6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb

General

Target

6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
Size

932KB
MD5

7e80342ffb90f453028d8606d219711c
SHA1

01994770e9fa0ed87157ae1f621c5d4e54fe2c72
SHA256

6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb
SHA512

1e2b172c941583ed5ae395f34301e0d982d397a940d01b548e803c2533a6f289c81631543d5998b7e1b1162ab0e764cfd8f1e301c356bc9ae13b33a0c7dc4f29
SSDEEP

12288:lDKoo9n4dhg6XpkikDinEo4ccilYWkPLk8+IPfI7oRn6xXBIedJ/RRo:7OnWg6Z3k049WwLk8G7ol6dBIeM

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

JavaControl.exeJavaControl.exe

pid process

2440 JavaControl.exe
444 JavaControl.exe

pid	process
2440	JavaControl.exe
444	JavaControl.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3392-135-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3392-137-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3392-138-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3392-141-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3392-142-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/444-159-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3392-162-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/444-163-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaControl = "C:\\Users\\Admin\\AppData\\Roaming\\JavaControl\\JavaControl.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exeJavaControl.exe

description	pid	process	target process
PID 3120 set thread context of 3392	3120	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
PID 2440 set thread context of 444	2440	JavaControl.exe	JavaControl.exe
PID 2440 set thread context of 1412	2440	JavaControl.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1100 1412 WerFault.exe svchost.exe

pid	pid_target	process	target process
1100	1412	WerFault.exe	svchost.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

JavaControl.exe

description	pid	process
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe
Token: SeDebugPrivilege	444	JavaControl.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exeJavaControl.exeJavaControl.exe

pid	process
3120	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
3392	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
2440	JavaControl.exe
444	JavaControl.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.execmd.exeJavaControl.exe

description	pid	process	target process
PID 3120 wrote to memory of 3392	3120	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
PID 3120 wrote to memory of 3392	3120	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
PID 3120 wrote to memory of 3392	3120	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
PID 3120 wrote to memory of 3392	3120	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
PID 3120 wrote to memory of 3392	3120	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
PID 3120 wrote to memory of 3392	3120	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
PID 3120 wrote to memory of 3392	3120	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
PID 3120 wrote to memory of 3392	3120	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
PID 3392 wrote to memory of 788	3392	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	cmd.exe
PID 3392 wrote to memory of 788	3392	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	cmd.exe
PID 3392 wrote to memory of 788	3392	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	cmd.exe
PID 788 wrote to memory of 5032	788	cmd.exe	reg.exe
PID 788 wrote to memory of 5032	788	cmd.exe	reg.exe
PID 788 wrote to memory of 5032	788	cmd.exe	reg.exe
PID 3392 wrote to memory of 2440	3392	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	JavaControl.exe
PID 3392 wrote to memory of 2440	3392	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	JavaControl.exe
PID 3392 wrote to memory of 2440	3392	6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe	JavaControl.exe
PID 2440 wrote to memory of 444	2440	JavaControl.exe	JavaControl.exe
PID 2440 wrote to memory of 444	2440	JavaControl.exe	JavaControl.exe
PID 2440 wrote to memory of 444	2440	JavaControl.exe	JavaControl.exe
PID 2440 wrote to memory of 444	2440	JavaControl.exe	JavaControl.exe
PID 2440 wrote to memory of 444	2440	JavaControl.exe	JavaControl.exe
PID 2440 wrote to memory of 444	2440	JavaControl.exe	JavaControl.exe
PID 2440 wrote to memory of 444	2440	JavaControl.exe	JavaControl.exe
PID 2440 wrote to memory of 444	2440	JavaControl.exe	JavaControl.exe
PID 2440 wrote to memory of 1412	2440	JavaControl.exe	svchost.exe
PID 2440 wrote to memory of 1412	2440	JavaControl.exe	svchost.exe
PID 2440 wrote to memory of 1412	2440	JavaControl.exe	svchost.exe
PID 2440 wrote to memory of 1412	2440	JavaControl.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
"C:\Users\Admin\AppData\Local\Temp\6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Local\Temp\6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
"C:\Users\Admin\AppData\Local\Temp\6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMQNB.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JavaControl" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe" /f
4⤵
- Adds Run key to start application
PID:5032

C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe
"C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe
"C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:444

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 84
5⤵
- Program crash
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1412 -ip 1412
1⤵
PID:4904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AMQNB.bat
Filesize
156B

MD5
fcd9c59b7c066039276c7eaed1f56616

SHA1
da17afd2b6104ba093e86b0a197e9e0e9100f4d0

SHA256
68ce6fd4b029c2cd2e4c6084ce14fe110ca6171640e5fed398f68b04b97dc8f3

SHA512
052ae24272bb877f0c89354ab6e10cc2a9475bc7d3c481c9ad39af5f578a2d4dd615a1183833e18e70673e24ec95195d47b36d5fc98c477336e748bc990ea69b

Download Submit
C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe
Filesize
932KB

MD5
7aa75c84375a268773eb122ebf7f115c

SHA1
2f042da221513ed743172a5a661a704d40ee9b8f

SHA256
33ce85d1c2c3ac212e9139b1aae55291764df73419a5272bd22f51a057fb859c

SHA512
8a8aee87ffa1a8953f1b5829b2598f5a840d622c71d7875be54ddd41212a9a6334b390813fc63bb14f41592abcd97ecfebd51370ab33b26dc719eb289a7bcb1f

Download Submit
C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe
Filesize
932KB

MD5
7aa75c84375a268773eb122ebf7f115c

SHA1
2f042da221513ed743172a5a661a704d40ee9b8f

SHA256
33ce85d1c2c3ac212e9139b1aae55291764df73419a5272bd22f51a057fb859c

SHA512
8a8aee87ffa1a8953f1b5829b2598f5a840d622c71d7875be54ddd41212a9a6334b390813fc63bb14f41592abcd97ecfebd51370ab33b26dc719eb289a7bcb1f

Download Submit
C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe
Filesize
932KB

MD5
7aa75c84375a268773eb122ebf7f115c

SHA1
2f042da221513ed743172a5a661a704d40ee9b8f

SHA256
33ce85d1c2c3ac212e9139b1aae55291764df73419a5272bd22f51a057fb859c

SHA512
8a8aee87ffa1a8953f1b5829b2598f5a840d622c71d7875be54ddd41212a9a6334b390813fc63bb14f41592abcd97ecfebd51370ab33b26dc719eb289a7bcb1f

Download Submit
memory/444-163-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/444-159-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/444-151-0x0000000000000000-mapping.dmp

Download
memory/788-143-0x0000000000000000-mapping.dmp

Download
memory/1412-160-0x0000000000000000-mapping.dmp

Download
memory/2440-146-0x0000000000000000-mapping.dmp

Download
memory/3392-141-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3392-142-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3392-134-0x0000000000000000-mapping.dmp

Download
memory/3392-138-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3392-137-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3392-162-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3392-135-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5032-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads