ac65f03a3be26aa47f5338570fe338e3d0a89a15d74d12089466540975f5654d

General

Target

tmp.exe
Size

405KB
MD5

0e27480e43e0585cfae5e08a966dc9c8
SHA1

a59d1be2fbf89a529745725933ca6e1f41d9b4ac
SHA256

ac65f03a3be26aa47f5338570fe338e3d0a89a15d74d12089466540975f5654d
SHA512

2cd5e128af8ab578178899973c79853fbc072e83880932cd26f9824cd3655bc2ea24400d78fc80ed5f9d7ff74aca7af47c1c186814f924b330c326fc43bd4728
SSDEEP

6144:RWWmZUA+FX/TQB7Ysv5AvfITQocgDh+gDRUxBO:8WxA+FyvZug6T

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

java.exe

pid process

212 java.exe

pid	process
212	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Oracle\\java.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\Oracle\\java.exe"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

java.exe

description pid process target process

PID 212 set thread context of 5020 212 java.exe svchost.exe
PID 212 set thread context of 4664 212 java.exe explorer.exe

description	pid	process	target process
PID 212 set thread context of 5020	212	java.exe	svchost.exe
PID 212 set thread context of 4664	212	java.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

tmp.exejava.exesvchost.exeexplorer.exe

pid	process
5080	tmp.exe
5080	tmp.exe
5080	tmp.exe
5080	tmp.exe
212	java.exe
212	java.exe
212	java.exe
212	java.exe
5020	svchost.exe
5020	svchost.exe
5020	svchost.exe
5020	svchost.exe
4664	explorer.exe
4664	explorer.exe
4664	explorer.exe
4664	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmp.exejava.exesvchost.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	5080	tmp.exe
Token: SeDebugPrivilege	212	java.exe
Token: SeDebugPrivilege	5020	svchost.exe
Token: SeDebugPrivilege	4664	explorer.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

tmp.exejava.exe

description	pid	process	target process
PID 5080 wrote to memory of 212	5080	tmp.exe	java.exe
PID 5080 wrote to memory of 212	5080	tmp.exe	java.exe
PID 212 wrote to memory of 5020	212	java.exe	svchost.exe
PID 212 wrote to memory of 5020	212	java.exe	svchost.exe
PID 212 wrote to memory of 5020	212	java.exe	svchost.exe
PID 212 wrote to memory of 5020	212	java.exe	svchost.exe
PID 212 wrote to memory of 4664	212	java.exe	explorer.exe
PID 212 wrote to memory of 4664	212	java.exe	explorer.exe
PID 212 wrote to memory of 4664	212	java.exe	explorer.exe
PID 212 wrote to memory of 4664	212	java.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080

C:\ProgramData\Oracle\java.exe
"C:\ProgramData\Oracle\java.exe" {9BD1DCD7-3729-4AF2-9B63-2C886FDD565E}
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\java.exe

Filesize
405KB

MD5
0e27480e43e0585cfae5e08a966dc9c8

SHA1
a59d1be2fbf89a529745725933ca6e1f41d9b4ac

SHA256
ac65f03a3be26aa47f5338570fe338e3d0a89a15d74d12089466540975f5654d

SHA512
2cd5e128af8ab578178899973c79853fbc072e83880932cd26f9824cd3655bc2ea24400d78fc80ed5f9d7ff74aca7af47c1c186814f924b330c326fc43bd4728

Download Submit
C:\ProgramData\Oracle\java.exe

Filesize
405KB

MD5
0e27480e43e0585cfae5e08a966dc9c8

SHA1
a59d1be2fbf89a529745725933ca6e1f41d9b4ac

SHA256
ac65f03a3be26aa47f5338570fe338e3d0a89a15d74d12089466540975f5654d

SHA512
2cd5e128af8ab578178899973c79853fbc072e83880932cd26f9824cd3655bc2ea24400d78fc80ed5f9d7ff74aca7af47c1c186814f924b330c326fc43bd4728

Download Submit
C:\Users\Admin\AppData\Local\Temp\{00CE3573-C146-41D7-8996-CFED23D62D28}

Filesize
288KB

MD5
30f08bf9de767c872a571e98daa89ee7

SHA1
4babc2ba6529e59349d9f70061bfb3dbe62c570a

SHA256
b99811ff223f75c0b58906ca3fa8e31e2dd19ab1f64e236e2408c44831b79262

SHA512
2b0656486e4640b30b0b55b9e3a960a731f2b8b65970d828986afbb15a17d382237fc2850e6e2b3562351a27006be90d21159250027325a85cb2725b2f8f4ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{00CE3573-C146-41D7-8996-CFED23D62D28}

Filesize
288KB

MD5
30f08bf9de767c872a571e98daa89ee7

SHA1
4babc2ba6529e59349d9f70061bfb3dbe62c570a

SHA256
b99811ff223f75c0b58906ca3fa8e31e2dd19ab1f64e236e2408c44831b79262

SHA512
2b0656486e4640b30b0b55b9e3a960a731f2b8b65970d828986afbb15a17d382237fc2850e6e2b3562351a27006be90d21159250027325a85cb2725b2f8f4ffd

Download Submit
memory/212-132-0x0000000000000000-mapping.dmp

Download
memory/4664-151-0x0000000000A00000-mapping.dmp

Download
memory/4664-153-0x0000000002520000-0x0000000002570000-memory.dmp

Filesize
320KB

Download
memory/5020-136-0x000001D4D8990000-0x000001D4D8992000-memory.dmp

Filesize
8KB

Download
memory/5020-138-0x000001D4D8940000-mapping.dmp

Download
memory/5020-135-0x000001D4D8940000-0x000001D4D8981000-memory.dmp

Filesize
260KB

Download
memory/5020-140-0x000001D4DA470000-0x000001D4DA4C0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads