Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/11/2022, 17:35
Static task
- static1
Behavioral task
- behavioral1
  Sample: f2be302712cf964184b2817333fb2a30ddb27ce667af58228fbc0056fe0b360a.jar
  Resource: win7-20220901-en
Behavioral task
- behavioral2
  Sample: f2be302712cf964184b2817333fb2a30ddb27ce667af58228fbc0056fe0b360a.jar
  Resource: win10v2004-20220812-en
General
- Target: f2be302712cf964184b2817333fb2a30ddb27ce667af58228fbc0056fe0b360a.jar
- Size: 49KB
- MD5: c083fea491f147194d3b90d4e48cfa49
- SHA1: a5af55828ff27ea611e2eca3f19301297572ef7d
- SHA256: f2be302712cf964184b2817333fb2a30ddb27ce667af58228fbc0056fe0b360a
- SHA512: c6209ab3684de5e15a4f9a3f2c87d659f63635916945014df6adffdb5126a5bd8c0aaaaf529e5a94aeb922a1136b85bdffbec2cae1bc72cfc4b1104b3bf70f98
- SSDEEP: 768:9k6CTyR6z0gST8bwui6s0fSxHmB55j25d8jNiTMrHaKFj/ejtTOERqR:9k6C547T4wGsjFC5s5UNEs6KEjtCP
Malware Config
Signatures
- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 2828 attrib.exe
  PID 2700 attrib.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DOsW1fb3MJ = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\BRMEuz4akD\\puyx8f9QIQ.txt\"" (reg.exe)
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DOsW1fb3MJ = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\BRMEuz4akD\\puyx8f9QIQ.txt\"" (reg.exe)
- Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\BRMEuz4akD\Desktop.ini (java.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\BRMEuz4akD\Desktop.ini (attrib.exe)
- Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\tem (java.exe)
  File opened for modification: C:\Windows\tem (java.exe)
  File created: C:\Windows\tem (javaw.exe)
  File opened for modification: C:\Windows\tem (javaw.exe)
- Modifies registry key (1 TTPs, 2 IoCs)
  PID 1956 reg.exe
  PID 3632 reg.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 4460 java.exe
  PID 884 javaw.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 4460 (java.exe) wrote to memory of 1956 (procid_target 81)
  PID 4460 (java.exe) wrote to memory of 1956 (procid_target 81)
  PID 4460 (java.exe) wrote to memory of 2828 (procid_target 82)
  PID 4460 (java.exe) wrote to memory of 2828 (procid_target 82)
  PID 4460 (java.exe) wrote to memory of 2700 (procid_target 84)
  PID 4460 (java.exe) wrote to memory of 2700 (procid_target 84)
  PID 4460 (java.exe) wrote to memory of 884 (procid_target 87)
  PID 4460 (java.exe) wrote to memory of 884 (procid_target 87)
  PID 884 (javaw.exe) wrote to memory of 3632 (procid_target 88)
  PID 884 (javaw.exe) wrote to memory of 3632 (procid_target 88)
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  PID 2828 attrib.exe
  PID 2700 attrib.exe
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\f2be302712cf964184b2817333fb2a30ddb27ce667af58228fbc0056fe0b360a.jar
  PID: 4460
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\reg.exe
    Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v DOsW1fb3MJ /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\BRMEuz4akD\puyx8f9QIQ.txt\"" /f
    PID: 1956
    - Adds Run key to start application
    - Modifies registry key
  - C:\Windows\SYSTEM32\attrib.exe
    Command line: attrib +s +h +r "C:\Users\Admin\AppData\Roaming\BRMEuz4akD\*.*"
    PID: 2828
    - Sets file to hidden
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
  - C:\Windows\SYSTEM32\attrib.exe
    Command line: attrib +s +h +r "C:\Users\Admin\AppData\Roaming\BRMEuz4akD"
    PID: 2700
    - Sets file to hidden
    - Views/modifies file attributes
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\BRMEuz4akD\puyx8f9QIQ.txt"
    PID: 884
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\reg.exe
      Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v DOsW1fb3MJ /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\BRMEuz4akD\puyx8f9QIQ.txt\"" /f
      PID: 3632
      - Adds Run key to start application
      - Modifies registry key
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 50B
  MD5: e1ab0096207f1b079c6f6bbb26151ef4
  SHA1: 866d4d5488da29cd5b9aaa6d68d7bd4c4ace21d9
  SHA256: 8e30982965e1f51897d4b16da1cfe83585f0f56e44821decd9fdfb9cbc8e0ccb
  SHA512: 2cfb550825057388ee91fb5a425c4fe2524cba82535ae7f50afe36e2e96352fbe5656b2bd3b367ef8293f0cf510e6c023c9fc582e3f81d60e4e70e952aa93c72
- Filesize: 63B
  MD5: e783bdd20a976eaeaae1ff4624487420
  SHA1: c2a44fab9df00b3e11582546b16612333c2f9286
  SHA256: 2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3
  SHA512: 8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80
- Filesize: 49KB
  MD5: c083fea491f147194d3b90d4e48cfa49
  SHA1: a5af55828ff27ea611e2eca3f19301297572ef7d
  SHA256: f2be302712cf964184b2817333fb2a30ddb27ce667af58228fbc0056fe0b360a
  SHA512: c6209ab3684de5e15a4f9a3f2c87d659f63635916945014df6adffdb5126a5bd8c0aaaaf529e5a94aeb922a1136b85bdffbec2cae1bc72cfc4b1104b3bf70f98