Analysis

  • max time kernel
    86s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    30-06-2020 09:04

General

  • Target

    592670141212ce04a94fcd42025cb737.jar

  • Size

    398KB

  • MD5

    592670141212ce04a94fcd42025cb737

  • SHA1

    6715a31d0f2dad4c6eb693e3f85346878676a8cb

  • SHA256

    93a5114ba8e127e9764c5306a3de171bd0e500e4aff5c0d5d13c55850955d031

  • SHA512

    dcb53f6baaba7fbf8d4ceccf6c8b488086502c308a625960d8f7b22f7f5af05788c303afc5af8b573d57e3e33441090fb1dfbe05cf9d318648a185a462abcb58

Score
7/10

Malware Config

Signatures

  • Adds Run entry to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 120 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\592670141212ce04a94fcd42025cb737.jar
    1⤵
    • Adds Run entry to start application
    • Drops desktop.ini file(s)
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    • Drops file in System32 directory
    PID:1492
    • C:\Windows\system32\cmd.exe
      cmd.exe
      2⤵
        PID:1028
      • C:\Windows\system32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:732
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1512
      • C:\Windows\system32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1768
      • C:\Windows\system32\attrib.exe
        attrib +h C:\Users\Admin\Oracle
        2⤵
        • Views/modifies file attributes
        PID:1848
      • C:\Windows\system32\attrib.exe
        attrib +h +r +s C:\Users\Admin\.ntusernt.ini
        2⤵
        • Views/modifies file attributes
        PID:1872
      • C:\Windows\system32\attrib.exe
        attrib -s -r C:\Users\Admin\ldeoi\Desktop.ini
        2⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1892
      • C:\Windows\system32\attrib.exe
        attrib +s +r C:\Users\Admin\ldeoi\Desktop.ini
        2⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1908
      • C:\Windows\system32\attrib.exe
        attrib -s -r C:\Users\Admin\ldeoi
        2⤵
        • Views/modifies file attributes
        PID:1340
      • C:\Windows\system32\attrib.exe
        attrib +s +r C:\Users\Admin\ldeoi
        2⤵
        • Views/modifies file attributes
        PID:1920
      • C:\Windows\system32\attrib.exe
        attrib +h C:\Users\Admin\ldeoi
        2⤵
        • Views/modifies file attributes
        PID:1820
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r C:\Users\Admin\ldeoi\DMLbH.class
        2⤵
        • Views/modifies file attributes
        PID:1832
      • C:\Windows\system32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
          3⤵
            PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1
  • Hidden Files and Directories (T1158): 1

Defense Evasion

  • Modify Registry (T1112): 1
  • Hidden Files and Directories (T1158): 1


Downloads

  • C:\Users\Admin\.ntusernt.ini
  • C:\Users\Admin\ldeoi\DMLbH.class
  • C:\Users\Admin\ldeoi\Desktop.ini
  • \Users\Admin\AppData\Local\Temp\RsWRlOZEph5842777760382939634.xml