Analysis
max time kernel: 82s
max time network: 54s
platform: windows7_x64
resource: win7-20220414-en
submitted: 14-07-2022 03:28
Static task: static1
Behavioral task: behavioral1
Sample: 48516cea7265c148e32d13bbcdef594c749af8dbed2b06d7cf485b4f6c612ba2.jar
Resource: win7-20220414-en

General
Target: 48516cea7265c148e32d13bbcdef594c749af8dbed2b06d7cf485b4f6c612ba2.jar
Size: 542KB
MD5: 2e029179d3abe1c44e964cf1a916c0f2
SHA1: a1f625ed4bc96e3b713a074407db495fe2ade227
SHA256: 48516cea7265c148e32d13bbcdef594c749af8dbed2b06d7cf485b4f6c612ba2
SHA512: f07eda5daf421ef318dfde498570e408ac82fbea2c38c968ffe3c5ed8632f4805012d1d377ea9cecb28771127262701494c396d9460d3d58a830a89bb042b4a9
Malware Config
Signatures

Loads dropped DLL (5 IoCs)
Processes (pid, Process):
  1708 java.exe
  1708 java.exe
  1708 java.exe
  872
  872

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, Process):
  Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\HenXqEnK = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\wWWftzTmb\\XuUTrrX.AuwrrnQDinZIPV\"" (reg.exe)

Drops file in System32 directory (1 IoCs)
Processes (description, ioc, Process):
  File created: C:\Windows\System32\test.txt (java.exe)

Modifies registry key (1 TTPs, 1 IoCs)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, Process):
  1708 java.exe
  1956 java.exe

Suspicious use of WriteProcessMemory (48 IoCs)
Processes (description, pid, Process, procid_target); each event below was recorded 3 times:
  PID 1708 (java.exe) wrote to memory of 1956, procid_target 28
  PID 1956 (java.exe) wrote to memory of 1152, procid_target 29
  PID 1708 (java.exe) wrote to memory of 1980, procid_target 30
  PID 1980 (cmd.exe) wrote to memory of 976, procid_target 31
  PID 1152 (cmd.exe) wrote to memory of 648, procid_target 32
  PID 1708 (java.exe) wrote to memory of 840, procid_target 34
  PID 1956 (java.exe) wrote to memory of 1080, procid_target 33
  PID 1080 (cmd.exe) wrote to memory of 852, procid_target 35
  PID 840 (cmd.exe) wrote to memory of 1276, procid_target 36
  PID 1708 (java.exe) wrote to memory of 1804, procid_target 38
  PID 1956 (java.exe) wrote to memory of 1312, procid_target 37
  PID 1708 (java.exe) wrote to memory of 1680, procid_target 39
  PID 1708 (java.exe) wrote to memory of 304, procid_target 40
  PID 1708 (java.exe) wrote to memory of 1788, procid_target 41
  PID 1708 (java.exe) wrote to memory of 896, procid_target 42
  PID 1708 (java.exe) wrote to memory of 1528, procid_target 43

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes (pid, Process):
  1788 attrib.exe
  896 attrib.exe
Processes (indentation shows the parent/child tree; depth in brackets)

[1] C:\Windows\system32\java.exe
    Command: java -jar C:\Users\Admin\AppData\Local\Temp\48516cea7265c148e32d13bbcdef594c749af8dbed2b06d7cf485b4f6c612ba2.jar
    PID: 1708
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\Java\jre7\bin\java.exe
        Command: "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.0121684646984269179006612862934578346.class
        PID: 1956
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\cmd.exe
            Command: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8661491885237701448.vbs
            PID: 1152
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\cscript.exe
                Command: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8661491885237701448.vbs
                PID: 648

        [3] C:\Windows\system32\cmd.exe
            Command: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8226210047816842428.vbs
            PID: 1080
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\cscript.exe
                Command: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8226210047816842428.vbs
                PID: 852

        [3] C:\Windows\system32\xcopy.exe
            Command: xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
            PID: 1312

    [2] C:\Windows\system32\cmd.exe
        Command: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1650148143855715996.vbs
        PID: 1980
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\cscript.exe
            Command: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1650148143855715996.vbs
            PID: 976

    [2] C:\Windows\system32\cmd.exe
        Command: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive111008561707770343.vbs
        PID: 840
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\cscript.exe
            Command: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive111008561707770343.vbs
            PID: 1276

    [2] C:\Windows\system32\xcopy.exe
        Command: xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
        PID: 1804

    [2] C:\Windows\system32\cmd.exe
        Command: cmd.exe
        PID: 1680

    [2] C:\Windows\system32\reg.exe
        Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v HenXqEnK /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\wWWftzTmb\XuUTrrX.AuwrrnQDinZIPV\"" /f
        PID: 304
        - Adds Run key to start application
        - Modifies registry key

    [2] C:\Windows\system32\attrib.exe
        Command: attrib +h "C:\Users\Admin\wWWftzTmb\*.*"
        PID: 1788
        - Views/modifies file attributes

    [2] C:\Windows\system32\attrib.exe
        Command: attrib +h "C:\Users\Admin\wWWftzTmb"
        PID: 896
        - Views/modifies file attributes

    [2] C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
        Command: C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\wWWftzTmb\XuUTrrX.AuwrrnQDinZIPV
        PID: 1528
Network
MITRE ATT&CK Enterprise v6
Downloads