe java.exe PID 4968 wrote to memory of 1360 4968 javaw.exe java.exe
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\b7f46caa4c8a8bdc972cc75781ad43cf8d8436a8640e24b03d34f02560643b70.jar1⤵
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SYSTEM32\wscript.exewscript C:\Users\Admin\erdhvdferx.js2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\nfwdfnq.txt"3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.408462355819950834733559423992243997.class4⤵
- Suspicious use of SetWindowsHookEx
PID:1360
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD506c648e2a6477ec7c902e470adab9ca3
SHA10520db9c012dbe756b41e6e83d70fa625f52a554
SHA256e437a9056669bc612b7b4581476951223810e561334a01b7a133dd1aa88cb4f7
SHA512e8539f94bdad9331f023dd1bf28118948b72813a24c0f0bc41bd4f3d267e886c8767c5769d55157c4458207bc26acfa2a5e5887b15502ff4d56c88addb429a60
-
Filesize
50B
MD51a502dd280c9d9a055db8fc4b1810669
SHA11f7ed9f61385f5792cb073f6f6906a5a46773334
SHA256a376c5cc5df1943f3d4a3fa8e9b57f47aa6b476c31147e14c2d5a960aaa0b10f
SHA5125158753023288514e11850edc2b621b5715b28140b3b4548961854556ce827a5c1a7fc31f052ab7b77f00899dbe67bf91e95e3cc2633b19ed204f0556809c835
-
Filesize
241KB
MD5781fb531354d6f291f1ccab48da6d39f
SHA19ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA25697d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA5123e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2275444769-3691835758-4097679484-1000\83aa4cc77f591dfc2374580bbd95f6ba_6d187d53-139c-415c-b71c-a4b59992e636
Filesize45B
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize
479KB
MD560c30fb124adfb6da82bf66a1f784926
SHA1e711e91e84b0d26f305905fde683e1534e1e3980
SHA25683a0a328d4a71e95c6a17cca54ba3ee4ae26a09d10cbdc8f689ad5325a070c80
SHA51237d1e47274293d3710f36137effa6584240e8435ad1d83b59e64656fd09132adc3199e5660665dcdbee4f86f569bb0f905ddbe426dda8ebba3ab0cd1c1700e91
-
Filesize
4.0MB
MD5dec1e41985af1924c4aed1fa8435f2cb
SHA173d000d16831db3b98719ec9b0384fb138893d96
SHA2567c52b9f46b624904f71f6cd6e52cbfc63288cac14ccce282daa23d575a988bde
SHA512342f595e5813825e384e6b222a564e1b2caf81107da21ee1c6393aa61ee238c4102fb59f4b9f1660555b390cbc38c173fbccb344fe8c0e82598d9ce458b40a69