a57e8d3a34f1c3d8c9faf26002356bf51244b973b5b12f19d893b0abbd5b2687

General

Target

a57e8d3a34f1c3d8c9faf26002356bf51244b973b5b12f19d893b0abbd5b2687.jar
Size

372KB
MD5

0cc92a59b64620e8f541dbb050eda288
SHA1

f899230ba288701e7965dd389ebb8a27e406b0fd
SHA256

a57e8d3a34f1c3d8c9faf26002356bf51244b973b5b12f19d893b0abbd5b2687
SHA512

6d6ae936240308cd3dfdb1a5e46eecb29190214690f516a2cd57741ea3abe70016c297f4f531ec3cb57a45759134b41b7b79f4d3bbd9d770428deae3fa755b94

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\Local Settings	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
936	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
936	AcroRd32.exe
936	AcroRd32.exe
936	AcroRd32.exe
936	AcroRd32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 3708	4040	java.exe	84
PID 4040 wrote to memory of 3708	4040	java.exe	84
PID 4040 wrote to memory of 4504	4040	java.exe	85
PID 4040 wrote to memory of 4504	4040	java.exe	85
PID 4504 wrote to memory of 936	4504	cmd.exe	87
PID 4504 wrote to memory of 936	4504	cmd.exe	87
PID 4504 wrote to memory of 936	4504	cmd.exe	87
PID 936 wrote to memory of 3900	936	AcroRd32.exe	98
PID 936 wrote to memory of 3900	936	AcroRd32.exe	98
PID 936 wrote to memory of 3900	936	AcroRd32.exe	98
PID 936 wrote to memory of 1916	936	AcroRd32.exe	99
PID 936 wrote to memory of 1916	936	AcroRd32.exe	99
PID 936 wrote to memory of 1916	936	AcroRd32.exe	99

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\a57e8d3a34f1c3d8c9faf26002356bf51244b973b5b12f19d893b0abbd5b2687.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\462563338400_9144268669699828144.jar"
  2⤵
  - Drops file in Program Files directory
  PID:3708
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\462563574000_4605553323222397114.pdf
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\462563574000_4605553323222397114.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      PID:3900
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
47974abf8daca80166b604a3bc441d4e

SHA1
172dcefa4bd547839d92ef976a7b1729c0896e53

SHA256
c7b10b6acfc43c43539eb3c7cb500611e23d8790aef372c2f21d06f8368e0c5d

SHA512
b4950a6983a9fd63351fa9f4762d872a10831927ff9ec042d185a0dcae0af9655e3ba5fc144941c0a74b9934d201189450099bc8de132f6d4fff44d0420e5c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\462563338400_9144268669699828144.jar

Filesize
244KB

MD5
26a8dcc8d813e7c541bff12a13a3f9fc

SHA1
a24317e0893c97d52a482e4cd7bd24e91454118a

SHA256
b99c1703b2a58c440d8a861c5bb38b46480f6fb4d423e843d2b60278df2b837f

SHA512
b0531b9b277ce3808bab7f6ce80ab8c9ed0ff17c9091f0737eba64db2f27b556b80b11144c33ae8471e786728409913c639cd8604d54c8315f333dd89830f003

Download Submit
C:\Users\Admin\AppData\Local\Temp\462563574000_4605553323222397114.pdf

Filesize
21KB

MD5
38ac5b30bf85501f678fb8286c704379

SHA1
879cf8a6b67614eeed45a72eeba81142d696e572

SHA256
2cd51a84ba6967752a68f0dacdcf7f5f158aaf0b6384e82d432e171821df280b

SHA512
d486044786628296384bd71dbdf2b80740a1fac8787c5d8cb1a87f911df570fd8af0a92658125d42b15b08cb446e82512b810b15ccbd92d3d6a3be8cee34e5f5

Download Submit
memory/3708-165-0x0000000002900000-0x0000000003900000-memory.dmp

Filesize
16.0MB

Download
memory/3708-169-0x0000000002900000-0x0000000003900000-memory.dmp

Filesize
16.0MB

Download
memory/4040-163-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4040-132-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4040-168-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4040-149-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4040-148-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/4040-140-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads