Analysis

  • max time kernel: 152s
  • max time network: 155s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 24-03-2023 01:37

General

  • Target: b7f46caa4c8a8bdc972cc75781ad43cf8d8436a8640e24b03d34f02560643b70.jar
  • Size: 960KB
  • MD5: 66054f63d4a48886cd03fd7915eed7f6
  • SHA1: b2024714631ce5dd5ff2e5a45b58b8c689d2c8c5
  • SHA256: b7f46caa4c8a8bdc972cc75781ad43cf8d8436a8640e24b03d34f02560643b70
  • SHA512: 93b9138588da1aa0501f7498311002ce7ecf96bced09ec2796c64ef0070899246741f83bff1645d5c99e041fe9bc1f483735cb6e96d4527c8f6db7d317c1f3cb
  • SSDEEP: 24576:pSd+wLAE4ZpkJKmUDvWtArQUEqMgSvNriU:lwS39vWaqqMNvNx

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\b7f46caa4c8a8bdc972cc75781ad43cf8d8436a8640e24b03d34f02560643b70.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4632
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\erdhvdferx.js
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\nfwdfnq.txt"
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4968
        • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
          "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.408462355819950834733559423992243997.class
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:1360

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
    Filesize: 50B
    MD5: 06c648e2a6477ec7c902e470adab9ca3
    SHA1: 0520db9c012dbe756b41e6e83d70fa625f52a554
    SHA256: e437a9056669bc612b7b4581476951223810e561334a01b7a133dd1aa88cb4f7
    SHA512: e8539f94bdad9331f023dd1bf28118948b72813a24c0f0bc41bd4f3d267e886c8767c5769d55157c4458207bc26acfa2a5e5887b15502ff4d56c88addb429a60

  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
    Filesize: 50B
    MD5: 1a502dd280c9d9a055db8fc4b1810669
    SHA1: 1f7ed9f61385f5792cb073f6f6906a5a46773334
    SHA256: a376c5cc5df1943f3d4a3fa8e9b57f47aa6b476c31147e14c2d5a960aaa0b10f
    SHA512: 5158753023288514e11850edc2b621b5715b28140b3b4548961854556ce827a5c1a7fc31f052ab7b77f00899dbe67bf91e95e3cc2633b19ed204f0556809c835

  • C:\Users\Admin\AppData\Local\Temp\_0.408462355819950834733559423992243997.class
    Filesize: 241KB
    MD5: 781fb531354d6f291f1ccab48da6d39f
    SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
    SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
    SHA512: 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2275444769-3691835758-4097679484-1000\83aa4cc77f591dfc2374580bbd95f6ba_6d187d53-139c-415c-b71c-a4b59992e636
    Filesize: 45B
    MD5: c8366ae350e7019aefc9d1e6e6a498c6
    SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
    SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
    SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

  • C:\Users\Admin\AppData\Roaming\nfwdfnq.txt
    Filesize: 479KB
    MD5: 60c30fb124adfb6da82bf66a1f784926
    SHA1: e711e91e84b0d26f305905fde683e1534e1e3980
    SHA256: 83a0a328d4a71e95c6a17cca54ba3ee4ae26a09d10cbdc8f689ad5325a070c80
    SHA512: 37d1e47274293d3710f36137effa6584240e8435ad1d83b59e64656fd09132adc3199e5660665dcdbee4f86f569bb0f905ddbe426dda8ebba3ab0cd1c1700e91

  • C:\Users\Admin\erdhvdferx.js
    Filesize: 4.0MB
    MD5: dec1e41985af1924c4aed1fa8435f2cb
    SHA1: 73d000d16831db3b98719ec9b0384fb138893d96
    SHA256: 7c52b9f46b624904f71f6cd6e52cbfc63288cac14ccce282daa23d575a988bde
    SHA512: 342f595e5813825e384e6b222a564e1b2caf81107da21ee1c6393aa61ee238c4102fb59f4b9f1660555b390cbc38c173fbccb344fe8c0e82598d9ce458b40a69

  • memory/1360-183-0x0000000001550000-0x0000000001551000-memory.dmp
    Filesize: 4KB

  • memory/1360-209-0x0000000001550000-0x0000000001551000-memory.dmp
    Filesize: 4KB

  • memory/4632-147-0x0000000002990000-0x0000000002991000-memory.dmp
    Filesize: 4KB

  • memory/4632-143-0x0000000002990000-0x0000000002991000-memory.dmp
    Filesize: 4KB

  • memory/4968-165-0x0000000002440000-0x0000000002441000-memory.dmp
    Filesize: 4KB

  • memory/4968-167-0x0000000002440000-0x0000000002441000-memory.dmp
    Filesize: 4KB

  • memory/4968-206-0x0000000002440000-0x0000000002441000-memory.dmp
    Filesize: 4KB

  • memory/4968-210-0x0000000002440000-0x0000000002441000-memory.dmp
    Filesize: 4KB

  • memory/4968-224-0x0000000002440000-0x0000000002441000-memory.dmp
    Filesize: 4KB