308dcf6540932d062dd10a24fefd25d6660afe60dea76c9fa5612ae0f4cb4cda

General

Target

CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
Size

185KB
MD5

8535942f58ba61ce5ce0755d7570f22f
SHA1

fb6c95fa16c2e91f22ac4e8d73233962e645c6bd
SHA256

308dcf6540932d062dd10a24fefd25d6660afe60dea76c9fa5612ae0f4cb4cda
SHA512

9ac96be4ae70460ee80918598584d88e765173b5f143eb094c0f66c5d4a942370c45ff60599aedcee38fbf15901a0e198f11057821bf2b8907c4a9a9387e10c9

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 12 IoCs

Processes:

java.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	java.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2572	wmic.exe
Token: SeSecurityPrivilege	2572	wmic.exe
Token: SeTakeOwnershipPrivilege	2572	wmic.exe
Token: SeLoadDriverPrivilege	2572	wmic.exe
Token: SeSystemProfilePrivilege	2572	wmic.exe
Token: SeSystemtimePrivilege	2572	wmic.exe
Token: SeProfSingleProcessPrivilege	2572	wmic.exe
Token: SeIncBasePriorityPrivilege	2572	wmic.exe
Token: SeCreatePagefilePrivilege	2572	wmic.exe
Token: SeBackupPrivilege	2572	wmic.exe
Token: SeRestorePrivilege	2572	wmic.exe
Token: SeShutdownPrivilege	2572	wmic.exe
Token: SeDebugPrivilege	2572	wmic.exe
Token: SeSystemEnvironmentPrivilege	2572	wmic.exe
Token: SeRemoteShutdownPrivilege	2572	wmic.exe
Token: SeUndockPrivilege	2572	wmic.exe
Token: SeManageVolumePrivilege	2572	wmic.exe
Token: 33	2572	wmic.exe
Token: 34	2572	wmic.exe
Token: 35	2572	wmic.exe
Token: 36	2572	wmic.exe
Token: SeIncreaseQuotaPrivilege	2572	wmic.exe
Token: SeSecurityPrivilege	2572	wmic.exe
Token: SeTakeOwnershipPrivilege	2572	wmic.exe
Token: SeLoadDriverPrivilege	2572	wmic.exe
Token: SeSystemProfilePrivilege	2572	wmic.exe
Token: SeSystemtimePrivilege	2572	wmic.exe
Token: SeProfSingleProcessPrivilege	2572	wmic.exe
Token: SeIncBasePriorityPrivilege	2572	wmic.exe
Token: SeCreatePagefilePrivilege	2572	wmic.exe
Token: SeBackupPrivilege	2572	wmic.exe
Token: SeRestorePrivilege	2572	wmic.exe
Token: SeShutdownPrivilege	2572	wmic.exe
Token: SeDebugPrivilege	2572	wmic.exe
Token: SeSystemEnvironmentPrivilege	2572	wmic.exe
Token: SeRemoteShutdownPrivilege	2572	wmic.exe
Token: SeUndockPrivilege	2572	wmic.exe
Token: SeManageVolumePrivilege	2572	wmic.exe
Token: 33	2572	wmic.exe
Token: 34	2572	wmic.exe
Token: 35	2572	wmic.exe
Token: 36	2572	wmic.exe
Token: SeIncreaseQuotaPrivilege	3100	wmic.exe
Token: SeSecurityPrivilege	3100	wmic.exe
Token: SeTakeOwnershipPrivilege	3100	wmic.exe
Token: SeLoadDriverPrivilege	3100	wmic.exe
Token: SeSystemProfilePrivilege	3100	wmic.exe
Token: SeSystemtimePrivilege	3100	wmic.exe
Token: SeProfSingleProcessPrivilege	3100	wmic.exe
Token: SeIncBasePriorityPrivilege	3100	wmic.exe
Token: SeCreatePagefilePrivilege	3100	wmic.exe
Token: SeBackupPrivilege	3100	wmic.exe
Token: SeRestorePrivilege	3100	wmic.exe
Token: SeShutdownPrivilege	3100	wmic.exe
Token: SeDebugPrivilege	3100	wmic.exe
Token: SeSystemEnvironmentPrivilege	3100	wmic.exe
Token: SeRemoteShutdownPrivilege	3100	wmic.exe
Token: SeUndockPrivilege	3100	wmic.exe
Token: SeManageVolumePrivilege	3100	wmic.exe
Token: 33	3100	wmic.exe
Token: 34	3100	wmic.exe
Token: 35	3100	wmic.exe
Token: 36	3100	wmic.exe
Token: SeIncreaseQuotaPrivilege	3100	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

4528 java.exe

pid	process
4528	java.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

java.exe

description	pid	process	target process
PID 4528 wrote to memory of 2572	4528	java.exe	wmic.exe
PID 4528 wrote to memory of 2572	4528	java.exe	wmic.exe
PID 4528 wrote to memory of 3100	4528	java.exe	wmic.exe
PID 4528 wrote to memory of 3100	4528	java.exe	wmic.exe
PID 4528 wrote to memory of 680	4528	java.exe	wmic.exe
PID 4528 wrote to memory of 680	4528	java.exe	wmic.exe
PID 4528 wrote to memory of 3684	4528	java.exe	wmic.exe
PID 4528 wrote to memory of 3684	4528	java.exe	wmic.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\System32\Wbem\wmic.exe
wmic CPU get ProcessorId
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\System32\Wbem\wmic.exe
wmic bios get serialnumber
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get name
2⤵
PID:680

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
2⤵
PID:3684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-143-0x0000000000000000-mapping.dmp

Download
memory/2572-141-0x0000000000000000-mapping.dmp

Download
memory/3100-142-0x0000000000000000-mapping.dmp

Download
memory/3684-144-0x0000000000000000-mapping.dmp

Download
memory/4528-134-0x00000000028B0000-0x00000000038B0000-memory.dmp

Filesize
16.0MB

Download
memory/4528-145-0x00000000028B0000-0x00000000038B0000-memory.dmp

Filesize
16.0MB

Download
memory/4528-147-0x00000000028B0000-0x00000000038B0000-memory.dmp

Filesize
16.0MB

Download
memory/4528-148-0x00000000028B0000-0x00000000038B0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads