Overview

overview

7

Static

static

41b6970717...e2.jar

windows7_x64

7

41b6970717...e2.jar

windows10_x64

7

Analysis

  • max time kernel
    63s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    09-07-2020 12:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41b697071796cd939294fab1fb9a40e2.jar

  • Size

    405KB

  • MD5

    41b697071796cd939294fab1fb9a40e2

  • SHA1

    c9159d9a726a512ca1d183ceabcda0d424c2949d

  • SHA256

    e692c0ca92af826d8e9678a29b69fe6a3a88a0d704fd84f4ef39a2b9f971714e

  • SHA512

    a9874889f9295694bb700922b72a94706032f168b442b8ec48ae82d9c6f1d7a60e956a8ecfea09d506be6aedc50d0b2874aeecb00df5511e25825fc0cb83f2af

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Views/modifies file attributes 1 TTPs 8 IoCs
    evasion
  • Adds Run entry to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 126 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\41b697071796cd939294fab1fb9a40e2.jar
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Adds Run entry to start application
    • Drops desktop.ini file(s)
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:976
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      2⤵
        PID:1768
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3980
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3252
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:632
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:912
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h C:\Users\Admin\Oracle
        2⤵
        • Views/modifies file attributes
        PID:968
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h +r +s C:\Users\Admin\.ntusernt.ini
        2⤵
        • Views/modifies file attributes
        PID:1228
      • C:\Windows\SYSTEM32\attrib.exe
        attrib -s -r C:\Users\Admin\udFoQ\Desktop.ini
        2⤵
        • Views/modifies file attributes
        • Drops desktop.ini file(s)
        PID:1500
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +s +r C:\Users\Admin\udFoQ\Desktop.ini
        2⤵
        • Views/modifies file attributes
        • Drops desktop.ini file(s)
        PID:1020
      • C:\Windows\SYSTEM32\attrib.exe
        attrib -s -r C:\Users\Admin\udFoQ
        2⤵
        • Views/modifies file attributes
        PID:3632
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +s +r C:\Users\Admin\udFoQ
        2⤵
        • Views/modifies file attributes
        PID:1728
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h C:\Users\Admin\udFoQ
        2⤵
        • Views/modifies file attributes
        PID:1644
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +h +s +r C:\Users\Admin\udFoQ\uGGbQ.class
        2⤵
        • Views/modifies file attributes
        PID:1756
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
          3⤵
            PID:2828

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\.ntusernt.ini
        Download Submit

      • C:\Users\Admin\udFoQ\Desktop.ini
        Download Submit

      • C:\Users\Admin\udFoQ\uGGbQ.class
        Download Submit

      • \Users\Admin\AppData\Local\Temp\aFDhxdqUWr1747249258539994973.xml
        Download Submit

      • memory/632-38-0x0000000000000000-mapping.dmp

        Download

      • memory/912-40-0x0000000000000000-mapping.dmp

        Download

      • memory/968-42-0x0000000000000000-mapping.dmp

        Download

      • memory/1020-48-0x0000000000000000-mapping.dmp

        Download

      • memory/1228-45-0x0000000000000000-mapping.dmp

        Download

      • memory/1500-47-0x0000000000000000-mapping.dmp

        Download

      • memory/1644-51-0x0000000000000000-mapping.dmp

        Download

      • memory/1728-50-0x0000000000000000-mapping.dmp

        Download

      • memory/1756-52-0x0000000000000000-mapping.dmp

        Download

      • memory/1768-35-0x0000000000000000-mapping.dmp

        Download

      • memory/2184-59-0x0000000000000000-mapping.dmp

        Download

      • memory/2828-60-0x0000000000000000-mapping.dmp

        Download

      • memory/3252-37-0x0000000000000000-mapping.dmp

        Download

      • memory/3632-49-0x0000000000000000-mapping.dmp

        Download

      • memory/3980-36-0x0000000000000000-mapping.dmp

        Download