Analysis
- max time kernel: 95s
- max time network: 137s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 09:04

Static task: static1

Behavioral task: behavioral1
- Sample: 592670141212ce04a94fcd42025cb737.jar
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: 592670141212ce04a94fcd42025cb737.jar
- Resource: win10v200430 (windows10_x64)
- 0 signatures
- 0 seconds

General
- Target: 592670141212ce04a94fcd42025cb737.jar
- Size: 398KB
- MD5: 592670141212ce04a94fcd42025cb737
- SHA1: 6715a31d0f2dad4c6eb693e3f85346878676a8cb
- SHA256: 93a5114ba8e127e9764c5306a3de171bd0e500e4aff5c0d5d13c55850955d031
- SHA512: dcb53f6baaba7fbf8d4ceccf6c8b488086502c308a625960d8f7b22f7f5af05788c303afc5af8b573d57e3e33441090fb1dfbe05cf9d318648a185a462abcb58
- Score: 7/10

Malware Config

Signatures
Suspicious use of AdjustPrivilegeToken (126 IoCs)
Processes:

| description | pid | process |
|---|---|---|
| Token: SeIncreaseQuotaPrivilege | 1768 | WMIC.exe |
| Token: SeSecurityPrivilege | 1768 | WMIC.exe |
| Token: SeTakeOwnershipPrivilege | 1768 | WMIC.exe |
| Token: SeLoadDriverPrivilege | 1768 | WMIC.exe |
| Token: SeSystemProfilePrivilege | 1768 | WMIC.exe |
| Token: SeSystemtimePrivilege | 1768 | WMIC.exe |
| Token: SeProfSingleProcessPrivilege | 1768 | WMIC.exe |
| Token: SeIncBasePriorityPrivilege | 1768 | WMIC.exe |
| Token: SeCreatePagefilePrivilege | 1768 | WMIC.exe |
| Token: SeBackupPrivilege | 1768 | WMIC.exe |
| Token: SeRestorePrivilege | 1768 | WMIC.exe |
| Token: SeShutdownPrivilege | 1768 | WMIC.exe |
| Token: SeDebugPrivilege | 1768 | WMIC.exe |
| Token: SeSystemEnvironmentPrivilege | 1768 | WMIC.exe |
| Token: SeRemoteShutdownPrivilege | 1768 | WMIC.exe |
| Token: SeUndockPrivilege | 1768 | WMIC.exe |
| Token: SeManageVolumePrivilege | 1768 | WMIC.exe |
| Token: 33 | 1768 | WMIC.exe |
| Token: 34 | 1768 | WMIC.exe |
| Token: 35 | 1768 | WMIC.exe |
| Token: 36 | 1768 | WMIC.exe |
| Token: SeIncreaseQuotaPrivilege | 1768 | WMIC.exe |
| Token: SeSecurityPrivilege | 1768 | WMIC.exe |
| Token: SeTakeOwnershipPrivilege | 1768 | WMIC.exe |
| Token: SeLoadDriverPrivilege | 1768 | WMIC.exe |
| Token: SeSystemProfilePrivilege | 1768 | WMIC.exe |
| Token: SeSystemtimePrivilege | 1768 | WMIC.exe |
| Token: SeProfSingleProcessPrivilege | 1768 | WMIC.exe |
| Token: SeIncBasePriorityPrivilege | 1768 | WMIC.exe |
| Token: SeCreatePagefilePrivilege | 1768 | WMIC.exe |
| Token: SeBackupPrivilege | 1768 | WMIC.exe |
| Token: SeRestorePrivilege | 1768 | WMIC.exe |
| Token: SeShutdownPrivilege | 1768 | WMIC.exe |
| Token: SeDebugPrivilege | 1768 | WMIC.exe |
| Token: SeSystemEnvironmentPrivilege | 1768 | WMIC.exe |
| Token: SeRemoteShutdownPrivilege | 1768 | WMIC.exe |
| Token: SeUndockPrivilege | 1768 | WMIC.exe |
| Token: SeManageVolumePrivilege | 1768 | WMIC.exe |
| Token: 33 | 1768 | WMIC.exe |
| Token: 34 | 1768 | WMIC.exe |
| Token: 35 | 1768 | WMIC.exe |
| Token: 36 | 1768 | WMIC.exe |
| Token: SeIncreaseQuotaPrivilege | 2588 | WMIC.exe |
| Token: SeSecurityPrivilege | 2588 | WMIC.exe |
| Token: SeTakeOwnershipPrivilege | 2588 | WMIC.exe |
| Token: SeLoadDriverPrivilege | 2588 | WMIC.exe |
| Token: SeSystemProfilePrivilege | 2588 | WMIC.exe |
| Token: SeSystemtimePrivilege | 2588 | WMIC.exe |
| Token: SeProfSingleProcessPrivilege | 2588 | WMIC.exe |
| Token: SeIncBasePriorityPrivilege | 2588 | WMIC.exe |
| Token: SeCreatePagefilePrivilege | 2588 | WMIC.exe |
| Token: SeBackupPrivilege | 2588 | WMIC.exe |
| Token: SeRestorePrivilege | 2588 | WMIC.exe |
| Token: SeShutdownPrivilege | 2588 | WMIC.exe |
| Token: SeDebugPrivilege | 2588 | WMIC.exe |
| Token: SeSystemEnvironmentPrivilege | 2588 | WMIC.exe |
| Token: SeRemoteShutdownPrivilege | 2588 | WMIC.exe |
| Token: SeUndockPrivilege | 2588 | WMIC.exe |
| Token: SeManageVolumePrivilege | 2588 | WMIC.exe |
| Token: 33 | 2588 | WMIC.exe |
| Token: 34 | 2588 | WMIC.exe |
| Token: 35 | 2588 | WMIC.exe |
| Token: 36 | 2588 | WMIC.exe |
| Token: SeIncreaseQuotaPrivilege | 2588 | WMIC.exe |
Loads dropped DLL (1 IoC)
Processes:

