Analysis
max time kernel: 163s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 20:45
Static task: static1
Behavioral task: behavioral1, sample 6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe, resource win7-20220812-en
Behavioral task: behavioral2, sample 6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe, resource win10v2004-20220812-en (the run reported below; memory dumps are tagged behavioral2)
General
Target: 6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
Size: 932KB
MD5: 7e80342ffb90f453028d8606d219711c
SHA1: 01994770e9fa0ed87157ae1f621c5d4e54fe2c72
SHA256: 6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb
SHA512: 1e2b172c941583ed5ae395f34301e0d982d397a940d01b548e803c2533a6f289c81631543d5998b7e1b1162ab0e764cfd8f1e301c356bc9ae13b33a0c7dc4f29
SSDEEP: 12288:lDKoo9n4dhg6XpkikDinEo4ccilYWkPLk8+IPfI7oRn6xXBIedJ/RRo:7OnWg6Z3k049WwLk8G7ol6dBIeM
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
pid   process
2440  JavaControl.exe
444   JavaControl.exe

UPX-packed image in memory (yara rule upx, 8 IoCs)
resource                                                                       yara rule
behavioral2/memory/3392-135-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/3392-137-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/3392-138-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/3392-141-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/3392-142-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/444-159-0x0000000000400000-0x000000000040B000-memory.dmp   upx
behavioral2/memory/3392-162-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/444-163-0x0000000000400000-0x000000000040B000-memory.dmp   upx
Every match is the 44KB image at base 0x400000 inside the two child processes that receive SetThreadContext (PIDs 3392 and 444), not the 932KB file on disk. That region is the payload actually executed; dump it from memory for static analysis rather than relying on the dropped file.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe (PID 3392, the second instance)
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                                       process
Key created      \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                               reg.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaControl = "C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe"  reg.exe
The value is written by reg.exe (PID 5032), started from the dropped batch file AMQNB.bat through cmd.exe (see the process tree). An HKCU Run key needs no elevation, so the persistence is scoped to the logged-on user; on a live host check both the key and the file it points to under %APPDATA%\JavaControl.
Suspicious use of SetThreadContext (3 IoCs)
pid   process                                                                target pid  target process
3120  6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe  3392        6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
2440  JavaControl.exe                                                        444         JavaControl.exe
2440  JavaControl.exe                                                        1412        svchost.exe
In the first two rows a parent spawns a second copy of its own image, writes into it (see WriteProcessMemory below) and then resets the child's thread context, the sequence characteristic of process hollowing. The third row targets a freshly started 32-bit svchost.exe, which crashes afterwards (see Program crash).
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: this is a generic heuristic that fires on any drive enumeration. Nothing else in this report (two dropped files, no mass file writes, no renamed or encrypted files) supports a ransomware classification; the rest of the behaviour is a dropper with persistence and process injection.
-
Program crash (1 IoCs)
pid   pid_target  process       target process
1100  1412        WerFault.exe  svchost.exe
The crashing process is the svchost.exe that JavaControl.exe (PID 2440) wrote into and set the thread context of.
Suspicious use of AdjustPrivilegeToken (59 IoCs)
pid  process          token
444  JavaControl.exe  SeDebugPrivilege (all 59 rows are identical: the same process enabling the same privilege repeatedly)
PID 444 is the second instance of JavaControl.exe, the one that received SetThreadContext from PID 2440; SeDebugPrivilege lets it open other processes with full access.
Suspicious use of SetWindowsHookEx (4 IoCs)
pid   process
3120  6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
3392  6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
2440  JavaControl.exe
444   JavaControl.exe
Every stage of the sample installs a Windows hook. The report does not record the hook type, so on its own this does not establish keylogging.
Suspicious use of WriteProcessMemory (29 IoCs, grouped; count is the number of identical rows)
pid   process                                                                target pid  target process                                                         count
3120  6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe  3392        6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe  8
3392  6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe  788         cmd.exe                                                                3
788   cmd.exe                                                                5032        reg.exe                                                                3
3392  6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe  2440        JavaControl.exe                                                        3
2440  JavaControl.exe                                                        444         JavaControl.exe                                                        8
2440  JavaControl.exe                                                        1412        svchost.exe                                                            4
The three-write rows correspond to plain process creation (the same count appears for cmd.exe and reg.exe, which receive no SetThreadContext). The eight-write rows go to same-image children that also receive SetThreadContext, and the four writes to svchost.exe precede its crash.
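The WriteProcessMemory and SetThreadContext tables above are raw API events; the verdict (hollowing versus ordinary child creation) comes from combining them per parent/child pair. The Python below is an added example written for this page, not part of the Triage report or its tooling. Its input lines are constructed from the two tables (row counts preserved); the SYSTEM_IMAGES set and the verdict names are assumptions of the example.

```python
import re
from dataclasses import dataclass

SAMPLE = "6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe"

# Constructed input: one line per row of the report's WriteProcessMemory (29 rows)
# and SetThreadContext (3 rows) tables, "PID <src> <op> <dst> <src> <image> <target>".
EVENTS = (
    [f"PID 3120 wrote to memory of 3392 3120 {SAMPLE} {SAMPLE}"] * 8
    + [f"PID 3392 wrote to memory of 788 3392 {SAMPLE} cmd.exe"] * 3
    + ["PID 788 wrote to memory of 5032 788 cmd.exe reg.exe"] * 3
    + [f"PID 3392 wrote to memory of 2440 3392 {SAMPLE} JavaControl.exe"] * 3
    + ["PID 2440 wrote to memory of 444 2440 JavaControl.exe JavaControl.exe"] * 8
    + ["PID 2440 wrote to memory of 1412 2440 JavaControl.exe svchost.exe"] * 4
    + [
        f"PID 3120 set thread context of 3392 3120 {SAMPLE} {SAMPLE}",
        "PID 2440 set thread context of 444 2440 JavaControl.exe JavaControl.exe",
        "PID 2440 set thread context of 1412 2440 JavaControl.exe svchost.exe",
    ]
)

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Assumption of this example: Windows binaries a user-mode dropper has no
# legitimate reason to write into or re-thread.
SYSTEM_IMAGES = {"svchost.exe", "explorer.exe", "rundll32.exe", "dllhost.exe"}


@dataclass
class Edge:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    writes: int = 0
    set_context: bool = False


def parse_events(lines):
    """Fold the per-row events into one Edge per (source pid, target pid)."""
    edges = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised event line: {line!r}")
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, Edge(*key, m["src_image"], m["dst_image"]))
        if m["op"].startswith("wrote"):
            edge.writes += 1
        else:
            edge.set_context = True
    return edges


def classify(edge):
    """Verdict names are this example's own, not Triage signature names."""
    same_image = edge.src_image.lower() == edge.dst_image.lower()
    if edge.set_context and edge.writes and same_image:
        # parent writes into a freshly spawned copy of itself, then redirects
        # its thread: the process-hollowing sequence
        return "process-hollowing"
    if edge.set_context and edge.dst_image.lower() in SYSTEM_IMAGES:
        return "injection-into-system-process"
    if edge.set_context:
        return "thread-context-hijack"
    # WriteProcessMemory alone also happens while a parent sets up a child's
    # environment during CreateProcess, so by itself it is not a verdict
    return "parent-child-write"


def triage(lines):
    """Map each (src, dst) pair to a verdict."""
    return {key: classify(edge) for key, edge in parse_events(lines).items()}


def hostile_chain(lines):
    """Ordered (src, dst, verdict) triples for pairs that are not plain process creation."""
    return [(s, d, v) for (s, d), v in triage(lines).items() if v != "parent-child-write"]


if __name__ == "__main__":
    for src, dst, verdict in hostile_chain(EVENTS):
        print(f"{src} -> {dst}: {verdict}")
```

Run against the report's rows this yields three hostile edges, 3120 -> 3392 and 2440 -> 444 as hollowing and 2440 -> 1412 as injection into svchost.exe, while the cmd.exe, reg.exe and first JavaControl.exe children fall out as ordinary process creation. The same-image check is what separates hollowing from a GUI application that merely spawns a copy of itself without SetThreadContext.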
Processes
(indented two spaces per level of the parent/child tree; the second WerFault.exe is a separate top-level process. Every child image lives under SysWOW64 even where the command line says system32: the sample is 32-bit and file-system redirection applies.)

C:\Users\Admin\AppData\Local\Temp\6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe"
PID: 3120
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe"
  PID: 3392
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMQNB.bat" "
    PID: 788
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
      cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JavaControl" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe" /f
      PID: 5032
      - Adds Run key to start application
    C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe"
    PID: 2440
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe"
      PID: 444
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\svchost.exe
      cmdline: "C:\Windows\system32\svchost.exe"
      PID: 1412
        C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 84
        PID: 1100
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1412 -ip 1412
PID: 4904
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\AMQNB.bat
Filesize: 156B
MD5: fcd9c59b7c066039276c7eaed1f56616
SHA1: da17afd2b6104ba093e86b0a197e9e0e9100f4d0
SHA256: 68ce6fd4b029c2cd2e4c6084ce14fe110ca6171640e5fed398f68b04b97dc8f3
SHA512: 052ae24272bb877f0c89354ab6e10cc2a9475bc7d3c481c9ad39af5f578a2d4dd615a1183833e18e70673e24ec95195d47b36d5fc98c477336e748bc990ea69b

C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exe
Filesize: 932KB
MD5: 7aa75c84375a268773eb122ebf7f115c
SHA1: 2f042da221513ed743172a5a661a704d40ee9b8f
SHA256: 33ce85d1c2c3ac212e9139b1aae55291764df73419a5272bd22f51a057fb859c
SHA512: 8a8aee87ffa1a8953f1b5829b2598f5a840d622c71d7875be54ddd41212a9a6334b390813fc63bb14f41592abcd97ecfebd51370ab33b26dc719eb289a7bcb1f
The dropped copy has the same size as the submitted sample (932KB) but different digests (sample MD5 7e80342ffb90f453028d8606d219711c, dropped copy 7aa75c84375a268773eb122ebf7f115c), so hash matching on the submitted file will not find the persisted copy on an infected host. Match on the path, the Run key value or the in-memory UPX region instead, and treat both hash sets as indicators.

Memory dumps from behavioral2 (the 44KB regions at 0x400000-0x40B000 are the ones matched by the upx yara rule):
memory/444-163-0x0000000000400000-0x000000000040B000-memory.dmp   44KB
memory/444-159-0x0000000000400000-0x000000000040B000-memory.dmp   44KB
memory/444-151-0x0000000000000000-mapping.dmp
memory/788-143-0x0000000000000000-mapping.dmp
memory/1412-160-0x0000000000000000-mapping.dmp
memory/2440-146-0x0000000000000000-mapping.dmp
memory/3392-141-0x0000000000400000-0x000000000040B000-memory.dmp  44KB
memory/3392-142-0x0000000000400000-0x000000000040B000-memory.dmp  44KB
memory/3392-134-0x0000000000000000-mapping.dmp
memory/3392-138-0x0000000000400000-0x000000000040B000-memory.dmp  44KB
memory/3392-137-0x0000000000400000-0x000000000040B000-memory.dmp  44KB
memory/3392-162-0x0000000000400000-0x000000000040B000-memory.dmp  44KB
memory/3392-135-0x0000000000400000-0x000000000040B000-memory.dmp  44KB
memory/5032-145-0x0000000000000000-mapping.dmp
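Exports of the Downloads table run the hash label and digest together ("MD5<hex>"), suffix the path with "Filesize", repeat the dropped executable once per observing process and interleave memory dumps that carry no digests. The Python below is an added example written for this page, not Triage code, that turns such a listing into deduplicated file indicators and flags the case shown above: a dropped file whose size equals the submitted sample's but whose digests differ. The input text is copied from this report's Downloads and General sections; the accepted size units and the strict digest-length check are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed input, copied from this report's Downloads section in the
# flattened export form ("MD5<hex>", path suffixed with "Filesize").
BAT_ENTRY = r"""
C:\Users\Admin\AppData\Local\Temp\AMQNB.batFilesize
156B
MD5fcd9c59b7c066039276c7eaed1f56616
SHA1da17afd2b6104ba093e86b0a197e9e0e9100f4d0
SHA25668ce6fd4b029c2cd2e4c6084ce14fe110ca6171640e5fed398f68b04b97dc8f3
SHA512052ae24272bb877f0c89354ab6e10cc2a9475bc7d3c481c9ad39af5f578a2d4dd615a1183833e18e70673e24ec95195d47b36d5fc98c477336e748bc990ea69b
-
"""
DROPPED_ENTRY = r"""
C:\Users\Admin\AppData\Roaming\JavaControl\JavaControl.exeFilesize
932KB
MD57aa75c84375a268773eb122ebf7f115c
SHA12f042da221513ed743172a5a661a704d40ee9b8f
SHA25633ce85d1c2c3ac212e9139b1aae55291764df73419a5272bd22f51a057fb859c
SHA5128a8aee87ffa1a8953f1b5829b2598f5a840d622c71d7875be54ddd41212a9a6334b390813fc63bb14f41592abcd97ecfebd51370ab33b26dc719eb289a7bcb1f
-
"""
MEMORY_ENTRY = r"""
memory/444-163-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/444-151-0x0000000000000000-mapping.dmp
"""
DOWNLOADS_TEXT = BAT_ENTRY + DROPPED_ENTRY * 3 + MEMORY_ENTRY  # the report lists the EXE three times
SAMPLE_SIZE, SAMPLE_MD5 = "932KB", "7e80342ffb90f453028d8606d219711c"  # from the General section

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}  # assumption: units used by the export
HASH_LINE = re.compile(r"(MD5|SHA1|SHA256|SHA512):?\s*([0-9a-fA-F]+)")  # "MD5<hex>" or "MD5: <hex>"
SIZE_LINE = re.compile(r"(\d+)(B|KB|MB)")


@dataclass(frozen=True)
class FileIoc:
    path: str
    size: int
    md5: str
    sha1: str
    sha256: str
    sha512: str


def parse_size(token):
    m = SIZE_LINE.fullmatch(token.strip())
    if m is None:
        raise ValueError(f"bad size token: {token!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2)]


def parse_downloads(text):
    """One FileIoc per fully hashed entry; memory dumps (no digests) are dropped."""
    blocks, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("Filesize"):
            cur = {"path": line[: -len("Filesize")]}
            blocks.append(cur)
        elif cur is None or line in ("", "-"):
            continue
        elif (m := HASH_LINE.fullmatch(line)):
            label, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HASH_LEN[label]:  # a truncated or mis-split digest is worse than none
                raise ValueError(f"{label} digest has wrong length for {cur['path']}")
            cur[label] = digest
        elif SIZE_LINE.fullmatch(line):
            cur["size"] = parse_size(line)
    return [FileIoc(**b) for b in blocks if HASH_LEN.keys() <= b.keys()]


def unique_files(files):
    """Collapse repeated rows by SHA-256, keeping first-seen order."""
    seen, out = set(), []
    for f in files:
        if f.sha256 not in seen:
            seen.add(f.sha256)
            out.append(f)
    return out


def same_size_different_hash(files, sample_size, sample_md5):
    """Files that match the submitted sample's size but not its digest: a rewritten self-copy."""
    return [f for f in files if f.size == sample_size and f.md5 != sample_md5.lower()]


if __name__ == "__main__":
    uniq = unique_files(parse_downloads(DOWNLOADS_TEXT))
    for f in uniq:
        print(f"{f.path}  {f.size} bytes  sha256={f.sha256}")
    for f in same_size_different_hash(uniq, parse_size(SAMPLE_SIZE), SAMPLE_MD5):
        print(f"[!] {f.path}: same size as the submitted sample, different digests")
```

The four rows collapse to two indicators (AMQNB.bat and JavaControl.exe), and JavaControl.exe is flagged because its 954368-byte size matches the sample while its MD5 does not. Deduplicating on the digest rather than on path or size is deliberate: a second drop of the same path with a different hash would be a new indicator, not a repeat.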