Analysis

  • max time kernel
    95s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    30-06-2020 09:04

General

  • Target

    592670141212ce04a94fcd42025cb737.jar

  • Size

    398KB

  • MD5

    592670141212ce04a94fcd42025cb737

  • SHA1

    6715a31d0f2dad4c6eb693e3f85346878676a8cb

  • SHA256

    93a5114ba8e127e9764c5306a3de171bd0e500e4aff5c0d5d13c55850955d031

  • SHA512

    dcb53f6baaba7fbf8d4ceccf6c8b488086502c308a625960d8f7b22f7f5af05788c303afc5af8b573d57e3e33441090fb1dfbe05cf9d318648a185a462abcb58

Score
7/10

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 126 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs
  • Adds Run entry to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\592670141212ce04a94fcd42025cb737.jar
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Adds Run entry to start application
    • Drops desktop.ini file(s)
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      2⤵
        PID:1704
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1768
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2588
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h C:\Users\Admin\Oracle
        2⤵
        • Views/modifies file attributes
        PID:2820
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h +r +s C:\Users\Admin\.ntusernt.ini
        2⤵
        • Views/modifies file attributes
        PID:3900
      • C:\Windows\SYSTEM32\attrib.exe
        attrib -s -r C:\Users\Admin\ldeoi\Desktop.ini
        2⤵
        • Views/modifies file attributes
        • Drops desktop.ini file(s)
        PID:3324
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +s +r C:\Users\Admin\ldeoi\Desktop.ini
        2⤵
        • Views/modifies file attributes
        • Drops desktop.ini file(s)
        PID:3884
      • C:\Windows\SYSTEM32\attrib.exe
        attrib -s -r C:\Users\Admin\ldeoi
        2⤵
        • Views/modifies file attributes
        PID:3956
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +s +r C:\Users\Admin\ldeoi
        2⤵
        • Views/modifies file attributes
        PID:3848
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h C:\Users\Admin\ldeoi
        2⤵
        • Views/modifies file attributes
        PID:2960
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h +s +r C:\Users\Admin\ldeoi\DMLbH.class
        2⤵
        • Views/modifies file attributes
        PID:3584
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
          3⤵
            PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Hidden Files and Directories (1) T1158
    • Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    • Hidden Files and Directories (1) T1158
    • Modify Registry (1) T1112

Downloads

  • C:\Users\Admin\.ntusernt.ini
  • C:\Users\Admin\ldeoi\DMLbH.class
  • C:\Users\Admin\ldeoi\Desktop.ini
  • \Users\Admin\AppData\Local\Temp\ZyNwHCDvAH8627028277258410659.xml