Analysis
- max time kernel: 42s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 05-08-2022 12:58
Static task: static1

Behavioral task: behavioral1
  Sample: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
  Resource: win7-20220715-en (windows7-x64)
  3 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
  Resource: win10v2004-20220721-en (windows10-2004-x64)
  4 signatures, 150 seconds
General
- Target: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
- Size: 185KB
- MD5: 8535942f58ba61ce5ce0755d7570f22f
- SHA1: fb6c95fa16c2e91f22ac4e8d73233962e645c6bd
- SHA256: 308dcf6540932d062dd10a24fefd25d6660afe60dea76c9fa5612ae0f4cb4cda
- SHA512: 9ac96be4ae70460ee80918598584d88e765173b5f143eb094c0f66c5d4a942370c45ff60599aedcee38fbf15901a0e198f11057821bf2b8907c4a9a9387e10c9
- Score: 1/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: wmic.exe, wmic.exe

description                            pid   process
Token: SeIncreaseQuotaPrivilege        1020  wmic.exe
Token: SeSecurityPrivilege             1020  wmic.exe
Token: SeTakeOwnershipPrivilege        1020  wmic.exe
Token: SeLoadDriverPrivilege           1020  wmic.exe
Token: SeSystemProfilePrivilege        1020  wmic.exe
Token: SeSystemtimePrivilege           1020  wmic.exe
Token: SeProfSingleProcessPrivilege    1020  wmic.exe
Token: SeIncBasePriorityPrivilege      1020  wmic.exe
Token: SeCreatePagefilePrivilege       1020  wmic.exe
Token: SeBackupPrivilege               1020  wmic.exe
Token: SeRestorePrivilege              1020  wmic.exe
Token: SeShutdownPrivilege             1020  wmic.exe
Token: SeDebugPrivilege                1020  wmic.exe
Token: SeSystemEnvironmentPrivilege    1020  wmic.exe
Token: SeRemoteShutdownPrivilege       1020  wmic.exe
Token: SeUndockPrivilege               1020  wmic.exe
Token: SeManageVolumePrivilege         1020  wmic.exe
Token: 33                              1020  wmic.exe
Token: 34                              1020  wmic.exe
Token: 35                              1020  wmic.exe
Token: SeIncreaseQuotaPrivilege        1020  wmic.exe
Token: SeSecurityPrivilege             1020  wmic.exe
Token: SeTakeOwnershipPrivilege        1020  wmic.exe
Token: SeLoadDriverPrivilege           1020  wmic.exe
Token: SeSystemProfilePrivilege        1020  wmic.exe
Token: SeSystemtimePrivilege           1020  wmic.exe
Token: SeProfSingleProcessPrivilege    1020  wmic.exe
Token: SeIncBasePriorityPrivilege      1020  wmic.exe
Token: SeCreatePagefilePrivilege       1020  wmic.exe
Token: SeBackupPrivilege               1020  wmic.exe
Token: SeRestorePrivilege              1020  wmic.exe
Token: SeShutdownPrivilege             1020  wmic.exe
Token: SeDebugPrivilege                1020  wmic.exe
Token: SeSystemEnvironmentPrivilege    1020  wmic.exe
Token: SeRemoteShutdownPrivilege       1020  wmic.exe
Token: SeUndockPrivilege               1020  wmic.exe
Token: SeManageVolumePrivilege         1020  wmic.exe
Token: 33                              1020  wmic.exe
Token: 34                              1020  wmic.exe
Token: 35                              1020  wmic.exe
Token: SeIncreaseQuotaPrivilege        1688  wmic.exe
Token: SeSecurityPrivilege             1688  wmic.exe
Token: SeTakeOwnershipPrivilege        1688  wmic.exe
Token: SeLoadDriverPrivilege           1688  wmic.exe
Token: SeSystemProfilePrivilege        1688  wmic.exe
Token: SeSystemtimePrivilege           1688  wmic.exe
Token: SeProfSingleProcessPrivilege    1688  wmic.exe
Token: SeIncBasePriorityPrivilege      1688  wmic.exe
Token: SeCreatePagefilePrivilege       1688  wmic.exe
Token: SeBackupPrivilege               1688  wmic.exe
Token: SeRestorePrivilege              1688  wmic.exe
Token: SeShutdownPrivilege             1688  wmic.exe
Token: SeDebugPrivilege                1688  wmic.exe
Token: SeSystemEnvironmentPrivilege    1688  wmic.exe
Token: SeRemoteShutdownPrivilege       1688  wmic.exe
Token: SeUndockPrivilege               1688  wmic.exe
Token: SeManageVolumePrivilege         1688  wmic.exe
Token: 33                              1688  wmic.exe
Token: 34                              1688  wmic.exe
Token: 35                              1688  wmic.exe
Token: SeIncreaseQuotaPrivilege        1688  wmic.exe
Token: SeSecurityPrivilege             1688  wmic.exe
Token: SeTakeOwnershipPrivilege        1688  wmic.exe
Token: SeLoadDriverPrivilege           1688  wmic.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: java.exe

pid   process
2000  java.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: java.exe

description                       pid   process   target process
PID 2000 wrote to memory of 1020  2000  java.exe  wmic.exe
PID 2000 wrote to memory of 1020  2000  java.exe  wmic.exe
PID 2000 wrote to memory of 1020  2000  java.exe  wmic.exe
PID 2000 wrote to memory of 1688  2000  java.exe  wmic.exe
PID 2000 wrote to memory of 1688  2000  java.exe  wmic.exe
PID 2000 wrote to memory of 1688  2000  java.exe  wmic.exe
PID 2000 wrote to memory of 1052  2000  java.exe  wmic.exe
PID 2000 wrote to memory of 1052  2000  java.exe  wmic.exe
PID 2000 wrote to memory of 1052  2000  java.exe  wmic.exe
PID 2000 wrote to memory of 1560  2000  java.exe  wmic.exe
PID 2000 wrote to memory of 1560  2000  java.exe  wmic.exe
PID 2000 wrote to memory of 1560  2000  java.exe  wmic.exe
Processes
- Level 1: C:\Windows\system32\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic CPU get ProcessorId
    - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic bios get serialnumber
    - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic csproduct get name
  - Level 2: C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic csproduct get UUID
Network
MITRE ATT&CK Matrix
Downloads
- memory/1020-65-0x0000000000000000-mapping.dmp
- memory/1052-67-0x0000000000000000-mapping.dmp
- memory/1560-68-0x0000000000000000-mapping.dmp
- memory/1688-66-0x0000000000000000-mapping.dmp
- memory/2000-54-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp (Filesize: 8KB)
- memory/2000-64-0x0000000002210000-0x0000000005210000-memory.dmp (Filesize: 48.0MB)