Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-01-2021 17:50
Static task
static1
Behavioral task
behavioral1
Sample
PO-RY 001-21 Accuri.jar
Resource
win7v20201028
General
-
Target
PO-RY 001-21 Accuri.jar
-
Size
372KB
-
MD5
c57bb7c025860397afdef61c676ead90
-
SHA1
6b2195e0b140ad27c5fd909f4944b5a63c2a6e08
-
SHA256
63b3402660ff4a015ff3bf516ece2da73234e315f5b0b7235ef3c4523d846152
-
SHA512
7f1ddd540b4cb316101e1facb8a217047d607b7bcd9e888f020d2ca4fa46f0e04747fc465424f87c7e1a4c8713aa84bb34b33f4e2b97edb16d4c66392f90f6bd
Malware Config
Extracted
formbook
http://www.dmvantalya.com/bnuw/
amgggma.com
reptilerus.com
degearboss.com
jennaelsbakeshop.com
invisablescreen.com
beingsingleda.com
2nsupplements.online
12862.xyz
expand.care
romeoalchimistefullmental.com
7750166.com
brendonellis.com
sprayfoamharlemny.com
bukannyaterbuai30.com
boatpiz.com
stylistrx.com
decorationhaven.com
stockaro.com
state728.com
secretlairtoys.com
davenportnsons.com
gofetchable.com
xn--vhqqb859bnjqul4b7fg.com
jsmcareers.com
czb878.com
reformadventist.com
nishagile.com
rotalablog.com
beachesvr.com
ekpays.com
triphousestudio.com
kusytekrealities.com
madhabicorp.com
husum-ferienwohnungen.com
mitbss.com
farmersly.com
appcaoya.com
ninjawhatsapp.club
creuatrue.com
watsonmedi.com
purposelyproductivelab.com
alliswell.info
narichan01.com
racevx.xyz
swiftappliancessc.com
aiguapea.com
xn--kok-j59d107t.net
informaprofiles.com
denetimlitakip.net
xtremesupplies.com
motion-mill-tv.com
thealtxmvmt.com
sexeighty.com
kiiteblog.com
aoey.ink
tiendastags.com
politicalrefs.com
lifeinsuranceyourway.com
rozellrealtynj.com
newsparika.com
kettel.net
taxandbookkeepingsolutions.com
fashiongraphia.com
coredigit.net
Signatures
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1384-11-0x0000000000400000-0x0000000000428000-memory.dmp xloader behavioral2/memory/3980-25-0x00000000006C0000-0x00000000006E8000-memory.dmp xloader -
Executes dropped EXE 2 IoCs
Processes:
UjbG.exeUjbG.exepid process 3356 UjbG.exe 1384 UjbG.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
UjbG.exeUjbG.exemsdt.exedescription pid process target process PID 3356 set thread context of 1384 3356 UjbG.exe UjbG.exe PID 1384 set thread context of 3048 1384 UjbG.exe Explorer.EXE PID 3980 set thread context of 3048 3980 msdt.exe Explorer.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Explorer.EXE -
Modifies registry class 1 IoCs
Processes:
java.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings java.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 540 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
UjbG.exemsdt.exepid process 1384 UjbG.exe 1384 UjbG.exe 1384 UjbG.exe 1384 UjbG.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe 3980 msdt.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
UjbG.exeUjbG.exemsdt.exepid process 3356 UjbG.exe 1384 UjbG.exe 1384 UjbG.exe 1384 UjbG.exe 3980 msdt.exe 3980 msdt.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:
UjbG.exeExplorer.EXEmsdt.exedescription pid process Token: SeDebugPrivilege 1384 UjbG.exe Token: SeShutdownPrivilege 3048 Explorer.EXE Token: SeCreatePagefilePrivilege 3048 Explorer.EXE Token: SeShutdownPrivilege 3048 Explorer.EXE Token: SeCreatePagefilePrivilege 3048 Explorer.EXE Token: SeShutdownPrivilege 3048 Explorer.EXE Token: SeCreatePagefilePrivilege 3048 Explorer.EXE Token: SeShutdownPrivilege 3048 Explorer.EXE Token: SeCreatePagefilePrivilege 3048 Explorer.EXE Token: SeDebugPrivilege 3980 msdt.exe Token: SeShutdownPrivilege 3048 Explorer.EXE Token: SeCreatePagefilePrivilege 3048 Explorer.EXE Token: SeShutdownPrivilege 3048 Explorer.EXE Token: SeCreatePagefilePrivilege 3048 Explorer.EXE Token: SeShutdownPrivilege 3048 Explorer.EXE Token: SeCreatePagefilePrivilege 3048 Explorer.EXE Token: SeShutdownPrivilege 3048 Explorer.EXE Token: SeCreatePagefilePrivilege 3048 Explorer.EXE Token: SeShutdownPrivilege 3048 Explorer.EXE Token: SeCreatePagefilePrivilege 3048 Explorer.EXE Token: SeShutdownPrivilege 3048 Explorer.EXE Token: SeCreatePagefilePrivilege 3048 Explorer.EXE -
Suspicious use of FindShellTrayWindow 20 IoCs
Processes:
Explorer.EXEpid process 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE 3048 Explorer.EXE -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
