381768716f30918b472bb41e9aca29d1b01643ec1892545453d104f03bc2a612

General

Target

INVOICE-0899877.jar
Size

1.0MB
MD5

69177a6a0ac1953b7fe870f44d0b08b5
SHA1

050090f180f571711def0706a23e32a715ec5be5
SHA256

381768716f30918b472bb41e9aca29d1b01643ec1892545453d104f03bc2a612
SHA512

b03921f0e1ad1df192b6c85663fdcb22700808829c02356ee9a82623267553b77b974f14bdf710b4fd523ccee97c0d31cae9fcf0989c85712f65e607e7a665dd

Score

9^/10

Malware Config

Signatures

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1268-10-0x0000000002220000-0x0000000002323000-memory.dmp	beds_protector

Executes dropped EXE 6 IoCs

Processes:

cb1M.execb1M.execb1M.execb1M.execb1M.execb1M.exe

pid process

1268 cb1M.exe
1544 cb1M.exe
344 cb1M.exe
616 cb1M.exe
924 cb1M.exe
292 cb1M.exe

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe	Powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

cb1M.exePowershell.exe

pid	process
1268	cb1M.exe
1268	cb1M.exe
1268	cb1M.exe
1268	cb1M.exe
1268	cb1M.exe
1268	cb1M.exe
1268	cb1M.exe
1268	cb1M.exe
1268	cb1M.exe
1268	cb1M.exe
436	Powershell.exe
436	Powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cb1M.exePowershell.exe

description pid process

Token: SeDebugPrivilege 1268 cb1M.exe
Token: SeDebugPrivilege 436 Powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

1044 java.exe

description	pid	process
Token: SeDebugPrivilege	1268	cb1M.exe
Token: SeDebugPrivilege	436	Powershell.exe

pid	process
1044	java.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

java.execb1M.exe

description	pid	process	target process
PID 1044 wrote to memory of 1268	1044	java.exe	cb1M.exe
PID 1044 wrote to memory of 1268	1044	java.exe	cb1M.exe
PID 1044 wrote to memory of 1268	1044	java.exe	cb1M.exe
PID 1044 wrote to memory of 1268	1044	java.exe	cb1M.exe
PID 1268 wrote to memory of 436	1268	cb1M.exe	Powershell.exe
PID 1268 wrote to memory of 436	1268	cb1M.exe	Powershell.exe
PID 1268 wrote to memory of 436	1268	cb1M.exe	Powershell.exe
PID 1268 wrote to memory of 436	1268	cb1M.exe	Powershell.exe
PID 1268 wrote to memory of 1544	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 1544	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 1544	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 1544	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 344	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 344	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 344	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 344	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 616	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 616	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 616	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 616	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 924	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 924	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 924	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 924	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 292	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 292	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 292	1268	cb1M.exe	cb1M.exe
PID 1268 wrote to memory of 292	1268	cb1M.exe	cb1M.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\INVOICE-0899877.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\cb1M.exe
C:\Users\Admin\cb1M.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\cb1M.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Users\Admin\cb1M.exe
"C:\Users\Admin\cb1M.exe"
3⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\cb1M.exe
"C:\Users\Admin\cb1M.exe"
3⤵
- Executes dropped EXE
PID:344

C:\Users\Admin\cb1M.exe
"C:\Users\Admin\cb1M.exe"
3⤵
- Executes dropped EXE
PID:292

C:\Users\Admin\cb1M.exe
"C:\Users\Admin\cb1M.exe"
3⤵
- Executes dropped EXE
PID:924

C:\Users\Admin\cb1M.exe
"C:\Users\Admin\cb1M.exe"
3⤵
- Executes dropped EXE
PID:616

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\cb1M.exe
MD5
97aa8299f3eae737008853b62609dc53

SHA1
33d2ad2819f64bd616f8a0a8964c582efdaeb25b

SHA256
3cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac

SHA512
630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391

Download Submit
C:\Users\Admin\cb1M.exe
MD5
97aa8299f3eae737008853b62609dc53

SHA1
33d2ad2819f64bd616f8a0a8964c582efdaeb25b

SHA256
3cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac

SHA512
630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391

Download Submit
C:\Users\Admin\cb1M.exe
MD5
97aa8299f3eae737008853b62609dc53

SHA1
33d2ad2819f64bd616f8a0a8964c582efdaeb25b

SHA256
3cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac

SHA512
630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391

Download Submit
C:\Users\Admin\cb1M.exe
MD5
97aa8299f3eae737008853b62609dc53

SHA1
33d2ad2819f64bd616f8a0a8964c582efdaeb25b

SHA256
3cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac

SHA512
630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391

Download Submit
C:\Users\Admin\cb1M.exe
MD5
97aa8299f3eae737008853b62609dc53

SHA1
33d2ad2819f64bd616f8a0a8964c582efdaeb25b

SHA256
3cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac

SHA512
630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391

Download Submit
C:\Users\Admin\cb1M.exe
MD5
97aa8299f3eae737008853b62609dc53

SHA1
33d2ad2819f64bd616f8a0a8964c582efdaeb25b

SHA256
3cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac

SHA512
630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391

Download Submit
C:\Users\Admin\cb1M.exe
MD5
97aa8299f3eae737008853b62609dc53

SHA1
33d2ad2819f64bd616f8a0a8964c582efdaeb25b

SHA256
3cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac

SHA512
630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391

Download Submit
memory/436-43-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/436-29-0x0000000006030000-0x0000000006031000-memory.dmp

Filesize
4KB

Download
memory/436-12-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/436-35-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/436-14-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download
memory/436-15-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/436-16-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/436-34-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/436-26-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/436-11-0x0000000000000000-mapping.dmp

Download
memory/436-42-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/436-25-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/436-24-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/436-23-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/788-44-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp

Filesize
2.5MB

Download
memory/1044-3-0x00000000021F0000-0x0000000002460000-memory.dmp

Filesize
2.4MB

Download
memory/1044-2-0x000007FEFB851000-0x000007FEFB853000-memory.dmp

Filesize
8KB

Download
memory/1268-10-0x0000000002220000-0x0000000002323000-memory.dmp

Filesize
1.0MB

Download
memory/1268-17-0x0000000000530000-0x000000000053F000-memory.dmp

Filesize
60KB

Download
memory/1268-13-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/1268-8-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1268-7-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download
memory/1268-4-0x0000000000000000-mapping.dmp

Download

pid	process
1268	cb1M.exe
1544	cb1M.exe
344	cb1M.exe
616	cb1M.exe
924	cb1M.exe
292	cb1M.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads