0131f55b79672dffbb530d686209174d956c787b8e4895741084664a777837cc

Analysis

max time kernel
42s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0131f55b79672dffbb530d686209174d956c787b8e4895741084664a777837cc.jar
Size

1.1MB
MD5

8b9550eae6cfbe4359a8dc4331038567
SHA1

15bb1028665c9e5998629bd1d6c5b2ad63bdd740
SHA256

0131f55b79672dffbb530d686209174d956c787b8e4895741084664a777837cc
SHA512

a24f384d06202de61c33871d801c5993b9a3a9674b2ab81039e6c53aa8267565ebc93b4fbd5a3031f1a25d9e5be83006ae731840e808d26615e612708781d030

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4916 schtasks.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 2432 wrote to memory of 4632 2432 java.exe wscript.exe
PID 2432 wrote to memory of 4632 2432 java.exe wscript.exe

pid	process
4916	schtasks.exe

description	pid	process	target process
PID 2432 wrote to memory of 4632	2432	java.exe	wscript.exe
PID 2432 wrote to memory of 4632	2432	java.exe	wscript.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\0131f55b79672dffbb530d686209174d956c787b8e4895741084664a777837cc.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\vtljjwvqbg.js
  2⤵
  PID:4632
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\TLIolvyPBn.js"
    3⤵
    PID:2152
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IyFfaseYOW.js"
      4⤵
      PID:960
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\IyFfaseYOW.js
        5⤵
        Creates scheduled task(s)
        
        PID:4916
  - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\jtrigsdnta.txt"
      4⤵
      PID:4112
    - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw" -jar "C:\Users\Admin\AppData\RoamingServer683241691.jar"
        5⤵
        
        PID:3932
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\efkcxgkl.txt"
    3⤵
    PID:1920
  - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.98630158988057021120342389672155341.class
      4⤵
      PID:2416
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive587012033166478658.vbs
      4⤵
      PID:4092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
db9989f846646befd32877dc0bc2299d

SHA1
d2f5143c3d4d4450941cb4ad37172a0f182dce43

SHA256
d2aaa04f32f4fb91c7626d93efc38a678a7d8915cf592c89b4f29b592232c398

SHA512
237229717c1eb92ac234a7c04fbbc8ba724b62a9d507dee58ae31537b93c06a835d19e6a3205ca052eb7c3f8dfb7c1552f244961b3445a09cb340a4a00c87a6d

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
701b7028e1175f1a25514b1add7df0c7

SHA1
5395efc5b761bdf06ea291b107dc4164c9308c66

SHA256
e02607f25a4b1a6433b987dce1af945fe83d07cef5e2fe868ad8d41f6fe50404

SHA512
6ae61b6e7af35ca006dff591f23936c08596690d5f40ef32cf805fc7df5eae468b88e6ed1fc0148624ef8ec397d5dfc02d92f7ef3eb80337d1bb378bf8983386

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
89e7d650f1ad7f0e7dfb3448ca3fa328

SHA1
c593da66580de32f0e0abd5fb7a216a01956092b

SHA256
ef71aaebf34c326c1398ae5093e96bafb3c8fe31d8d6a40ec126d5ab4ffa4bc7

SHA512
30fa1c89932ed5dc8b35e6c4f50165c2f70355af53fc6a384f8071c4e19e42187b7b68d95f91d3d66a5ef07a6148f654602c7c3a0bcd81263aa8c060ed4093d8

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
b074f7d36ad60a74af9f9ce2668046ef

SHA1
222f2d68b2212b516e614f0462589888cd9dade7

SHA256
2f5dc89f593000db14a471ea9e32bac416ba5e5c69dbefca86c37fd4a0cc8246

SHA512
4651bec60901c5a6f1c23afe3510ac71bfafb0458bb4c5ce25d1a7c32ef74da3cb0e3751e3fb5647b696f4448886b6704ce9843372e81783d8c68cce111904d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.98630158988057021120342389672155341.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\RoamingServer683241691.jar

Filesize
130KB

MD5
94744b9845e5f391cca7260098bbe1a2

SHA1
f297391b564b68d07739a1f9723e915777abc279

SHA256
171c05a83078824f27b9cb3ab2b152579edfefaea4c1dea5e690a5367c0e67d3

SHA512
d0d84b46cd586f3a020bf00ee2dedd8c33887337de6eac0c1936ad74c7b2c33343653d91067e4916a55def3d06b5b586cb5b1be38959963cad8c6632571b9168