java.exeEXCEL.EXEpid process 496 java.exe 540 EXCEL.EXE 540 EXCEL.EXE 540 EXCEL.EXE 540 EXCEL.EXE 540 EXCEL.EXE 540 EXCEL.EXE 540 EXCEL.EXE 540 EXCEL.EXE 540 EXCEL.EXE 540 EXCEL.EXE 540 EXCEL.EXE 540 EXCEL.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3048 Explorer.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
java.exeUjbG.execmd.exeExplorer.EXEmsdt.exedescription pid process target process PID 496 wrote to memory of 3356 496 java.exe UjbG.exe PID 496 wrote to memory of 3356 496 java.exe UjbG.exe PID 496 wrote to memory of 3356 496 java.exe UjbG.exe PID 3356 wrote to memory of 3572 3356 UjbG.exe cmd.exe PID 3356 wrote to memory of 3572 3356 UjbG.exe cmd.exe PID 3356 wrote to memory of 3572 3356 UjbG.exe cmd.exe PID 3356 wrote to memory of 1384 3356 UjbG.exe UjbG.exe PID 3356 wrote to memory of 1384 3356 UjbG.exe UjbG.exe PID 3356 wrote to memory of 1384 3356 UjbG.exe UjbG.exe PID 3356 wrote to memory of 1384 3356 UjbG.exe UjbG.exe PID 3572 wrote to memory of 936 3572 cmd.exe schtasks.exe PID 3572 wrote to memory of 936 3572 cmd.exe schtasks.exe PID 3572 wrote to memory of 936 3572 cmd.exe schtasks.exe PID 496 wrote to memory of 540 496 java.exe EXCEL.EXE PID 496 wrote to memory of 540 496 java.exe EXCEL.EXE PID 496 wrote to memory of 540 496 java.exe EXCEL.EXE PID 3048 wrote to memory of 3980 3048 Explorer.EXE msdt.exe PID 3048 wrote to memory of 3980 3048 Explorer.EXE msdt.exe PID 3048 wrote to memory of 3980 3048 Explorer.EXE msdt.exe PID 3980 wrote to memory of 3092 3980 msdt.exe cmd.exe PID 3980 wrote to memory of 3092 3980 msdt.exe cmd.exe PID 3980 wrote to memory of 3092 3980 msdt.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\PO-RY 001-21 Accuri.jar"2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:496 -
C:\Users\Admin\UjbG.exeC:\Users\Admin\UjbG.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9e1f3fba13714ca3a803c1c61fa66d8a.xml"4⤵
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9e1f3fba13714ca3a803c1c61fa66d8a.xml"5⤵
- Creates scheduled task(s)
PID:936 -
C:\Users\Admin\UjbG.exeC:\Users\Admin\UjbG.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1384 -
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\ZnKfJA2RC6Bu.xlsx"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:540 -
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\UjbG.exe"3⤵PID:3092
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
a36564afc14b3eb0849c01a3afdb9944
SHA14dcee9fae3fde4e46b08529bc0ba067150686f07
SHA2569d4342f763c5d62a06f69aa6fdcb1caa376ff2f2c0972f36b487f73b4d221996
SHA512782082aa36ae056734e90fc079c813dfef59420571a1b70cde4cf15eb6c870f85b2bfe0748ef4db9df3d010c08671bff744d78178ba75bf2ba02b665f044ae89
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
MD507af266b0ddfcb6350b90c5a720833e9
SHA15a3a075a7560b1cfd55a6b59c8e17b9d9f0a7306
SHA256a59528ae0f6e1d08815b506a512f026eaa4cc27665d498bc4190d849fa12c893
SHA512289e19c36216c1b4566c2d167efba7b925926714c4d9d5423444a18fabb5233dc70d91431c766e497ee3b34bb8f0fe39754404def94515778456437ea93f581f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
MD54fcb2a3ee025e4a10d21e1b154873fe2
SHA157658e2fa594b7d0b99d02e041d0f3418e58856b
SHA25690bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
SHA5124e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff
-
MD5
625fcbea1821d2a1eaebabacace38109
SHA1f5c88f49c439f42f7510ab49322dbb7852b25fe5
SHA256113a0c0153c6a70775fe88f97ab3e7452446f11956a53c904da5574742f70ac2
SHA5121058c89fa62c300e57d09d068cda061087c6030fc89c270b6c8aa801034ca9481294b157e8fe96e972a7fa8055bff3a3f5d2a3577d459aa93efcf8a4d3acb38e
-
MD5
625fcbea1821d2a1eaebabacace38109
SHA1f5c88f49c439f42f7510ab49322dbb7852b25fe5
SHA256113a0c0153c6a70775fe88f97ab3e7452446f11956a53c904da5574742f70ac2
SHA5121058c89fa62c300e57d09d068cda061087c6030fc89c270b6c8aa801034ca9481294b157e8fe96e972a7fa8055bff3a3f5d2a3577d459aa93efcf8a4d3acb38e
-
MD5
625fcbea1821d2a1eaebabacace38109
SHA1f5c88f49c439f42f7510ab49322dbb7852b25fe5
SHA256113a0c0153c6a70775fe88f97ab3e7452446f11956a53c904da5574742f70ac2
SHA5121058c89fa62c300e57d09d068cda061087c6030fc89c270b6c8aa801034ca9481294b157e8fe96e972a7fa8055bff3a3f5d2a3577d459aa93efcf8a4d3acb38e
-
MD5
119986be9f58ce4ec7253c0181b78d99
SHA1d694e671a2842b58f4646ab8239dfcf98e9f3093
SHA2569ba96b320d9901c41a9725f58f419b4b1f9c6a5e98ee176a14a96dfce3ec396a
SHA512623e4d9db1f5ebbce4b33f9e09a3e1b2ca7106c6c1afb791227692dc7f88eef3f15b8edd820fbd4c37ebdff73e32baca66de14a1cff13d52cf5018b2861a2c50