Analysis
- max time kernel: 86s
- max time network: 143s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 09:04
Static task: static1
Behavioral task: behavioral1
- Sample: 592670141212ce04a94fcd42025cb737.jar
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: 592670141212ce04a94fcd42025cb737.jar
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 592670141212ce04a94fcd42025cb737.jar
- Size: 398KB
- MD5: 592670141212ce04a94fcd42025cb737
- SHA1: 6715a31d0f2dad4c6eb693e3f85346878676a8cb
- SHA256: 93a5114ba8e127e9764c5306a3de171bd0e500e4aff5c0d5d13c55850955d031
- SHA512: dcb53f6baaba7fbf8d4ceccf6c8b488086502c308a625960d8f7b22f7f5af05788c303afc5af8b573d57e3e33441090fb1dfbe05cf9d318648a185a462abcb58
- Score: 7/10
Malware Config
Signatures
Adds Run entry to start application (2 TTPs, 4 IoCs)
Processes: java.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | java.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hcoOPuR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ldeoi\\DMLbH.class\"" | java.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run | java.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\hcoOPuR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ldeoi\\DMLbH.class\"" | java.exe |
Drops desktop.ini file(s) (4 IoCs)
Processes: java.exe, attrib.exe, attrib.exe

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Users\Admin\ldeoi\Desktop.ini | java.exe |
| File created | C:\Users\Admin\ldeoi\Desktop.ini | java.exe |
| File opened for modification | C:\Users\Admin\ldeoi\Desktop.ini | attrib.exe |
| File opened for modification | C:\Users\Admin\ldeoi\Desktop.ini | attrib.exe |
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: java.exe

| pid | process |
|---|---|
| 1492 | java.exe |
Suspicious use of WriteProcessMemory (45 IoCs)
Processes: java.exe, cmd.exe, cmd.exe, cmd.exe

Each of the 15 writes below appears three times in the report, giving the 45 rows.

| description | pid | process | target process |
|---|---|---|---|
| PID 1492 wrote to memory of 1028 | 1492 | java.exe | cmd.exe |
| PID 1492 wrote to memory of 732 | 1492 | java.exe | cmd.exe |
| PID 732 wrote to memory of 1512 | 732 | cmd.exe | WMIC.exe |
| PID 1492 wrote to memory of 1784 | 1492 | java.exe | cmd.exe |
| PID 1784 wrote to memory of 1768 | 1784 | cmd.exe | WMIC.exe |
| PID 1492 wrote to memory of 1848 | 1492 | java.exe | attrib.exe |
| PID 1492 wrote to memory of 1872 | 1492 | java.exe | attrib.exe |
| PID 1492 wrote to memory of 1892 | 1492 | java.exe | attrib.exe |
| PID 1492 wrote to memory of 1908 | 1492 | java.exe | attrib.exe |
| PID 1492 wrote to memory of 1340 | 1492 | java.exe | attrib.exe |
| PID 1492 wrote to memory of 1920 | 1492 | java.exe | attrib.exe |
| PID 1492 wrote to memory of 1820 | 1492 | java.exe | attrib.exe |
| PID 1492 wrote to memory of 1832 | 1492 | java.exe | attrib.exe |
| PID 1492 wrote to memory of 1648 | 1492 | java.exe | cmd.exe |
| PID 1648 wrote to memory of 1568 | 1648 | cmd.exe | WMIC.exe |
Suspicious use of AdjustPrivilegeToken (120 IoCs)
Processes: WMIC.exe, WMIC.exe

The report's listing of the 120 token adjustments is cut off part way; the entries it does show, in reported order, are:

- PID 1512 WMIC.exe: two identical rounds of Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- PID 1768 WMIC.exe: one full round of the same 20 entries, then a second round that the listing cuts off after SeLoadDriverPrivilege
Loads dropped DLL (1 IoC)
Processes: java.exe

| pid | process |
|---|---|
| 1492 | java.exe |
Drops file in System32 directory (2 IoCs)
Processes: java.exe

| description | ioc | process |
|---|---|---|
| File created | C:\Windows\System32\MwgCk | java.exe |
| File opened for modification | C:\Windows\System32\MwgCk | java.exe |
Views/modifies file attributes (1 TTP, 8 IoCs)
Processes: attrib.exe (8 instances)

| pid | process |
|---|---|
| 1832 | attrib.exe |
| 1848 | attrib.exe |
| 1872 | attrib.exe |
| 1892 | attrib.exe |
| 1908 | attrib.exe |
| 1340 | attrib.exe |
| 1920 | attrib.exe |
| 1820 | attrib.exe |
Processes

Process tree (the number in brackets is the depth shown in the report; the line under each image path is its command line):

- [1] C:\Windows\system32\java.exe
  java -jar C:\Users\Admin\AppData\Local\Temp\592670141212ce04a94fcd42025cb737.jar
  Signatures: Adds Run entry to start application; Drops desktop.ini file(s); Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; Loads dropped DLL; Drops file in System32 directory
  - [2] C:\Windows\system32\cmd.exe
    cmd.exe
  - [2] C:\Windows\system32\cmd.exe
    cmd.exe
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      Signatures: Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    cmd.exe
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
      Signatures: Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Admin\Oracle
    Signatures: Views/modifies file attributes
  - [2] C:\Windows\system32\attrib.exe
    attrib +h +r +s C:\Users\Admin\.ntusernt.ini
    Signatures: Views/modifies file attributes
  - [2] C:\Windows\system32\attrib.exe
    attrib -s -r C:\Users\Admin\ldeoi\Desktop.ini
    Signatures: Drops desktop.ini file(s); Views/modifies file attributes
  - [2] C:\Windows\system32\attrib.exe
    attrib +s +r C:\Users\Admin\ldeoi\Desktop.ini
    Signatures: Drops desktop.ini file(s); Views/modifies file attributes
  - [2] C:\Windows\system32\attrib.exe
    attrib -s -r C:\Users\Admin\ldeoi
    Signatures: Views/modifies file attributes
  - [2] C:\Windows\system32\attrib.exe
    attrib +s +r C:\Users\Admin\ldeoi
    Signatures: Views/modifies file attributes
  - [2] C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Admin\ldeoi
    Signatures: Views/modifies file attributes
  - [2] C:\Windows\system32\attrib.exe
    attrib +h +s +r C:\Users\Admin\ldeoi\DMLbH.class
    Signatures: Views/modifies file attributes
  - [2] C:\Windows\system32\cmd.exe
    cmd.exe
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\.ntusernt.ini
- C:\Users\Admin\ldeoi\DMLbH.class
- C:\Users\Admin\ldeoi\Desktop.ini
- \Users\Admin\AppData\Local\Temp\RsWRlOZEph5842777760382939634.xml