Analysis
- max time kernel: 148s
- max time network: 76s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 12:05
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105.exe
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: 888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105.exe
  Resource: win10v2004-20220812-en
General
- Target: 888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105.exe
- Size: 69KB
- MD5: f074556b4be98813ee28a8bacf6bc8b4
- SHA1: 2b4ab011bb9e7490a3cb74892d47e8fe8e033566
- SHA256: 888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105
- SHA512: 6dd7a66bcf8cd34440be3ebb1d93650af13b358759865e7dbb02aa8cd3760be16f8aadbe4e8fda8a4497c0e38bd2e459c1e8211031a5f8c78449659d7bb47015
- SSDEEP: 1536:fvzDxcAxg2oucEYl0a7y9jjO8ueosFIzh:fJcAxg2ohlR7wjipPzh
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: java.exe (PID 1984)
- Deletes itself (1 IoC)
  Process: cmd.exe (PID 2004)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  java.exe set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\Users\Admin\AppData\Roaming\Java\java.exe"
  java.exe set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iCloud = "C:\Users\Admin\AppData\Roaming\Java\java.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105.exe (PID 908): 2 events
  java.exe (PID 1984): 13 events
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, 888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105.exe (PID 908)
  Token: SeDebugPrivilege, java.exe (PID 1984)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: java.exe (PID 1984)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 908 (888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105.exe) wrote to memory of PID 2004 (cmd.exe): 3 events
  PID 2004 (cmd.exe) wrote to memory of PID 1752 (PING.EXE): 3 events
  PID 908 (888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105.exe) wrote to memory of PID 1984 (java.exe): 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105.exe (PID 908)
  Command line: "C:\Users\Admin\AppData\Local\Temp\888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2004)
    Command line: "cmd" /c ping -n 3 127.0.0.1 > nul & del "C:\Users\Admin\AppData\Local\Temp\888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (PID 1752)
      Command line: ping -n 3 127.0.0.1
      - Runs ping.exe
  - C:\Users\Admin\AppData\Roaming\Java\java.exe (PID 1984)
    Command line: "C:\Users\Admin\AppData\Roaming\Java\java.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

Note: the "ping -n 3 127.0.0.1 > nul" in the cmd.exe command line is a delay of roughly two seconds, not network activity; it gives the original process time to exit before "del" removes its file. Execution then continues from the copy at C:\Users\Admin\AppData\Roaming\Java\java.exe, which both Run keys point to.
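The two behaviours a detection engineer would most want to catch from this report are the delay-then-delete chain in the process tree (cmd.exe running ping against 127.0.0.1 and then deleting its parent's image) and the two Run-key writes listed under Signatures that point at a binary under the user's AppData tree. The Python below is an added example, not sandbox output and not the sample's code. It runs both checks over process-creation and registry-set records constructed to mirror this report; the record shapes loosely follow Sysmon event IDs 1 and 13 (an assumption, the sandbox is not Sysmon), and the sample's parent PID 1234 plus the two benign contrast records (PIDs 3001 and 3002, including the SecurityHealth Run entry) are invented so that the negative cases are visible.

```python
"""Detect the delay-then-delete self-removal ("cmd" /c ping -n N 127.0.0.1 > nul
& del "<self>") and Run-key persistence into a user's AppData tree. Added
example, not sandbox output; records below are constructed to mirror the report."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:  # shape of a Sysmon EID 1 style process-creation record (assumed)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:  # shape of a Sysmon EID 13 style registry value-set record (assumed)
    pid: int
    image: str
    key: str  # full key path including the value name
    data: str


SELF_DELETE_RE = re.compile(
    r'ping\s+-n\s+(?P<count>\d+)\s+127\.0\.0\.1\s*>\s*nul\s*&\s*del\s+'
    r'"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER\\[^\\]+|MACHINE)\\Software\\Microsoft\\Windows'
    r'\\CurrentVersion\\Run\\(?P<name>[^\\]+)$',
    re.IGNORECASE,
)
APPDATA_RE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)


def find_self_deletion(events):
    """Flag cmd.exe children whose 'del' target is their own parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if PureWindowsPath(e.image).name.lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if not m or parent is None or parent.image.lower() != m["target"].lower():
            continue
        hits.append({
            "cmd_pid": e.pid,
            "parent_pid": parent.pid,
            "target": m["target"],
            # ping -n N to localhost pauses about a second between echoes, so
            # N echoes give roughly N-1 seconds for the parent to exit first
            "delay_seconds": int(m["count"]) - 1,
        })
    return hits


def find_appdata_run_keys(events):
    """Flag Run-key values whose launch target lives under a user's AppData."""
    hits = []
    for e in events:
        m = RUN_KEY_RE.match(e.key)
        if not m:
            continue
        data = e.data.strip('"').replace("\\\\", "\\")  # undo report-style escaping
        if not APPDATA_RE.search(data):
            continue
        hits.append({
            "hive": "HKLM" if m["hive"].upper() == "MACHINE" else "HKU",
            "value_name": m["name"],
            "target": data,
            "writer_pid": e.pid,
            # value name unrelated to the launched binary ("iCloud" -> java.exe)
            "name_mismatch": m["name"].lower() != PureWindowsPath(data).stem.lower(),
        })
    return hits


# Constructed records mirroring the report. PID 1234 (the sample's parent) and
# the benign contrast records (PIDs 3001, 3002) are invented for this example.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Java\java.exe"
PROC_EVENTS = [
    ProcEvent(908, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2004, 908, r"C:\Windows\system32\cmd.exe",
              f'"cmd" /c ping -n 3 127.0.0.1 > nul & del "{SAMPLE}"'),
    ProcEvent(1752, 2004, r"C:\Windows\system32\PING.EXE", "ping -n 3 127.0.0.1"),
    ProcEvent(1984, 908, DROPPED, f'"{DROPPED}"'),
    ProcEvent(3001, 908, r"C:\Windows\system32\cmd.exe", '"cmd" /c ping -n 3 127.0.0.1 > nul'),
]
REG_EVENTS = [
    RegEvent(1984, DROPPED, r"\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\Java", DROPPED),
    RegEvent(1984, DROPPED, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iCloud", DROPPED),
    RegEvent(3002, r"C:\Windows\explorer.exe",  # system path, not flagged
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
             r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for hit in find_self_deletion(PROC_EVENTS):
        print("self-deletion:", hit)
    for hit in find_appdata_run_keys(REG_EVENTS):
        print("AppData Run key:", hit)
```

The self-deletion check deliberately requires the del target to equal the parent's image rather than matching any "ping & del" string: the delay-only cmd.exe record (PID 3001) and administrative cleanup scripts that delete other files are not flagged. The Run-key check flags the path regardless of value name, and reports the name mismatch separately so the "iCloud" entry can be prioritised over the more plausible "Java" one.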
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files
- C:\Users\Admin\AppData\Roaming\Java\java.exe (reported twice, identical hashes)
  Filesize: 69KB
  MD5: f074556b4be98813ee28a8bacf6bc8b4
  SHA1: 2b4ab011bb9e7490a3cb74892d47e8fe8e033566
  SHA256: 888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105
  SHA512: 6dd7a66bcf8cd34440be3ebb1d93650af13b358759865e7dbb02aa8cd3760be16f8aadbe4e8fda8a4497c0e38bd2e459c1e8211031a5f8c78449659d7bb47015
  These hashes are identical to those of the submitted sample: java.exe is a byte-for-byte copy of 888cef07ce0e3d3b5f9d0862e5ff1286049028204046ade72f16fce735a44105.exe, so a hash-based indicator for the sample also covers the persisted copy.

Memory dumps
- memory/908-62-0x0000000000A86000-0x0000000000AA5000-memory.dmp (124KB)
- memory/908-55-0x0000000000A86000-0x0000000000AA5000-memory.dmp (124KB)
- memory/908-56-0x000007FEF2A30000-0x000007FEF3AC6000-memory.dmp (16.6MB)
- memory/908-58-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp (8KB)
- memory/908-54-0x000007FEF3D10000-0x000007FEF4733000-memory.dmp (10.1MB)
- memory/1752-59-0x0000000000000000-mapping.dmp
- memory/1984-60-0x0000000000000000-mapping.dmp
- memory/1984-64-0x000007FEF3D10000-0x000007FEF4733000-memory.dmp (10.1MB)
- memory/1984-65-0x000007FEF2A30000-0x000007FEF3AC6000-memory.dmp (16.6MB)
- memory/1984-66-0x0000000002217000-0x0000000002236000-memory.dmp (124KB)
- memory/1984-67-0x0000000002217000-0x0000000002236000-memory.dmp (124KB)
- memory/2004-57-0x0000000000000000-mapping.dmp