Analysis
- max time kernel: 50s
- max time network: 72s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 05-02-2023 01:39
Behavioral tasks
- behavioral1: sample "SS Tools SafePvP.rar", resource win10-20220901-en
- behavioral2: sample "Srenshare tool/Atajos/Iconos.lnk", resource win10-20220812-en
- behavioral3: sample "Srenshare tool/Atajos/Temp.lnk", resource win10-20220812-en
- behavioral4: sample "Srenshare tool/LandSS.exe", resource win10-20220812-en
- behavioral5: sample "Srenshare tool/Tools/Everything-1.4.1.935.x86-Setup.exe", resource win10-20220901-en
- behavioral6: sample "Srenshare tool/Tools/Jitter Click Training-How fast can you click in 10 seconds-.url", resource win10-20220812-en
- behavioral7: sample "Srenshare tool/Tools/Kangaroo (1).exe", resource win10-20220812-en
- behavioral8: sample "Srenshare tool/Tools/LastActivityView.exe", resource win10-20220812-en
- behavioral9: sample "Srenshare tool/Tools/Paladin.exe", resource win10-20220901-en
- behavioral10: sample "Srenshare tool/Tools/Process Hacker 2.lnk", resource win10-20220812-en
- behavioral11: sample "Srenshare tool/Tools/RegScanner.exe", resource win10-20220812-en
- behavioral12: sample "Srenshare tool/Tools/USBDeview.exe", resource win10-20220901-en
- behavioral13: sample "Srenshare tool/Tools/UserAssistView.exe", resource win10-20220812-en
- behavioral14: sample "Srenshare tool/Tools/luyten-0.4.5.exe", resource win10-20220812-en
General
- Target: Srenshare tool/Tools/luyten-0.4.5.exe
- Size: 3.7MB
- MD5: 810a0255f0a13a895172caeb3b8a47fa
- SHA1: b22532caf079fc1b2c81c29fd17d7065c773c542
- SHA256: 8c37240aaddc1da68bcfd6570463c590cfa9fecb6bb250a9970a0061897ae341
- SHA512: a112b0e8ef1578f66578beeb40402e49c24398d3d2ce85a70dffaf4bade2a92a0b5b7e395fd0f25baffd7a038fa8cc03d521d840a1b5382aae4bedc5804b343d
- SSDEEP: 98304:OjzDT2Hg0WbBhvc3YapZKNIvCjn2cEbTj:qDT2A0WbHvvap4IvCBKn
Signatures
- Drops file in Program Files directory (12 IoCs)
  Process javaw.exe, "File opened for modification":
    C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb
    C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb
    C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb
    C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb
    C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb
    C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb
    C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb
    C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb
    C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb
    C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb
    C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb
    C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: PID 4492 javaw.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 2832 (luyten-0.4.5.exe) wrote to memory of PID 4492 (javaw.exe); the same event is recorded twice
Processes
1. luyten-0.4.5.exe (PID 2832)
   Path: C:\Users\Admin\AppData\Local\Temp\Srenshare tool\Tools\luyten-0.4.5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Srenshare tool\Tools\luyten-0.4.5.exe"
   - Suspicious use of WriteProcessMemory
   2. javaw.exe (PID 4492), child of process 1
      Path: C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Xms128m -Xmx1024m -classpath "C:\Users\Admin\AppData\Local\Temp\Srenshare tool\Tools\luyten-0.4.5.exe;rsyntaxtextarea-2.5.8.jar;procyon-core-0.5.32.jar;procyon-expressions-0.5.32.jar;procyon-reflection-0.5.32.jar;procyon-compilertools-0.5.32.jar" us.deathmarine.luyten.Luyten
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx