Analysis
max time kernel: 203s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-06-2022 23:08

Static task: static1
Behavioral task: behavioral1
Sample: 73d4e82c16b44e54e1d6fa7aea02dbfda6c68ecf53a0c344f71976c396646cbd.jar
Resource: win7-20220414-en
General
Target: 73d4e82c16b44e54e1d6fa7aea02dbfda6c68ecf53a0c344f71976c396646cbd.jar
Size: 290KB
MD5: 415b4fbe68f380c0d99f74e78e53405e
SHA1: 464f84b93b94361da11ad006a7dad78c9bd27134
SHA256: 73d4e82c16b44e54e1d6fa7aea02dbfda6c68ecf53a0c344f71976c396646cbd
SHA512: 932206ce85b4e774d404e388fc35444f6708c4d2e70b3240477872d5b6bed17a22de0b62f1475f920aa55498b29ddb369f5e026af6396a696c757c476e5ca8f2
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid / Process
  1824 javaw.exe

Drops file in System32 directory (1 IoCs)
  description / ioc / Process
  File created: C:\Windows\System32\test.txt (java.exe)

Modifies registry key (1 TTPs, 1 IoCs)
  pid / Process
  4360 reg.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / Process
  4812 java.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description / pid / Process / procid_target
  PID 4908 wrote to memory of 4812 / 4908 / java.exe / 80
  PID 4908 wrote to memory of 4812 / 4908 / java.exe / 80
  PID 4908 wrote to memory of 3348 / 4908 / java.exe / 82
  PID 4908 wrote to memory of 3348 / 4908 / java.exe / 82
  PID 4812 wrote to memory of 804 / 4812 / java.exe / 84
  PID 4812 wrote to memory of 804 / 4812 / java.exe / 84
  PID 804 wrote to memory of 856 / 804 / cmd.exe / 86
  PID 804 wrote to memory of 856 / 804 / cmd.exe / 86
  PID 4812 wrote to memory of 1648 / 4812 / java.exe / 87
  PID 4812 wrote to memory of 1648 / 4812 / java.exe / 87
  PID 1648 wrote to memory of 1096 / 1648 / cmd.exe / 89
  PID 1648 wrote to memory of 1096 / 1648 / cmd.exe / 89
  PID 4812 wrote to memory of 4196 / 4812 / java.exe / 90
  PID 4812 wrote to memory of 4196 / 4812 / java.exe / 90
  PID 4812 wrote to memory of 4508 / 4812 / java.exe / 92
  PID 4812 wrote to memory of 4508 / 4812 / java.exe / 92
  PID 4812 wrote to memory of 4360 / 4812 / java.exe / 94
  PID 4812 wrote to memory of 4360 / 4812 / java.exe / 94
  PID 4812 wrote to memory of 4512 / 4812 / java.exe / 99
  PID 4812 wrote to memory of 4512 / 4812 / java.exe / 99
  PID 4812 wrote to memory of 2044 / 4812 / java.exe / 96
  PID 4812 wrote to memory of 2044 / 4812 / java.exe / 96
  PID 4812 wrote to memory of 1824 / 4812 / java.exe / 97
  PID 4812 wrote to memory of 1824 / 4812 / java.exe / 97

Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid / Process
  2044 attrib.exe
  4512 attrib.exe
Processes
(indentation shows parent/child depth in the process tree)

C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\73d4e82c16b44e54e1d6fa7aea02dbfda6c68ecf53a0c344f71976c396646cbd.jar
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4908

  C:\ProgramData\Oracle\Java\javapath\java.exe
    Command line: java -jar C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF6161718763833404654.JAR istmp
    Signatures: Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    PID: 4812

    C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3239256841136127608.vbs
      Signatures: Suspicious use of WriteProcessMemory
      PID: 804

      C:\Windows\system32\cscript.exe
        Command line: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3239256841136127608.vbs
        PID: 856

    C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2147182563360349040.vbs
      Signatures: Suspicious use of WriteProcessMemory
      PID: 1648

      C:\Windows\system32\cscript.exe
        Command line: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2147182563360349040.vbs
        PID: 1096

    C:\Windows\SYSTEM32\xcopy.exe
      Command line: xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      PID: 4196

    C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe
      PID: 4508

    C:\Windows\SYSTEM32\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v QYraFnSZOca /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\WCUkqDHuYPW.jpg\WUFKYxLvepBd.JStdFc\"" /f
      Signatures: Modifies registry key
      PID: 4360

    C:\Windows\SYSTEM32\attrib.exe
      Command line: attrib +h "C:\Users\Admin\WCUkqDHuYPW.jpg"
      Signatures: Views/modifies file attributes
      PID: 2044

