Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 19:01
Static task: static1
Behavioral task: behavioral1
- Sample: 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe
- Resource: win10v2004-20220901-en
General
- Target: 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe
- Size: 130KB
- MD5: 10ed6c9d1c6eb8dcc4dafc439b87f09f
- SHA1: 18ecd407f57e996c1afb45178eee4e194644c621
- SHA256: 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184
- SHA512: eb41723d0bb850df7ae0d8b6b635cf6f25e3636651f5cb314d4fb2549c53d41fd7e4df40b4872c055e18508d13cf99aa585c7b69fa3a266dc793013126511a51
- SSDEEP: 3072:cQ+pn2s/4CYUBn2XZkKSubtvtk5SW9ujjtqgDAHU:zsnb5YU0XZCubV2Ur9dsU
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 3576 javaz.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe)
- Drops desktop.ini file(s) (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\assembly\Desktop.ini (62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe)
  - File opened for modification: C:\Windows\assembly\Desktop.ini (62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe)
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\assembly\Desktop.ini (62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe)
  - File opened for modification: C:\Windows\assembly\Desktop.ini (62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe)
  - File opened for modification: C:\Windows\assembly (62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 4988 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe
  - 3576 javaz.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 4988 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe
  - Token: 33, 4988 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe
  - Token: SeIncBasePriorityPrivilege, 4988 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe
  - Token: SeDebugPrivilege, 3576 javaz.exe
  - Token: 33, 3576 javaz.exe
  - Token: SeIncBasePriorityPrivilege, 3576 javaz.exe
  - (the remaining entries, up to the 64 listed, alternate Token: 33 and Token: SeIncBasePriorityPrivilege for 3576 javaz.exe)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
  - 4988 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe
  - 4988 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe
  - 3576 javaz.exe
  - 3576 javaz.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 4988 wrote to memory of 1992: 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe -> cmd.exe
  - PID 4988 wrote to memory of 1992: 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe -> cmd.exe
  - PID 1992 wrote to memory of 2612: cmd.exe -> PING.EXE
  - PID 1992 wrote to memory of 2612: cmd.exe -> PING.EXE
  - PID 4988 wrote to memory of 3576: 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe -> javaz.exe
  - PID 4988 wrote to memory of 3576: 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe -> javaz.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe (PID 4988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe"
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 1992)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 1 -w 10 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (PID 2612)
      Command line: ping 1.1.1.1 -n 1 -w 10
      - Runs ping.exe
  - C:\Users\Admin\AppData\Roaming\javaz.exe (PID 3576)
    Command line: "C:\Users\Admin\AppData\Roaming\javaz.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\javaz.exe
  Filesize: 130KB
  MD5: 10ed6c9d1c6eb8dcc4dafc439b87f09f
  SHA1: 18ecd407f57e996c1afb45178eee4e194644c621
  SHA256: 62705f5679bb10e1d0c86bb142a9d2e636f89738e8abcda8ccf86318f8a69184
  SHA512: eb41723d0bb850df7ae0d8b6b635cf6f25e3636651f5cb314d4fb2549c53d41fd7e4df40b4872c055e18508d13cf99aa585c7b69fa3a266dc793013126511a51
- memory/1992-134-0x0000000000000000-mapping.dmp
- memory/2612-135-0x0000000000000000-mapping.dmp
- memory/3576-136-0x0000000000000000-mapping.dmp
- memory/3576-139-0x00007FFD4F950000-0x00007FFD50386000-memory.dmp (Filesize: 10.2MB)
- memory/3576-140-0x0000000000F40000-0x0000000000F50000-memory.dmp (Filesize: 64KB)
- memory/3576-142-0x0000000000F40000-0x0000000000F50000-memory.dmp (Filesize: 64KB)
- memory/4988-132-0x00007FFD4F950000-0x00007FFD50386000-memory.dmp (Filesize: 10.2MB)
- memory/4988-133-0x0000000000ECA000-0x0000000000ECF000-memory.dmp (Filesize: 20KB)
- memory/4988-141-0x0000000000ECA000-0x0000000000ECF000-memory.dmp (Filesize: 20KB)