7165229307e2ab92fd0fe0d79a0d8b7ec1856f1ca43fbd315ad829a99fb5d1ee

Analysis

max time kernel
150s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7165229307e2ab92fd0fe0d79a0d8b7ec1856f1ca43fbd315ad829a99fb5d1ee.exe
Size

1.6MB
MD5

f11e5be0aeec5ce5b583ab640db42711
SHA1

83806b0a1bafeb8855b2047e9073c4008e90f000
SHA256

7165229307e2ab92fd0fe0d79a0d8b7ec1856f1ca43fbd315ad829a99fb5d1ee
SHA512

479ad959a1a0dc850eb676d78e3341c0180fec6a1bf0ab2762dd7dac5664fbc3e40ba3f4be7c1f46f392b9905a0545fc42472f711ff188e8f077cd2b7ecf80eb
SSDEEP

49152:2AMnuPuxR3+6r5OpFl20TWnsEiUEKplw7Uxj0:LWxRl9O00T4s5BMlQUxj0

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7165229307e2ab92fd0fe0d79a0d8b7ec1856f1ca43fbd315ad829a99fb5d1ee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7165229307e2ab92fd0fe0d79a0d8b7ec1856f1ca43fbd315ad829a99fb5d1ee.exe

Drops startup file 1 IoCs

Processes:

javaw.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DarkScape.jar javaw.exe
Loads dropped DLL 1 IoCs

Processes:

javaw.exe

pid process

4820 javaw.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DarkScape.jar	javaw.exe

pid	process
4820	javaw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkScape.jar = "C:\\Users\\Admin\\DarkScape.jar"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

7165229307e2ab92fd0fe0d79a0d8b7ec1856f1ca43fbd315ad829a99fb5d1ee.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	7165229307e2ab92fd0fe0d79a0d8b7ec1856f1ca43fbd315ad829a99fb5d1ee.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

javaw.exe

pid process

4820 javaw.exe
4820 javaw.exe
4820 javaw.exe

pid	process
4820	javaw.exe
4820	javaw.exe
4820	javaw.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7165229307e2ab92fd0fe0d79a0d8b7ec1856f1ca43fbd315ad829a99fb5d1ee.exejavaw.exe

description	pid	process	target process
PID 444 wrote to memory of 4820	444	7165229307e2ab92fd0fe0d79a0d8b7ec1856f1ca43fbd315ad829a99fb5d1ee.exe	javaw.exe
PID 444 wrote to memory of 4820	444	7165229307e2ab92fd0fe0d79a0d8b7ec1856f1ca43fbd315ad829a99fb5d1ee.exe	javaw.exe
PID 4820 wrote to memory of 3028	4820	javaw.exe	REG.exe
PID 4820 wrote to memory of 3028	4820	javaw.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\7165229307e2ab92fd0fe0d79a0d8b7ec1856f1ca43fbd315ad829a99fb5d1ee.exe
"C:\Users\Admin\AppData\Local\Temp\7165229307e2ab92fd0fe0d79a0d8b7ec1856f1ca43fbd315ad829a99fb5d1ee.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:444

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\DarkScape.jar"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SYSTEM32\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "DarkScape.jar" /t REG_SZ /F /D "C:\Users\Admin\DarkScape.jar"
3⤵
- Adds Run key to start application
PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DarkScape.jar

Filesize
1.5MB

MD5
2e546e90056ceb5561e941f3db202154

SHA1
6252949737c1e99459edd10c3f713f11ae84550a

SHA256
f292cb1e26a33356dfbb37ccbf13ef7552460d299820be59813c8b87a2db796f

SHA512
b6cc2d728b4edcd4c4325ded00fede3f8e45ec96078f0539cfa51ae05ead0d036d9912816cbc312482ecb75613e7b2dc3b5feee8e0a493c5ed600fae385accff

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook_2256025970430355596.dll

Filesize
57KB

MD5
d12501aaf90c14a87678c1199c332694

SHA1
47a09b3b92928d9076ad162d2f03f3426fe38095

SHA256
fc23a64cc52f5b19e310a8d96b1fbfec981310359bda907f5931a53360485fbc

SHA512
ee0cc22ba3c28fdf1cfd1721b466f8ccd0ac590ea37f7be77a8c7e8ed9aa7ee563921b2106e9ca05cd606706eaf17b4f835053104da4567b75f1f6ccb7e6ce94

Download Submit
memory/444-132-0x0000000000FF0000-0x0000000000FFE000-memory.dmp

Filesize
56KB

Download
memory/444-133-0x0000000005A70000-0x0000000005B0C000-memory.dmp

Filesize
624KB

Download
memory/444-134-0x00000000060C0000-0x0000000006664000-memory.dmp

Filesize
5.6MB

Download
memory/444-135-0x0000000005B10000-0x0000000005BA2000-memory.dmp

Filesize
584KB

Download
memory/444-136-0x0000000005BD0000-0x0000000005BDA000-memory.dmp

Filesize
40KB

Download
memory/444-137-0x0000000005C40000-0x0000000005C96000-memory.dmp

Filesize
344KB

Download
memory/3028-152-0x0000000000000000-mapping.dmp

Download
memory/4820-138-0x0000000000000000-mapping.dmp

Download
memory/4820-144-0x00000000026A0000-0x00000000036A0000-memory.dmp

Filesize
16.0MB

Download
memory/4820-150-0x00000000026A0000-0x00000000036A0000-memory.dmp

Filesize
16.0MB

Download