Analysis

  • max time kernel
    169s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2022, 17:08

General

  • Target

    1c3b271f968b45773005a216c6505f23066f4b54f2c3c7b3b000a83cdf20f041.jar

  • Size

    4.1MB

  • MD5

    ec976b857d9e92c111868d9049c425e4

  • SHA1

    c32760f9e7d37a800de227416744565403f4c70e

  • SHA256

    1c3b271f968b45773005a216c6505f23066f4b54f2c3c7b3b000a83cdf20f041

  • SHA512

    83d1c2061520580e96dee497ecf6a3c9c8af0ae88fe6157d203fddd43d5f4cacd1507d78e6f41b32570e03e1eee80e193826cb8c0f54c0643d686c9b494c065d

  • SSDEEP

    98304:cHZztJVudVKkGxbbPsGQA9037qhLqbVe1pxmo6W9pTIgbyRsS:cHZzcXnGtb7XOmcVvnsIgO2S

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Sets file execution options in registry 2 TTPs 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 4 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\1c3b271f968b45773005a216c6505f23066f4b54f2c3c7b3b000a83cdf20f041.jar
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\asdqw629754719231483017013.jar"
      2⤵
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\system32\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Javaw /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\Java TM\Java.txt\"" /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:676
      • C:\Windows\system32\reg.exe
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Javaw /f
        3⤵
        • Modifies registry key
        PID:580
      • C:\Windows\system32\attrib.exe
        attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Java TM\*.*"
        3⤵
        • Sets file to hidden
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:696
      • C:\Windows\system32\attrib.exe
        attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Java TM"
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:576
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Java TM\Java.txt"
        3⤵
        PID:1188
        • C:\Windows\system32\reg.exe
          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Javaw /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\Java TM\Java.txt\"" /f
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:1984
        • C:\Windows\system32\reg.exe
          reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Javaw /f
          4⤵
          • Modifies registry key
          PID:888
        • C:\Windows\system32\cmd.exe
          cmd.exe /c regedit /s C:\Users\Admin\AppData\Local\Temp\TaskNetworkGathor7114091144738536518.reg
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1692
          • C:\Windows\regedit.exe
            regedit /s C:\Users\Admin\AppData\Local\Temp\TaskNetworkGathor7114091144738536518.reg
            5⤵
            • Sets file execution options in registry
            • Runs .reg file with regedit
            PID:1516
      • C:\Windows\system32\cmd.exe
        cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asdqw24373473647141030381payment_reminder.pdf
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\asdqw24373473647141030381payment_reminder.pdf"
          3⤵
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of SetWindowsHookEx
          PID:1912
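The chain above is what a detection engineer would key on: javaw.exe spawning reg.exe to add an HKLM Run value, attrib.exe hiding the "Java TM" folder, a second javaw.exe launching a .txt file with -jar, and regedit.exe silently importing a .reg dropped in Temp. The following is an added example, not part of the sandbox report: Python rules run over process-creation events constructed from the PIDs and command lines in the tree. The ProcEvent record layout, the rule names and the ppid of 0 for the root java.exe are assumptions. The run-key rule also parses the data written to the Run value, so the .txt-extension JAR appears in that alert rather than only in the later javaw.exe event.

```python
"""Detection rules for the persistence and defence-evasion chain in the
process tree above, run over constructed process-creation events.
Added example; the events are modelled on the report's tree, not exported
from the sandbox."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not recorded (java.exe is the root of the report's tree)
    image: str
    cmdline: str


@dataclass(frozen=True)
class Detection:
    rule: str
    pid: int
    detail: str


JAVA_IMAGES = {"java.exe", "javaw.exe"}
RUN_KEY_ADD = re.compile(r"\badd\b.*\\CurrentVersion\\Run\b", re.I)
REG_DATA = re.compile(r'/d\s+"(?P<data>.*)"\s+/f', re.I)
# -jar "quoted path"  or  -jar unquoted-path
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.I)
REG_FILE_IN_TEMP = re.compile(r'\\Temp\\[^\s"]+\.reg\b', re.I)
SILENT_FLAG = re.compile(r"(?:^|\s)/s(?:\s|$)", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def jar_target(cmdline: str) -> Optional[str]:
    """Path handed to -jar, or None when the command line does not launch a JAR."""
    m = JAR_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image names from a process up to the root, for triage context."""
    by_pid = {e.pid: e for e in events}
    chain: List[str] = []
    while pid in by_pid and len(chain) < 64:   # cap guards against a ppid cycle
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> List[Detection]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Detection] = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_img = basename(parent.image) if parent else ""
        cmd = e.cmdline

        # "Adds Run key to start application": reg.exe adding a Run value, spawned by a JVM
        if img == "reg.exe" and RUN_KEY_ADD.search(cmd) and parent_img in JAVA_IMAGES:
            m = REG_DATA.search(cmd)
            data = m.group("data").replace('\\"', '"') if m else ""   # undo the \" escaping
            target = jar_target(data)
            hits.append(Detection("run_key_from_java", e.pid,
                                  f"Run value launches {target}" if target else "Run value added"))

        # javaw -jar on a file whose extension hides that it is a JAR (Java.txt)
        elif img in JAVA_IMAGES:
            target = jar_target(cmd)
            if target and not target.lower().endswith(".jar"):
                hits.append(Detection("java_jar_extension_mismatch", e.pid, target))

        # "Sets file to hidden": attrib +s +h on a payload under the user's AppData
        elif img == "attrib.exe" and "+h" in cmd.lower() and "+s" in cmd.lower() \
                and re.search(r"\\appdata\\", cmd, re.I):
            hits.append(Detection("attrib_hide_appdata", e.pid, cmd))

        # "Runs .reg file with regedit": silent import of a .reg dropped in Temp
        elif img == "regedit.exe" and SILENT_FLAG.search(cmd) and REG_FILE_IN_TEMP.search(cmd):
            hits.append(Detection("regedit_silent_import", e.pid,
                                  REG_FILE_IN_TEMP.search(cmd).group(0)))
    return hits


# Constructed events: PIDs and command lines copied from the process tree above.
SAMPLE_EVENTS = [
    ProcEvent(848, 0, r"C:\Windows\system32\java.exe",
              r"java -jar C:\Users\Admin\AppData\Local\Temp\1c3b271f968b45773005a216c6505f23066f4b54f2c3c7b3b000a83cdf20f041.jar"),
    ProcEvent(1952, 848, r"C:\Program Files\Java\jre7\bin\javaw.exe",
              r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\asdqw629754719231483017013.jar"'),
    ProcEvent(676, 1952, r"C:\Windows\system32\reg.exe",
              r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Javaw /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\Java TM\Java.txt\"" /f'),
    ProcEvent(580, 1952, r"C:\Windows\system32\reg.exe",
              r"reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Javaw /f"),
    ProcEvent(696, 1952, r"C:\Windows\system32\attrib.exe",
              r'attrib +s +h +r "C:\Users\Admin\AppData\Roaming\Java TM\*.*"'),
    ProcEvent(1188, 1952, r"C:\Program Files\Java\jre7\bin\javaw.exe",
              r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Java TM\Java.txt"'),
    ProcEvent(1692, 1188, r"C:\Windows\system32\cmd.exe",
              r"cmd.exe /c regedit /s C:\Users\Admin\AppData\Local\Temp\TaskNetworkGathor7114091144738536518.reg"),
    ProcEvent(1516, 1692, r"C:\Windows\regedit.exe",
              r"regedit /s C:\Users\Admin\AppData\Local\Temp\TaskNetworkGathor7114091144738536518.reg"),
    ProcEvent(1036, 1952, r"C:\Windows\system32\cmd.exe",
              r"cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asdqw24373473647141030381payment_reminder.pdf"),
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"{h.rule:28} pid={h.pid:<5} {' < '.join(ancestry(SAMPLE_EVENTS, h.pid))}")
        print(f"    {h.detail}")
```

The decoy launch of payment_reminder.pdf and the reg delete of the HKCU value are included as negatives; neither rule fires on them, while the four behaviours the report labels each produce one detection with a full ancestry back to java.exe.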

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\asdqw24373473647141030381payment_reminder.pdf

      Filesize

      4.3MB

      MD5

      a21d2a19a4c66cce8e4d7975604dfac7

      SHA1

      ce77aa7b9f3af5f091c0fa18ae18f310bd89df85

      SHA256

      634dafa7a5591d5425b4fa4e46d71f429aba805972b605f8576df57241901eaf

      SHA512

      b5d72080e52af8706a04e7fdebc34d46a6713848330566a3f441fc1d84f13da036a082dd08c6a2dfc3154d1780a7f81afd6461c554aee8dae15ffc1eef7ad161

    • C:\Users\Admin\AppData\Local\Temp\asdqw629754719231483017013.jar

      Filesize

      47KB

      MD5

      6f705ddb7b6e05abaa659642c569d7ed

      SHA1

      53227c1b29ed8290263fc9bdccaaf7a03ec6aba2

      SHA256

      4f2aefa4c0b242741f3d32f65969e595859fadb8929f95e9c1195daef8172fa0

      SHA512

      8ae341008fde4f9d08b8884b993e7ddbda6821099668d932385649b00c30b24cc934637389f7b70615b6a5a0e3614185da4c3049b7f5a7fb18858b158f31a065

    • C:\Users\Admin\AppData\Roaming\Java TM\Desktop.ini

      Filesize

      63B

      MD5

      e783bdd20a976eaeaae1ff4624487420

      SHA1

      c2a44fab9df00b3e11582546b16612333c2f9286

      SHA256

      2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3

      SHA512

      8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80

    • C:\Users\Admin\AppData\Roaming\Java TM\Java.txt

      Filesize

      47KB

      MD5

      6f705ddb7b6e05abaa659642c569d7ed

      SHA1

      53227c1b29ed8290263fc9bdccaaf7a03ec6aba2

      SHA256

      4f2aefa4c0b242741f3d32f65969e595859fadb8929f95e9c1195daef8172fa0

      SHA512

      8ae341008fde4f9d08b8884b993e7ddbda6821099668d932385649b00c30b24cc934637389f7b70615b6a5a0e3614185da4c3049b7f5a7fb18858b158f31a065

    • memory/848-54-0x000007FEFC291000-0x000007FEFC293000-memory.dmp

      Filesize

      8KB

    • memory/848-64-0x0000000002140000-0x0000000005140000-memory.dmp

      Filesize

      48.0MB

    • memory/1912-110-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

      Filesize

      8KB

    • memory/1952-79-0x0000000002420000-0x0000000005420000-memory.dmp

      Filesize

      48.0MB
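Java.txt under Roaming\Java TM carries the same MD5, SHA1 and SHA256 as the dropped asdqw629754719231483017013.jar: the persisted file is the second-stage JAR with a .txt extension, which javaw -jar loads without complaint. The following is an added example, not code from the report or the sample: Python that classifies files by ZIP and manifest structure rather than by extension, flags the extension mismatch, and groups drops by SHA-256 so the renamed copy is tied back to the original. The archive it builds, the Main-Class name Stage.Loader and the temp-directory layout are constructed stand-ins for the 47KB stage.

```python
"""Identify JAR payloads by structure instead of extension and correlate dropped
files by SHA-256. Added example with constructed sample files; the archive built
here stands in for the 47KB second stage and contains no real bytecode."""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

ZIP_MAGIC = b"PK\x03\x04"          # local file header that every JAR starts with
MANIFEST = "META-INF/MANIFEST.MF"


def build_stage_jar(main_class: str = "Stage.Loader") -> bytes:
    """Minimal JAR-shaped archive: manifest plus a placeholder class entry.
    main_class is hypothetical; the class bytes are only the 0xCAFEBABE magic plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n\r\n")
        zf.writestr(main_class.replace(".", "/") + ".class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def inspect_bytes(data: bytes, name: str) -> Dict[str, object]:
    """Classify a file by content: is it a JAR, what is its Main-Class, and does
    the extension disagree with that (as Java.txt does)."""
    info: Dict[str, object] = {"path": name, "sha256": hashlib.sha256(data).hexdigest(),
                               "is_jar": False, "main_class": None, "extension_mismatch": False}
    if not data.startswith(ZIP_MAGIC):
        return info
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if MANIFEST not in zf.namelist():
                return info          # plain ZIP with no manifest: nothing for -jar to launch
            info["is_jar"] = True
            manifest = zf.read(MANIFEST).decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.lower().startswith("main-class:"):
                    info["main_class"] = line.split(":", 1)[1].strip()
    except zipfile.BadZipFile:
        return info                  # PK magic but a corrupt or truncated archive
    info["extension_mismatch"] = not name.lower().endswith(".jar")
    return info


def inspect_file(path: Path) -> Dict[str, object]:
    return inspect_bytes(path.read_bytes(), str(path))


def correlate(paths: List[Path]) -> Dict[str, List[Dict[str, object]]]:
    """Group files by SHA-256 so a renamed copy is tied back to the original drop."""
    groups: Dict[str, List[Dict[str, object]]] = {}
    for p in paths:
        info = inspect_file(p)
        groups.setdefault(str(info["sha256"]), []).append(info)
    return groups


def run_demo() -> Dict[str, List[Dict[str, object]]]:
    """Lay out the report's drop names under a temp dir with constructed contents."""
    stage = build_stage_jar()
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = {
            root / "Local" / "Temp" / "asdqw629754719231483017013.jar": stage,
            root / "Roaming" / "Java TM" / "Java.txt": stage,            # same bytes, .txt name
            root / "Local" / "Temp" / "payment_reminder.pdf": b"%PDF-1.4\n% constructed decoy\n",
        }
        for p, content in files.items():
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        return correlate(list(files))


if __name__ == "__main__":
    for digest, members in run_demo().items():
        print(digest[:16], [(m["path"], m["is_jar"], m["main_class"], m["extension_mismatch"]) for m in members])
```

Checking the ZIP header and manifest rather than the file name is what makes the Java.txt copy show up as a launchable JAR; grouping by digest then reports it in the same bucket as the Temp drop, which is the correlation the hash columns above let an analyst make by eye.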