| pid | process |
|---|---|
| 2536 | java.exe |
Drops file in System32 directory (2 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\System32\DXOwn | java.exe |
| File created | C:\Windows\System32\DXOwn | java.exe |
Views/modifies file attributes (1 TTP, 8 IoCs)
Processes:

| pid | process |
|---|---|
| 3584 | attrib.exe |
| 2820 | attrib.exe |
| 3900 | attrib.exe |
| 3324 | attrib.exe |
| 3884 | attrib.exe |
| 3956 | attrib.exe |
| 3848 | attrib.exe |
| 2960 | attrib.exe |
Adds Run entry to start application (2 TTPs, 4 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | java.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hcoOPuR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ldeoi\\DMLbH.class\"" | java.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run | java.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\hcoOPuR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ldeoi\\DMLbH.class\"" | java.exe |
Drops desktop.ini file(s) (4 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Users\Admin\ldeoi\Desktop.ini | java.exe |
| File created | C:\Users\Admin\ldeoi\Desktop.ini | java.exe |
| File opened for modification | C:\Users\Admin\ldeoi\Desktop.ini | attrib.exe |
| File opened for modification | C:\Users\Admin\ldeoi\Desktop.ini | attrib.exe |
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:

| pid | process |
|---|---|
| 2536 | java.exe |
Suspicious use of WriteProcessMemory (30 IoCs)
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 2536 wrote to memory of 1704 | 2536 | java.exe | cmd.exe |
| PID 2536 wrote to memory of 1704 | 2536 | java.exe | cmd.exe |
| PID 2536 wrote to memory of 1816 | 2536 | java.exe | cmd.exe |
| PID 2536 wrote to memory of 1816 | 2536 | java.exe | cmd.exe |
| PID 1816 wrote to memory of 1768 | 1816 | cmd.exe | WMIC.exe |
| PID 1816 wrote to memory of 1768 | 1816 | cmd.exe | WMIC.exe |
| PID 2536 wrote to memory of 2100 | 2536 | java.exe | cmd.exe |
| PID 2536 wrote to memory of 2100 | 2536 | java.exe | cmd.exe |
| PID 2100 wrote to memory of 2588 | 2100 | cmd.exe | WMIC.exe |
| PID 2100 wrote to memory of 2588 | 2100 | cmd.exe | WMIC.exe |
| PID 2536 wrote to memory of 2820 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 2820 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 3900 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 3900 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 3324 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 3324 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 3884 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 3884 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 3956 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 3956 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 3848 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 3848 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 2960 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 2960 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 3584 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 3584 | 2536 | java.exe | attrib.exe |
| PID 2536 wrote to memory of 4000 | 2536 | java.exe | cmd.exe |
| PID 2536 wrote to memory of 4000 | 2536 | java.exe | cmd.exe |
| PID 4000 wrote to memory of 2880 | 4000 | cmd.exe | WMIC.exe |
| PID 4000 wrote to memory of 2880 | 4000 | cmd.exe | WMIC.exe |
Processes (process tree; indentation shows parent/child depth)

- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\592670141212ce04a94fcd42025cb737.jar
  Signatures: Loads dropped DLL; Drops file in System32 directory; Adds Run entry to start application; Drops desktop.ini file(s); Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\attrib.exe
    Command line: attrib +h C:\Users\Admin\Oracle
    Signatures: Views/modifies file attributes
  - C:\Windows\SYSTEM32\attrib.exe
    Command line: attrib +h +r +s C:\Users\Admin\.ntusernt.ini
    Signatures: Views/modifies file attributes
  - C:\Windows\SYSTEM32\attrib.exe
    Command line: attrib -s -r C:\Users\Admin\ldeoi\Desktop.ini
    Signatures: Views/modifies file attributes; Drops desktop.ini file(s)
  - C:\Windows\SYSTEM32\attrib.exe
    Command line: attrib +s +r C:\Users\Admin\ldeoi\Desktop.ini
    Signatures: Views/modifies file attributes; Drops desktop.ini file(s)
  - C:\Windows\SYSTEM32\attrib.exe
    Command line: attrib -s -r C:\Users\Admin\ldeoi
    Signatures: Views/modifies file attributes
  - C:\Windows\SYSTEM32\attrib.exe
    Command line: attrib +s +r C:\Users\Admin\ldeoi
    Signatures: Views/modifies file attributes
  - C:\Windows\SYSTEM32\attrib.exe
    Command line: attrib +h C:\Users\Admin\ldeoi
    Signatures: Views/modifies file attributes
  - C:\Windows\SYSTEM32\attrib.exe
    Command line: attrib +h +s +r C:\Users\Admin\ldeoi\DMLbH.class
    Signatures: Views/modifies file attributes
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (dropped files)
- C:\Users\Admin\.ntusernt.ini
- C:\Users\Admin\ldeoi\DMLbH.class
- C:\Users\Admin\ldeoi\Desktop.ini
- \Users\Admin\AppData\Local\Temp\ZyNwHCDvAH8627028277258410659.xml