Analysis
max time kernel: 76s
max time network: 65s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 30-07-2022 21:57
Static task: static1
Behavioral task: behavioral1
  Sample: 612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
  Resource: win10v2004-20220721-en
The signatures, process tree and memory dumps below are from behavioral1 (Windows 7 x64); the behavioral2 run on Windows 10 is not reproduced on this page.
General
Target: 612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
Size: 1.4MB
MD5: bf8f74eb5dee1bb05729a4092481f8c5
SHA1: b78641682de541b52ddc277e317432d904453e82
SHA256: 612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359
SHA512: 17f06d41247f979f8bdb8fd22367b377233fb59a594affd5ddd47dfcff8faa2aa4e67e4e7005427a1a6712ad8766d2fa805111ef463bb90fd771d68e37ef0751
Malware Config
Signatures

M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
Processes:
resource | yara_rule
behavioral1/memory/1644-69-0x0000000000402000-0x000000000048B200-memory.dmp | m00nd3v_logger
behavioral1/memory/1644-73-0x0000000000402000-0x000000000048B200-memory.dmp | m00nd3v_logger
The rule fires only on memory dumps of PID 1644, which is RegAsm.exe (see the SetThreadContext and WriteProcessMemory entries below): the unpacked logger is identified in the image region of the hollowed .NET host, not in the submitted file or the dropped javas.exe.
Executes dropped EXE 1 IoCs
Processes:
pid | process
1872 | javas.exe

Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\javas.DFYk4p0zuTWUN0um.lnk | javas.exe

Loads dropped DLL 1 IoCs
Processes:
pid | process
1872 | javas.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target pid | target process
set thread context | 1872 | javas.exe | 1644 | RegAsm.exe
javas.exe starts RegAsm.exe with no arguments, writes into it (see WriteProcessMemory below) and then resets its thread context: the process-hollowing pattern in which a signed .NET Framework utility becomes the host for the unpacked payload.
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | 612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | 612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | javas.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | javas.exe
These .cch.new files are the .NET Framework 2.0 security-policy cache that the CLR itself regenerates; both are 514 bytes with identical hashes (see Downloads). They show that the sample and javas.exe are .NET 2.0 binaries, not that a payload was written to the Windows directory.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; with a stealer identified and no encryption-related signature in this report, drive enumeration is better read as the logger inventorying the host.
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1996 | 612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
Token: SeDebugPrivilege | 1872 | javas.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
pid | process | target pid | target process | writes
1996 | 612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe | 1652 | explorer.exe | 4
1524 | explorer.exe | 1872 | javas.exe | 4
1872 | javas.exe | 1644 | RegAsm.exe | 12
The four writes from 1996 and from 1524 each go into a child that process had just created and are not paired with SetThreadContext; the twelve writes from javas.exe into RegAsm.exe are paired with it, and that pairing is the injection.
Processes
(PIDs taken from the signature tables above; nesting follows the report's depth markers)

PID 1996  C:\Users\Admin\AppData\Local\Temp\612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe
          "C:\Users\Admin\AppData\Local\Temp\612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe"
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
  PID 1652  C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\javas.exe

PID 1524  C:\Windows\explorer.exe
          C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
          - Suspicious use of WriteProcessMemory
  PID 1872  C:\Users\Admin\AppData\Roaming\javas.exe
            "C:\Users\Admin\AppData\Roaming\javas.exe"
            - Executes dropped EXE
            - Drops startup file
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
    PID 1644  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Note the break in the parent chain. The sample's only child is a 32-bit explorer.exe whose command line names javas.exe, but javas.exe is actually started by a separate, COM-activated explorer.exe (PID 1524, the /factory ... -Embedding instance). A rule that links javas.exe only to its direct parent sees a shell-launched program, not the sample; the link survives in the 1652 command line and in the 1996 -> 1652 write events.
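The two behaviours this report records, the hollowing of RegAsm.exe (WriteProcessMemory plus SetThreadContext from javas.exe) and the explorer.exe detour in the process tree, reduced to detection logic over event records. This is an added example, not code from the sandbox or from the sample: the Proc records and event lines are constructed from this report's own tables, and the field names, the DOTNET_HOSTS list and the two rules are this example's assumptions.

```python
# Added example (not the report's or the sample's code): reconstruct the hollowing
# and the parent-chain detour from event records. PROCS/EVENTS are constructed
# from this report's tables; field names, DOTNET_HOSTS and the rules are assumed.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]  # None: no parent recorded in the tree

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359.exe"
JAVAS = r"C:\Users\Admin\AppData\Roaming\javas.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

# Process tree as the report shows it; PIDs from its signature tables.
PROCS = {
    1996: Proc(1996, SAMPLE, f'"{SAMPLE}"', None),
    1652: Proc(1652, r"C:\Windows\SysWOW64\explorer.exe",
               f'"C:\\Windows\\System32\\explorer.exe" /c select, {JAVAS}', 1996),
    1524: Proc(1524, r"C:\Windows\explorer.exe",
               r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding", None),
    1872: Proc(1872, JAVAS, f'"{JAVAS}"', 1524),
    1644: Proc(1644, REGASM, f'"{REGASM}"', 1872),
}

# Event lines in the report's own phrasing; the counts match its tables.
EVENTS = (["PID 1996 wrote to memory of 1652"] * 4
          + ["PID 1524 wrote to memory of 1872"] * 4
          + ["PID 1872 wrote to memory of 1644"] * 12
          + ["PID 1872 set thread context of 1644"])
EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")

# Signed .NET Framework utilities that loaders commonly hollow (list assumed here).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}

def parse_events(lines):
    """Return ({(src, dst): write count}, {(src, dst) pairs with SetThreadContext})."""
    writes, ctx = Counter(), set()
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        if verb.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def launched_without_args(proc):
    # The command line is nothing but the (possibly quoted) image path.
    return proc.cmdline.strip().strip('"').lower() == proc.image.lower()

def find_hollowing(procs, writes, ctx):
    """A writer that also reset the target's thread context. Writes alone are what
    CreateProcess looks like in this trace (parent -> fresh child), so they pass."""
    hits = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) not in ctx or dst not in procs:
            continue
        t = procs[dst]
        hits.append({"source": src, "target": dst, "writes": n,
                     "target_image": basename(t.image),
                     "child_of_source": t.parent == src,
                     "lolbin_no_args": basename(t.image) in DOTNET_HOSTS
                                       and launched_without_args(t)})
    return hits

def descendants(procs, pid):
    out, stack = set(), [pid]
    while stack:
        cur = stack.pop()
        for p in procs.values():
            if p.parent == cur and p.pid not in out:
                out.add(p.pid)
                stack.append(p.pid)
    return out

def find_detours(procs):
    """A process names an executable on its command line, and that executable then
    starts under a parent outside the naming process's lineage (the explorer trick)."""
    hits = []
    for p in procs.values():
        lineage = descendants(procs, p.pid) | {p.pid}
        for q in procs.values():
            if q.pid != p.pid and q.image.lower() in p.cmdline.lower() and q.parent not in lineage:
                hits.append({"referrer": p.pid, "launched": q.pid, "actual_parent": q.parent})
    return hits

if __name__ == "__main__":
    w, c = parse_events(EVENTS)
    print("hollowing:", find_hollowing(PROCS, w, c))
    print("detours:", find_detours(PROCS))
```

Run as-is it reports one hollowing hit (javas.exe into an argument-less RegAsm.exe it spawned itself, twelve writes) and one detour (PID 1652 names javas.exe, which then starts under PID 1524). The point of `find_detours` is that the link between sample and payload is recoverable from command lines even when parent-process correlation alone would not make it.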
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\javas.exe (the report lists this file twice under this path and once more as \Users\Admin\AppData\Roaming\javas.exe)
Filesize: 1.4MB
MD5: bf8f74eb5dee1bb05729a4092481f8c5
SHA1: b78641682de541b52ddc277e317432d904453e82
SHA256: 612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359
SHA512: 17f06d41247f979f8bdb8fd22367b377233fb59a594affd5ddd47dfcff8faa2aa4e67e4e7005427a1a6712ad8766d2fa805111ef463bb90fd771d68e37ef0751
All four hashes equal the submitted sample's: javas.exe is a byte-for-byte copy of the sample placed in %APPDATA%, and it is this copy that creates the Startup shortcut. The file hash therefore covers both stages on disk, but not the unpacked logger, which the YARA rule found only in the memory of PID 1644.

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize: 514B
MD5: c7fa61d67a12b9fd1cab0e0032e3b8e2
SHA1: 2c8f45e5f9374a88468e6ad4b7f38513fc0662dd
SHA256: 789ee28edc35e4d7ff6fb7ca993eed973a0d1be0a10a92d1923f77bb30508b59
SHA512: d992d8e4edc9fcd9a7c50d8222e1fb4390c369a25077eff0442d3462296dcbae8bd2ccd313a23a7da1f140ea7dd248509093547290541ffa7b41ea44449c2faf

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize: 514B
MD5: c7fa61d67a12b9fd1cab0e0032e3b8e2
SHA1: 2c8f45e5f9374a88468e6ad4b7f38513fc0662dd
SHA256: 789ee28edc35e4d7ff6fb7ca993eed973a0d1be0a10a92d1923f77bb30508b59
SHA512: d992d8e4edc9fcd9a7c50d8222e1fb4390c369a25077eff0442d3462296dcbae8bd2ccd313a23a7da1f140ea7dd248509093547290541ffa7b41ea44449c2faf
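A host-side sweep for the on-disk indicators above: the %APPDATA%\javas.exe copy checked against the sample's SHA256, and the Startup shortcut. This is an added example, not the sandbox's or the malware's code. The hash and file names are taken from the report; the javas.*.lnk glob assumes the middle token of the shortcut name (DFYk4p0zuTWUN0um in this run) varies between infections, which the report does not show, and a same-name file with a different hash is reported separately rather than ignored.

```python
# Added example (not part of the report): sweep a user profile for this report's
# on-disk indicators. Hash and names are from the report; the LNK glob and the
# verdict labels are assumptions of this example.
import fnmatch
import hashlib
import os

SAMPLE_SHA256 = "612d970b264afbea7c98dea5d7be82c982b218be0f95cbb82aca89eebf754359"
DROP_NAME = "javas.exe"         # %APPDATA%\javas.exe, a copy of the sample
LNK_GLOB = "javas.*.lnk"        # report shows javas.DFYk4p0zuTWUN0um.lnk

def sha256_of(path, chunk=1 << 20):
    """Stream the file so a large drop does not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(appdata_roaming, startup_dir):
    """Return (kind, path, verdict) tuples; an empty list means nothing matched."""
    findings = []
    drop = os.path.join(appdata_roaming, DROP_NAME)
    if os.path.isfile(drop):
        # Same name but a different hash would still be a different build of the
        # same family, so it is reported with its own verdict instead of dropped.
        verdict = "hash_match" if sha256_of(drop) == SAMPLE_SHA256 else "name_match_hash_differs"
        findings.append(("dropped_exe", drop, verdict))
    if os.path.isdir(startup_dir):
        for name in sorted(os.listdir(startup_dir)):
            if fnmatch.fnmatch(name.lower(), LNK_GLOB):
                findings.append(("startup_lnk", os.path.join(startup_dir, name), "name_match"))
    return findings

def default_paths():
    """The current user's equivalents of the report's C:\\Users\\Admin\\AppData\\Roaming paths."""
    appdata = os.environ.get("APPDATA", os.path.expanduser("~"))
    startup = os.path.join(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    return appdata, startup

if __name__ == "__main__":
    hits = sweep(*default_paths())
    for kind, path, verdict in hits:
        print(f"{kind}: {path} ({verdict})")
    print("clean" if not hits else f"{len(hits)} indicator(s) found")
```

Run it under each user profile on the host, not just the one that was logged in: both indicators live in the per-user roaming profile, so a sweep of one profile says nothing about the others.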
Memory dumps (behavioral1)
dump | size
memory/1524-59-0x000007FEFB931000-0x000007FEFB933000-memory.dmp | 8KB
memory/1644-70-0x0000000000400000-0x0000000000401000-memory.dmp | 4KB
memory/1644-73-0x0000000000402000-0x000000000048B200-memory.dmp | 548KB
memory/1644-78-0x0000000074220000-0x00000000747CB000-memory.dmp | 5.7MB
memory/1644-76-0x0000000074220000-0x00000000747CB000-memory.dmp | 5.7MB
memory/1644-71-0x0000000000400000-0x0000000000401000-memory.dmp | 4KB
memory/1644-69-0x0000000000402000-0x000000000048B200-memory.dmp | 548KB
memory/1652-56-0x0000000000000000-mapping.dmp | (mapping only)
memory/1652-58-0x0000000071651000-0x0000000071653000-memory.dmp | 8KB
memory/1872-68-0x0000000074220000-0x00000000747CB000-memory.dmp | 5.7MB
memory/1872-61-0x0000000000000000-mapping.dmp | (mapping only)
memory/1872-65-0x0000000074220000-0x00000000747CB000-memory.dmp | 5.7MB
memory/1872-77-0x0000000074220000-0x00000000747CB000-memory.dmp | 5.7MB
memory/1996-66-0x0000000074220000-0x00000000747CB000-memory.dmp | 5.7MB
memory/1996-54-0x0000000075371000-0x0000000075373000-memory.dmp | 8KB
memory/1996-55-0x0000000074220000-0x00000000747CB000-memory.dmp | 5.7MB
The two 548KB dumps of PID 1644 (0x00402000-0x0048B200, dumps 69 and 73) are the ones the m00nd3v_logger rule matched; together with the 4KB header dumps at 0x00400000 they are the injected image inside RegAsm.exe and are the dumps to pull for unpacking. The 5.7MB region at 0x74220000-0x747CB000 appears in all three .NET processes (1996, 1872, 1644) and is shared runtime code, not payload.