Download Submit
C:\Users\Admin\AppData\Roaming\IyFfaseYOW.js

Filesize
18KB

MD5
9ad074e4b977d42b16bea24a940ffd32

SHA1
38b9ca30670d8dd3f6b25ebda0d7a8256642b379

SHA256
077d7fe9434715f0c9e979bc4b9d347a3d07a3cbec8be282dc0f9c2d0c52bba1

SHA512
6c2a7f01bb37776c68eab8f2535c0e9901f7c4f72af9a503d09b8fd6a909a30fd8632d183f472b8de26c0ce4c0eb736e0e16381be933b4c21e47614542cde2eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2632097139-1792035885-811742494-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c37a701-1043-4f89-b4d1-d05ed25c6971

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\TLIolvyPBn.js

Filesize
439KB

MD5
053ed27b5bd479f8d0e4e76399c39430

SHA1
aee93c1e6bd9afc0989e6299f97f796bdc7515b5

SHA256
ff6bfd9ed665b99c77182b6c166d37114de00d8829975387653eff794303a1f1

SHA512
8e3abbb1e3f60c6c6cbb12aff489024266c8f7cd01dea11280c24549020d18a96ffc283b7ea6c5a0b0eb602876a9d633b820824bd66fa87122ad76e39060f560

Download Submit
C:\Users\Admin\AppData\Roaming\efkcxgkl.txt

Filesize
473KB

MD5
635ebeaa68c4aeaae2a54ba5faf3f1b7

SHA1
265360f03bcc39b483985a8c3fe9e4877043e0b7

SHA256
70d13f75995405181c186017fff7830e7b3b6434392a2cec33fe8be6f9c989c0

SHA512
9606ad090416553d88a9e508ad4782855f6c97ec835909178c69ef2f3e6f49bbb88ca1bc4a8171f0fe0c9f8675ea6c61c2aa04437a77f7375b74b07ca2a36388

Download Submit
C:\Users\Admin\AppData\Roaming\jtrigsdnta.txt

Filesize
146KB

MD5
37b1429e7e0671bd1a61e99dd86cff71

SHA1
5b5f0c6bf438775a6d9966013dead771138e03e6

SHA256
f5b8ca4d2d55cd0fbd08ac098fc5ebf2f588881976605c91b50433e4cf4c5ccb

SHA512
2b30b03922086e6da383fadfc2e2e1ee529eced47d9a1a3763948b22cd312dd65d56c60e01c97e8fd4e6eb9b82c6a02342868e3c4057809cac8adb95ed4069c7

Download Submit
C:\Users\Admin\vtljjwvqbg.js

Filesize
704KB

MD5
272e817c4fbe74869de812be33d287ff

SHA1
a2a8dd0ee9fd43a5b26dacd8a92fdbbef7e47d25

SHA256
694eedba83504b7cd964a40e1375e6666fa05e6bd149f882bfee5790e5a63781

SHA512
b06780f9dc3ddc48bbe6f657951a166efa8c5591db1f765733de1e892be4fafc0cebef142f3e18cccf2baa361166b404fec153498e6c0f15a55150e73334233a

Download Submit
memory/960-151-0x0000000000000000-mapping.dmp

Download
memory/1920-203-0x00000000029A0000-0x00000000039A0000-memory.dmp

Filesize
16.0MB

Download
memory/1920-187-0x00000000029A0000-0x00000000039A0000-memory.dmp

Filesize
16.0MB

Download
memory/1920-157-0x00000000029A0000-0x00000000039A0000-memory.dmp

Filesize
16.0MB

Download
memory/1920-214-0x00000000029A0000-0x00000000039A0000-memory.dmp

Filesize
16.0MB

Download
memory/1920-207-0x00000000029A0000-0x00000000039A0000-memory.dmp

Filesize
16.0MB

Download
memory/1920-145-0x0000000000000000-mapping.dmp

Download
memory/2152-143-0x0000000000000000-mapping.dmp

Download
memory/2416-186-0x00000000031B0000-0x00000000041B0000-memory.dmp

Filesize
16.0MB

Download
memory/2416-168-0x0000000000000000-mapping.dmp

Download
memory/2416-217-0x00000000031B0000-0x00000000041B0000-memory.dmp

Filesize
16.0MB

Download
memory/2416-218-0x00000000031B0000-0x00000000041B0000-memory.dmp

Filesize
16.0MB

Download
memory/2432-139-0x0000000002580000-0x0000000003580000-memory.dmp

Filesize
16.0MB

Download
memory/3932-188-0x0000000000000000-mapping.dmp

Download
memory/3932-211-0x0000000003100000-0x0000000004100000-memory.dmp

Filesize
16.0MB

Download
memory/4092-210-0x0000000000000000-mapping.dmp

Download
memory/4112-160-0x0000000000000000-mapping.dmp

Download
memory/4112-173-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

Filesize
16.0MB

Download
memory/4632-140-0x0000000000000000-mapping.dmp

Download
memory/4916-199-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads