Analysis

- max time kernel: 139s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-08-2022 12:58
Static task: static1

Behavioral task: behavioral1
- Sample: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
- Resource: win7-20220715-en (windows7-x64)
- 3 signatures, 150 seconds

Behavioral task: behavioral2
- Sample: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
- Resource: win10v2004-20220721-en (windows10-2004-x64)
- 4 signatures, 150 seconds
General

- Target: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
- Size: 185KB
- MD5: 8535942f58ba61ce5ce0755d7570f22f
- SHA1: fb6c95fa16c2e91f22ac4e8d73233962e645c6bd
- SHA256: 308dcf6540932d062dd10a24fefd25d6660afe60dea76c9fa5612ae0f4cb4cda
- SHA512: 9ac96be4ae70460ee80918598584d88e765173b5f143eb094c0f66c5d4a942370c45ff60599aedcee38fbf15901a0e198f11057821bf2b8907c4a9a9387e10c9
- Score: 4/10
Malware Config
Signatures
-
Drops file in Program Files directory (12 IoCs)

Process: java.exe. Every row is a "File opened for modification" event on a .pdb debug-symbol file under the sandbox image's JRE install (jre1.8.0_66); the report records no file being created, so these are symbol-lookup paths being probed, not a dropped payload.

- C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb
- C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)

Processes: wmic.exe (pid 2572), wmic.exe (pid 3100). Each row has the form "Token: <privilege> <pid> <process>". The same 21-entry sequence is enabled each time: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36.

- pid 2572 wmic.exe: the full sequence, twice (42 IoCs)
- pid 3100 wmic.exe: the full sequence once, followed by one more SeIncreaseQuotaPrivilege (22 IoCs)

AdjustTokenPrivileges can only enable privileges the token already holds, so these rows reflect the privileges of the account that launched the sample (the Admin user in the sandbox), not privileges gained by it.
-
Suspicious use of SetWindowsHookEx (1 IoC)

- pid 4528 java.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)

java.exe (pid 4528) wrote to the memory of each of its four wmic.exe children; each write is recorded twice. This pattern is consistent with ordinary process creation, where the parent writes the child's startup parameters into the new address space before the child runs.

- 4528 java.exe -> 2572 wmic.exe (2 IoCs)
- 4528 java.exe -> 3100 wmic.exe (2 IoCs)
- 4528 java.exe -> 680 wmic.exe (2 IoCs)
- 4528 java.exe -> 3684 wmic.exe (2 IoCs)
Processes

1. C:\ProgramData\Oracle\Java\javapath\java.exe (pid 4528)
   Command line: java -jar C:\Users\Admin\AppData\Local\Temp\CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
   - Drops file in Program Files directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic CPU get ProcessorId
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic bios get serialnumber
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic csproduct get name

   2. C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic csproduct get UUID

The four child processes (pids 2572, 3100, 680 and 3684 per the WriteProcessMemory IoCs) query the CPU ID, BIOS serial number, system product name and system UUID. Those four values are the usual inputs for a per-machine fingerprint, which is the behaviour worth alerting on here: a JVM launched from a user's Temp directory has no routine reason to enumerate hardware identifiers through WMIC.
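The process tree above is what WMIC-based host fingerprinting looks like in telemetry: a script host spawns several short-lived wmic.exe children, each reading one hardware identifier. The rule below is an added example written for this page, not code from the sandbox or the sample; it correlates Sysmon Event ID 1 (ProcessCreate) style records by parent process and alerts when one parent collects two or more distinct hardware identifiers inside a time window. The event records, field names (ParentImage, Image, CommandLine, ProcessId, ParentProcessId, UtcTime) and timestamps are constructed to mirror the tree above; the pids are the report's, the threshold and window are assumptions you should tune to your environment. The query list goes beyond the four queries the sample ran and includes the common sibling identifiers (baseboard and disk serials).

```python
"""Correlation rule for WMIC-based host fingerprinting launched from a script host.

Added example, not part of the sandbox report or the sample. Records follow the
Sysmon Event ID 1 (ProcessCreate) field names; the sample events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "wmic <alias> get <property>" pairs that return stable per-machine identifiers.
# The first four are exactly what the sample ran; the rest are common siblings.
HW_ID_QUERIES = {
    ("cpu", "processorid"),
    ("bios", "serialnumber"),
    ("csproduct", "name"),
    ("csproduct", "uuid"),
    ("baseboard", "serialnumber"),
    ("diskdrive", "serialnumber"),
}

# Parents that have no routine reason to enumerate hardware IDs via WMIC (assumption).
SCRIPT_HOST_PARENTS = {"java.exe", "javaw.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}

# Matches `wmic alias get prop[,prop...]`, invoked as "wmic" or by full (quoted) path.
WMIC_RE = re.compile(r'^\s*"?(?:[^\s"]*[\\/])?wmic(?:\.exe)?"?\s+(\w+)\s+get\s+([\w,]+)', re.I)


def classify_wmic(cmdline):
    """Return the set of (alias, property) hardware-ID pairs a WMIC command line queries."""
    m = WMIC_RE.match(cmdline)
    if not m:
        return set()
    alias = m.group(1).lower()
    props = {p.lower() for p in m.group(2).split(",") if p}
    return {(alias, p) for p in props if (alias, p) in HW_ID_QUERIES}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_fingerprinting(events, min_queries=2, window=timedelta(seconds=60)):
    """Alert when one parent spawns wmic.exe children that together query at least
    `min_queries` distinct hardware identifiers inside `window` (both thresholds assumed)."""
    per_parent = defaultdict(list)
    for ev in events:
        if _basename(ev["Image"]) != "wmic.exe":
            continue
        hits = classify_wmic(ev["CommandLine"])
        if not hits:
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        per_parent[(ev["ParentImage"], ev["ParentProcessId"])].append((ts, ev["ProcessId"], hits))

    alerts = []
    for (parent_image, ppid), rows in per_parent.items():
        rows.sort(key=lambda r: r[0])
        # Sliding window anchored at each query; the first window that reaches the
        # threshold yields one alert for this parent.
        for i, (t0, _, _) in enumerate(rows):
            queried, children = set(), []
            for ts, pid, hits in rows[i:]:
                if ts - t0 > window:
                    break
                queried |= hits
                children.append(pid)
            if len(queried) >= min_queries:
                alerts.append({
                    "parent_image": parent_image,
                    "parent_pid": ppid,
                    "children": children,
                    "queries": queried,
                    "severity": "high" if _basename(parent_image) in SCRIPT_HOST_PARENTS else "low",
                })
                break
    return alerts


JAVA = r"C:\ProgramData\Oracle\Java\javapath\java.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"


def _ev(t, pid, image, cmd, ppid, pimage):
    return {"UtcTime": t, "ProcessId": pid, "Image": image, "CommandLine": cmd,
            "ParentProcessId": ppid, "ParentImage": pimage}


# Constructed records: the sample's four queries from java.exe (pid 4528) plus two
# unrelated WMIC uses (an OS query, and a lone admin query from cmd.exe) that must not alert.
SAMPLE_EVENTS = [
    _ev("2022-08-05 12:58:41.100", 2572, WMIC, "wmic CPU get ProcessorId", 4528, JAVA),
    _ev("2022-08-05 12:58:41.350", 3100, WMIC, "wmic bios get serialnumber", 4528, JAVA),
    _ev("2022-08-05 12:58:41.600", 680, WMIC, "wmic csproduct get name", 4528, JAVA),
    _ev("2022-08-05 12:58:41.900", 3684, WMIC, "wmic csproduct get UUID", 4528, JAVA),
    _ev("2022-08-05 12:59:02.000", 5120, WMIC, "wmic os get caption", 1488, r"C:\Windows\explorer.exe"),
    _ev("2022-08-05 13:02:15.000", 5204, WMIC, f'"{WMIC}" bios get serialnumber', 1900, r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for alert in detect_fingerprinting(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the rule raises a single high-severity alert for java.exe (pid 4528) listing children 2572, 3100, 680 and 3684 and the four identifiers queried; the explorer.exe OS query does not match any identifier, and the single cmd.exe serial-number query stays below the threshold. In production, feed it your Sysmon or EDR process-creation stream and keep the parent allow-list short: inventory agents that legitimately run these queries are better excluded by signed image path than by name.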
Network
MITRE ATT&CK Matrix
Downloads

Memory dumps taken during the run. The four java.exe (pid 4528) dumps cover the same 16 MB region (0x028B0000-0x038B0000) captured at successive points; the wmic.exe entries are process-mapping dumps only.

- memory/680-143-0x0000000000000000-mapping.dmp
- memory/2572-141-0x0000000000000000-mapping.dmp
- memory/3100-142-0x0000000000000000-mapping.dmp
- memory/3684-144-0x0000000000000000-mapping.dmp
- memory/4528-134-0x00000000028B0000-0x00000000038B0000-memory.dmp (16.0MB)
- memory/4528-145-0x00000000028B0000-0x00000000038B0000-memory.dmp (16.0MB)
- memory/4528-147-0x00000000028B0000-0x00000000038B0000-memory.dmp (16.0MB)
- memory/4528-148-0x00000000028B0000-0x00000000038B0000-memory.dmp (16.0MB)