    C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
      Command line: C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\WCUkqDHuYPW.jpg\WUFKYxLvepBd.JStdFc
      Signatures: Executes dropped EXE
      PID: 1824

    C:\Windows\SYSTEM32\attrib.exe
      Command line: attrib +h "C:\Users\Admin\WCUkqDHuYPW.jpg\*.*"
      Signatures: Views/modifies file attributes
      PID: 4512

  C:\Windows\SYSTEM32\REG.exe
    Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "REalTechInfo" /t REG_SZ /F /D "java -jar "C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF6161718763833404654.JAR istmp""
    PID: 3348
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 50B
MD5: 69709f3c93d6b53ab94641fff57ec8f2
SHA1: 5a88f115b8c073b306cd39493febfbbb49a13e07
SHA256: 26f3cb863033d1e0ded648df8db043ae718f1a422bb5b7f1c4dd81c4926f7f11
SHA512: 6178cb8aa2ae885c203d44916f796d7befe466c9caeaf6c6938d8daac8290ad60f754f4fd2ad8fa818e50a42f92509f576718ec80db57a4c82d0e51b41c45027

Filesize: 290KB
MD5: 415b4fbe68f380c0d99f74e78e53405e
SHA1: 464f84b93b94361da11ad006a7dad78c9bd27134
SHA256: 73d4e82c16b44e54e1d6fa7aea02dbfda6c68ecf53a0c344f71976c396646cbd
SHA512: 932206ce85b4e774d404e388fc35444f6708c4d2e70b3240477872d5b6bed17a22de0b62f1475f920aa55498b29ddb369f5e026af6396a696c757c476e5ca8f2

Filesize: 281B
MD5: a32c109297ed1ca155598cd295c26611
SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512: 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Filesize: 276B
MD5: 3bdfd33017806b85949b6faa7d4b98e4
SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512: ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2632097139-1792035885-811742494-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c37a701-1043-4f89-b4d1-d05ed25c6971
Filesize: 45B
MD5: c8366ae350e7019aefc9d1e6e6a498c6
SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Filesize: 155KB
MD5: ce330d52fc60db54ddfb463ad2280722
SHA1: 9506dfdaf3db5636a45b6e06006670387c62746c
SHA256: ec55bc29ddec5cfbe53cb366b6d1ce5011323f48b8411f22e27ba8dfe7cfbea9
SHA512: 56e4cb6d55b166fbcaa2feeaa80b230f109cedadba2af0d7dfef80ae6289a49c00515f4d00e70d34355bc13ac98cc200b6a298046ce63e55f6c7a05668bd181c

Filesize: 155KB
MD5: ce330d52fc60db54ddfb463ad2280722
SHA1: 9506dfdaf3db5636a45b6e06006670387c62746c
SHA256: ec55bc29ddec5cfbe53cb366b6d1ce5011323f48b8411f22e27ba8dfe7cfbea9
SHA512: 56e4cb6d55b166fbcaa2feeaa80b230f109cedadba2af0d7dfef80ae6289a49c00515f4d00e70d34355bc13ac98cc200b6a298046ce63e55f6c7a05668bd181c

Filesize: 202KB
MD5: aa120c29e7202ce9ae9c0752284c7e36
SHA1: 94e7d33ccab298c67b1cc816d3c228cc7e6b84e4
SHA256: 449036069e2bfe7ec052a614be07ad7105a3203d974d46423c0c32d6ce888661
SHA512: 1442856f08213f4a356cd404c50a65a12b908f6fb86c299d636af595577ef8af82294ad4237fbb025578b946e8f179b9eed0f6d6c4aa88970bfb228ae8c767f8

Filesize: 809KB
MD5: df3ca8d16bded6a54977b30e66864d33
SHA1: b7b9349b33230c5b80886f5c1f0a42848661c883
SHA256: 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
SHA512: 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Filesize: 809KB
MD5: df3ca8d16bded6a54977b30e66864d33
SHA1: b7b9349b33230c5b80886f5c1f0a42848661c883
SHA256: 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
SHA512: 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Filesize: 1.1MB
MD5: 28d5b414c0e548a139b977921e0087f6
SHA1: 13ad3757de05fb8992e0522b5d3de39247e60cbd
SHA256: b1dfd4d86a641dadcb3878d9c11aa53afacbf17b98f6b2e00994341cbb555f24
SHA512: 8c673ff412b9deb8bc490065a9cad1b77ab9a6fcd134e32acb67d4f2774411c81fdcd12e1c0632e80b193e73b5af319ba8dff668e279a46bbd1ae281e10e6b74

