Analysis
max time kernel: 63s
max time network: 132s
platform: windows7_x64
resource: win7
submitted: 10/07/2020, 07:19
Static task: static1
Behavioral task: behavioral1
  Sample: b0a88a803f35ab00b35171aaf61e6f17.jar
  Resource: win7
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: b0a88a803f35ab00b35171aaf61e6f17.jar
  Resource: win10
  0 signatures, 0 seconds
General
Target: b0a88a803f35ab00b35171aaf61e6f17.jar
Size: 437KB
MD5: b0a88a803f35ab00b35171aaf61e6f17
SHA1: f3987e79b8d2f890bd6304e19887ca08dc3e8b17
SHA256: 0dd2914c7d8afce5153d8b1c96bc1645b91407dd636184bc13c8b6a367ef7a26
SHA512: 9e8a618be9d12de7758210dff2b27df1b7b1eda2b109c456ad4a8188b37f5efc5dc7e3653dcff51d63bbe71e2a711c6ddfdc09475da8fb5fd2c76097ef45df60
Score: 7/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory 45 IoCs
description | pid | Process | procid_target | count
PID 1088 wrote to memory of 108 | 1088 | java.exe | 25 | 3
PID 1088 wrote to memory of 304 | 1088 | java.exe | 26 | 3
PID 304 wrote to memory of 792 | 304 | cmd.exe | 27 | 3
PID 1088 wrote to memory of 1632 | 1088 | java.exe | 28 | 3
PID 1632 wrote to memory of 1040 | 1632 | cmd.exe | 29 | 3
PID 1088 wrote to memory of 1664 | 1088 | java.exe | 30 | 3
PID 1088 wrote to memory of 1780 | 1088 | java.exe | 31 | 3
PID 1088 wrote to memory of 1788 | 1088 | java.exe | 32 | 3
PID 1088 wrote to memory of 1816 | 1088 | java.exe | 33 | 3
PID 1088 wrote to memory of 1832 | 1088 | java.exe | 34 | 3
PID 1088 wrote to memory of 1344 | 1088 | java.exe | 35 | 3
PID 1088 wrote to memory of 1176 | 1088 | java.exe | 36 | 3
PID 1088 wrote to memory of 1840 | 1088 | java.exe | 37 | 3
PID 1088 wrote to memory of 1612 | 1088 | java.exe | 38 | 3
PID 1612 wrote to memory of 1576 | 1612 | cmd.exe | 39 | 3
(each entry is recorded three times in the report; the count column gives the number of occurrences)
Suspicious use of AdjustPrivilegeToken 120 IoCs
description | pid | Process
Each of the three WMIC.exe processes below enables the same 20 tokens, and each token entry is recorded twice in the report (3 x 20 x 2 = 120).
Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Token: (all 20 above, twice each) | 792 | WMIC.exe
Token: (all 20 above, twice each) | 1040 | WMIC.exe
Token: (all 20 above, twice each) | 1576 | WMIC.exe
Loads dropped DLL 1 IoCs
pid | Process
1088 | java.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\AkwOK | java.exe
File opened for modification | C:\Windows\System32\AkwOK | java.exe
Views/modifies file attributes 1 TTPs 8 IoCs
pid | Process
1664 | attrib.exe
1780 | attrib.exe
1788 | attrib.exe
1816 | attrib.exe
1832 | attrib.exe
1344 | attrib.exe
1176 | attrib.exe
1840 | attrib.exe
Adds Run entry to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | java.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BcHSiEX = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\PLSnk\\AMQaB.class\"" | java.exe
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run | java.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\BcHSiEX = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\PLSnk\\AMQaB.class\"" | java.exe
Drops desktop.ini file(s) 4 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\PLSnk\Desktop.ini | java.exe
File created | C:\Users\Admin\PLSnk\Desktop.ini | java.exe
File opened for modification | C:\Users\Admin\PLSnk\Desktop.ini | attrib.exe
File opened for modification | C:\Users\Admin\PLSnk\Desktop.ini | attrib.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1088 | java.exe
Processes
C:\Windows\system32\java.exe  java -jar C:\Users\Admin\AppData\Local\Temp\b0a88a803f35ab00b35171aaf61e6f17.jar  (PID: 1088)
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Adds Run entry to start application
  - Drops desktop.ini file(s)
  - Suspicious use of SetWindowsHookEx
  C:\Windows\system32\cmd.exe  cmd.exe  (PID: 108)
  C:\Windows\system32\cmd.exe  cmd.exe  (PID: 304)
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List  (PID: 792)
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe  cmd.exe  (PID: 1632)
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List  (PID: 1040)
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\attrib.exe  attrib +h C:\Users\Admin\Oracle  (PID: 1664)
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe  attrib +h +r +s C:\Users\Admin\.ntusernt.ini  (PID: 1780)
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe  attrib -s -r C:\Users\Admin\PLSnk\Desktop.ini  (PID: 1788)
    - Views/modifies file attributes
    - Drops desktop.ini file(s)
  C:\Windows\system32\attrib.exe  attrib +s +r C:\Users\Admin\PLSnk\Desktop.ini  (PID: 1816)
    - Views/modifies file attributes
    - Drops desktop.ini file(s)
  C:\Windows\system32\attrib.exe  attrib -s -r C:\Users\Admin\PLSnk  (PID: 1832)
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe  attrib +s +r C:\Users\Admin\PLSnk  (PID: 1344)
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe  attrib +h C:\Users\Admin\PLSnk  (PID: 1176)
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe  attrib +h +s +r C:\Users\Admin\PLSnk\AMQaB.class  (PID: 1840)
    - Views/modifies file attributes
  C:\Windows\system32\cmd.exe  cmd.exe  (PID: 1612)
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe  wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List  (PID: 1576)