Analysis
-
max time kernel
150s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 08:44
Static task
static1
Behavioral task
behavioral1
Sample
0de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
0de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2.exe
Resource
win10v2004-20220812-en
General
-
Target
0de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2.exe
-
Size
43KB
-
MD5
b3b7928df11b3aaec19591b4e3b7b46a
-
SHA1
0476371c4c6a11ba1cb345df83645b88c49001af
-
SHA256
0de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2
-
SHA512
0a329afee4c977e60db155fb3cba84441621c25524f88ae6e3b83957c2458521845269f98c059ecd2eb0e4f580b74ceb43ef05c4d1f89feaf2100962f760b869
-
SSDEEP
768:Ki/Pl86Jgr/SuuEf+rG9WTnu2GB581M6HDjH+Qqvtq1ssIl1qd46QBMNMp2mF6H2:5WWbrBJPE22qd4lBMxHCCrk
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
java.exepid process 4740 java.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 0de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2.exe -
Drops startup file 2 IoCs
Processes:
java.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b782f73214429c3d9bc5c4dba38019f.exe java.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b782f73214429c3d9bc5c4dba38019f.exe java.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
java.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6b782f73214429c3d9bc5c4dba38019f = "\"C:\\Users\\Admin\\AppData\\Roaming\\java.exe\" .." java.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6b782f73214429c3d9bc5c4dba38019f = "\"C:\\Users\\Admin\\AppData\\Roaming\\java.exe\" .." java.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
java.exepid process 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe 4740 java.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
java.exedescription pid process Token: SeDebugPrivilege 4740 java.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
0de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2.exejava.exedescription pid process target process PID 4004 wrote to memory of 4740 4004 0de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2.exe java.exe PID 4004 wrote to memory of 4740 4004 0de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2.exe java.exe PID 4004 wrote to memory of 4740 4004 0de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2.exe java.exe PID 4740 wrote to memory of 4760 4740 java.exe netsh.exe PID 4740 wrote to memory of 4760 4740 java.exe netsh.exe PID 4740 wrote to memory of 4760 4740 java.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2.exe"C:\Users\Admin\AppData\Local\Temp\0de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\java.exe"C:\Users\Admin\AppData\Roaming\java.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\java.exe" "java.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\java.exeFilesize
43KB
MD5b3b7928df11b3aaec19591b4e3b7b46a
SHA10476371c4c6a11ba1cb345df83645b88c49001af
SHA2560de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2
SHA5120a329afee4c977e60db155fb3cba84441621c25524f88ae6e3b83957c2458521845269f98c059ecd2eb0e4f580b74ceb43ef05c4d1f89feaf2100962f760b869
-
C:\Users\Admin\AppData\Roaming\java.exeFilesize
43KB
MD5b3b7928df11b3aaec19591b4e3b7b46a
SHA10476371c4c6a11ba1cb345df83645b88c49001af
SHA2560de21e4e566f35d8ce3b060c9fc09e0fde04e3ef016c0f8d2e4a68f584f2dcb2
SHA5120a329afee4c977e60db155fb3cba84441621c25524f88ae6e3b83957c2458521845269f98c059ecd2eb0e4f580b74ceb43ef05c4d1f89feaf2100962f760b869
-
memory/4004-132-0x0000000074D20000-0x00000000752D1000-memory.dmpFilesize
5.7MB
-
memory/4004-136-0x0000000074D20000-0x00000000752D1000-memory.dmpFilesize
5.7MB
-
memory/4740-133-0x0000000000000000-mapping.dmp
-
memory/4740-138-0x0000000074D20000-0x00000000752D1000-memory.dmpFilesize
5.7MB
-
memory/4740-139-0x0000000074D20000-0x00000000752D1000-memory.dmpFilesize
5.7MB
-
memory/4760-137-0x0000000000000000-mapping.dmp