Filesize: 896KB
MD5: 34dc63a0055aeb62d12621a972bcb2ce
SHA1: 03af91d6055c03c79a0f7410fe9014e3e54b554f
SHA256: b87955963952ec60d112ca5bdaee2e6408f8c5400b33f4a1529274da3e5c0d8f
SHA512: 166f0f9d4b1dc73448320148d63a420fc2e545d7e561a847d1470e7ec09df8c2da997474023a529fad274aa7d35e839836a81624e412ce9ff95b6f6eba3d3118

Filesize: 48KB
MD5: b140730c68a0d3e52d4533f4fb32dce8
SHA1: 82687e557c57534f1e54f14a016eaac0f375e83d
SHA256: 88cabc3823364a5abf3525f0aeaee11ba7353796e78cfb1aa5c047c35db2d943
SHA512: 9f1cdee973c9c16b2f965118e12df571410c8e5bfb010e8738231ad59548c2999673f57f963cb3e4a2d71d6bc4fd714b4624556ed3530fa9b987a82fa5c7d4fe

Filesize: 48KB
MD5: b140730c68a0d3e52d4533f4fb32dce8
SHA1: 82687e557c57534f1e54f14a016eaac0f375e83d
SHA256: 88cabc3823364a5abf3525f0aeaee11ba7353796e78cfb1aa5c047c35db2d943
SHA512: 9f1cdee973c9c16b2f965118e12df571410c8e5bfb010e8738231ad59548c2999673f57f963cb3e4a2d71d6bc4fd714b4624556ed3530fa9b987a82fa5c7d4fe

Filesize: 75KB
MD5: a56686411fc41f3abeea19f129935ee9
SHA1: 6cb98bbc9d0e779a44dd0608cb2c7645c33de4e6
SHA256: 0f906562f61761f3c66150362abfb04b4ca37c82071e91cc89d43fac5d7425ec
SHA512: be74f0a89c702e189d617a96d6b36506777c48ad41a2daaf43d7bf5719b8055de34ee567417b75ee6fadc1fa740a7e1c5f8d890723890b2c9e49965e469f352e

Filesize: 75KB
MD5: a56686411fc41f3abeea19f129935ee9
SHA1: 6cb98bbc9d0e779a44dd0608cb2c7645c33de4e6
SHA256: 0f906562f61761f3c66150362abfb04b4ca37c82071e91cc89d43fac5d7425ec
SHA512: be74f0a89c702e189d617a96d6b36506777c48ad41a2daaf43d7bf5719b8055de34ee567417b75ee6fadc1fa740a7e1c5f8d890723890b2c9e49965e469f352e

Filesize: 634B
MD5: 499f2a4e0a25a41c1ff80df2d073e4fd
SHA1: e2469cbe07e92d817637be4e889ebb74c3c46253
SHA256: 80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb
SHA512: 7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Filesize: 2KB
MD5: 91aa6ea7320140f30379f758d626e59d
SHA1: 3be2febe28723b1033ccdaa110eaf59bbd6d1f96
SHA256: 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4
SHA512: 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

Filesize: 512KB
MD5: c17d841b4946949dccc0a972894db0d1
SHA1: 1bf122e3f1a21e35bdbc8ce420ea0c35cfd167b5
SHA256: 9a80d24dd39089da694e67c8971fb59a3fb892f55083c8cd5fc970a770cea71e
SHA512: 6ea8a196483cae2100bde0176887ddc0d822aaf506b5da7435fd564027d19fa3efd49c82cffad0e26d355654e13a2522c64cfaeaf559452b08827b44a91fcf6b

Filesize: 47B
MD5: 0d912fa49a3ba6f156ffb68bbb709c4d
SHA1: bb47003678dc711c757dd4df7e25f277c5c01ec9
SHA256: 506c9c98eca046352e3fc8834637497d5e25bf3929e3bfd72b6e987316254fde
SHA512: c6b9962d791b3c0adb9c94195d623bdc2564f6a85a841fa03147fe20f906d9dc35e352cf736de86ef0e236a029e7de5a11ce0a76488d26a56fe13898842e70ae

Filesize: 248KB
MD5: 119e36f35b39c6a5b885abfc40ee7d81
SHA1: d07cd5766109293c1f20810f53595904deb22323
SHA256: 0f960a7b4eb536a48eca9a9eb170f6997c11ffe64852bbb3148aafd1498ba448
SHA512: 449bbc745bd4fa5b4ed47b6cdb5ad5906e6585a27d66471778be79563df11592acca4aaba77874d0932ff6c13689c5be48aedeca18a3464ef1e5387b79801088