Analysis
max time kernel: 96s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-06-2022 23:08

Static task: static1
Behavioral task: behavioral1
  Sample: purchase_order_PDF.jar
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: purchase_order_PDF.jar
  Resource: win10v2004-20220414-en
General
Target: purchase_order_PDF.jar
Size: 290KB
MD5: 415b4fbe68f380c0d99f74e78e53405e
SHA1: 464f84b93b94361da11ad006a7dad78c9bd27134
SHA256: 73d4e82c16b44e54e1d6fa7aea02dbfda6c68ecf53a0c344f71976c396646cbd
SHA512: 932206ce85b4e774d404e388fc35444f6708c4d2e70b3240477872d5b6bed17a22de0b62f1475f920aa55498b29ddb369f5e026af6396a696c757c476e5ca8f2
Malware Config
Signatures
Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1132  java.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process   procid_target
  PID 1364 wrote to memory of 1132  1364  java.exe  80
  PID 1364 wrote to memory of 1132  1364  java.exe  80
  PID 1364 wrote to memory of 2884  1364  java.exe  82
  PID 1364 wrote to memory of 2884  1364  java.exe  82
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\purchase_order_PDF.jar
  PID: 1364
  Suspicious use of WriteProcessMemory

  C:\ProgramData\Oracle\Java\javapath\java.exe
    Command line: java -jar C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF1464297444221810296.JAR istmp
    PID: 1132
    Suspicious use of SetWindowsHookEx

  C:\Windows\SYSTEM32\REG.exe
    Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "REalTechInfo" /t REG_SZ /F /D "java -jar "C:\Users\Admin\AppData\Local\Temp\MCNKJHGGFFF1464297444221810296.JAR istmp""
    PID: 2884
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 50B
MD5: 2b0bc319dcad12bd4c63bd7db09a0ff8
SHA1: 1b6ef4d99ca8595b82861b218b86de584a0db4fe
SHA256: 141af48088b0a2626cd5a2fea6ab871c60c5e70ceb39c824c91d8ea1623412c4
SHA512: c024c16c932c851f61caba2a4b522a10ae218a2144e4a243422b2304384cc655c86d8b1c0126a0a9c2ebd54b6f429c4d63fbcdc6f4f18e8ee51ace1ddea72c6a

Filesize: 290KB
MD5: 415b4fbe68f380c0d99f74e78e53405e
SHA1: 464f84b93b94361da11ad006a7dad78c9bd27134
SHA256: 73d4e82c16b44e54e1d6fa7aea02dbfda6c68ecf53a0c344f71976c396646cbd
SHA512: 932206ce85b4e774d404e388fc35444f6708c4d2e70b3240477872d5b6bed17a22de0b62f1475f920aa55498b29ddb369f5e026af6396a696c757c476e5ca8f2

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2632097139-1792035885-811742494-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c37a701-1043-4f89-b4d1-d05ed25c6971
Filesize: 45B
MD5: c8366ae350e7019aefc9d1e6e6a498c6
SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd