ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8

General

Target

ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe
Size

5.2MB
MD5

56ac386bad012746c76dde506bb664aa
SHA1

4a9c1e46644c3d3a2304d9abf48e1832f5e70953
SHA256

ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8
SHA512

2e93d12959ef2b3622afca1d63bfd28719ced5be5c7cac7477b72e08cfe056b62ff785c8518375479553983b723e1b2af6826d6ec8e28033979acd0fe00d963e
SSDEEP

98304:ik31h3708LQ0tuXd4lVPSMTP8BOAMfnLe+BNXcJFI4AbR3Ru0+O0s0v02Do6kQgq:xDJ5SKKOAMfLDBNXqFjUF0tBd3

Score

9^/10

persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\qli6EA8.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\qli6EA8.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\qli6EA8.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\qli6EA8.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\qli6EA8.tmp	acprotect

Executes dropped EXE 1 IoCs

Processes:

javatrig.exe

pid process

3268 javatrig.exe

pid	process
3268	javatrig.exe

Loads dropped DLL 5 IoCs

Processes:

ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exejavatrig.exe

pid	process
2376	ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe
2376	ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe
3268	javatrig.exe
3268	javatrig.exe
2376	ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe

Drops file in Windows directory 1 IoCs

Processes:

javatrig.exe

description ioc process

File created C:\Windows\vminst.log javatrig.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe

pid process

2376 ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe

description	ioc	process
File created	C:\Windows\vminst.log	javatrig.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exejavatrig.exe

description	pid	process	target process
PID 2376 wrote to memory of 3268	2376	ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe	javatrig.exe
PID 2376 wrote to memory of 3268	2376	ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe	javatrig.exe
PID 2376 wrote to memory of 3268	2376	ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe	javatrig.exe
PID 3268 wrote to memory of 2232	3268	javatrig.exe	pcaui.exe
PID 3268 wrote to memory of 2232	3268	javatrig.exe	pcaui.exe

C:\Users\Admin\AppData\Local\Temp\ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe
"C:\Users\Admin\AppData\Local\Temp\ba16ada6acf94a880ec988a39e614b500196f352f588910a5d05a4de4d3750f8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\javatrig.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\javatrig.exe /l /exe_install /vercheck /wxret
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\system32\pcaui.exe
"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {65fc8e85-fff3-4ca6-a346-5ab7dece50bf} -a "Microsoft JVM" -v "Microsoft" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 1 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\javatrig.exe"
3⤵
PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
90KB

MD5
31b1aa87640fd1c8743918951ea6bc97

SHA1
7f97b54e033c43d76cc6fe7c0e04ba403001b087

SHA256
9825a94130dea65a260b2a33193506fbc16626bc23c6757ba683e037e9a4a546

SHA512
a5fad9bd257aa213ebd2e8f3723bf8e1eaf4a921727f27d4d9714b9c5788d3409fb7561ad857617de7dce84d494855ea6a7dea03e27e0003e362cc88fc181bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\javatrig.exe

Filesize
1021KB

MD5
76f8ced27fff4b9f02c5b7735ba74198

SHA1
56db513068e7b0264d95b28a3efd4d8fb81e28fd

SHA256
f21f20c3fa409cb566e5b5d976175f6da42d06b50e793bbb736acb0778023b8d

SHA512
c22281e4d0f9f274b0ad398a97cb7775ad0e97f022bb4e78d4a73eb0f806a126e0f6983f3ac05ee2e5f245c7fd7c03895fd00cbc38c9d5c38f92946cdac1768c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\javatrig.exe

Filesize
1021KB

MD5
76f8ced27fff4b9f02c5b7735ba74198

SHA1
56db513068e7b0264d95b28a3efd4d8fb81e28fd

SHA256
f21f20c3fa409cb566e5b5d976175f6da42d06b50e793bbb736acb0778023b8d

SHA512
c22281e4d0f9f274b0ad398a97cb7775ad0e97f022bb4e78d4a73eb0f806a126e0f6983f3ac05ee2e5f245c7fd7c03895fd00cbc38c9d5c38f92946cdac1768c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qli6EA8.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qli6EA8.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qli6EA8.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qli6EA8.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qli6EA8.tmp

Filesize
172KB

MD5
fe763c2d71419352141c77c310e600d2

SHA1
6bb51ebcbde9fe5556a74319b49bea37d5542d5e

SHA256
7fdf10ca02d2238e22fda18dfbede9750da9f257221802c8b86c557c19c9bc7b

SHA512
147b3a525b1fef98ae46923dcbe25edfcf7b523f347857466eefa88f09ec053ba309dfbee5f1454ec64aba0518ee21986c4b6a506f8550efb1163c8f04d7482c

Download Submit
memory/2232-140-0x0000000000000000-mapping.dmp

Download
memory/2376-144-0x0000000000A50000-0x0000000000AC3000-memory.dmp

Filesize
460KB

Download
memory/2376-139-0x0000000001000000-0x0000000001515000-memory.dmp

Filesize
5.1MB

Download
memory/2376-132-0x0000000001000000-0x0000000001515000-memory.dmp

Filesize
5.1MB

Download
memory/2376-135-0x0000000000A50000-0x0000000000AC3000-memory.dmp

Filesize
460KB

Download
memory/2376-148-0x0000000001000000-0x0000000001515000-memory.dmp

Filesize
5.1MB

Download
memory/2376-149-0x0000000000A50000-0x0000000000AC3000-memory.dmp

Filesize
460KB

Download
memory/3268-136-0x0000000000000000-mapping.dmp

Download
memory/3268-145-0x00000000021A0000-0x0000000002213000-memory.dmp

Filesize
460KB

Download
memory/3268-146-0x00000000021A0000-0x0000000002213000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads