4fd35bac44069b2b56e43aabd6d5920c8dd9af455548e0e82eb929ea3085a206

General

Target

wwe.jar
Size

4.8MB
MD5

2283fdced7d5e73ba68c9f0c82f44746
SHA1

67bd39b82a7ca4824d8df2fcf05a7051da3dd207
SHA256

4fd35bac44069b2b56e43aabd6d5920c8dd9af455548e0e82eb929ea3085a206
SHA512

4e346c3b736b3b84386fa30b3fc33f16addd71aa0cc800e645106bfba061488a04c1f207244663e0b80ed6ea123a5b4320f33c265f7e7303f51e190a887116fb
SSDEEP

98304:78Ig7RjgywUSyf88I6LmpwiG7x6LlB0YK8b:7o53cavj6pY7x6L1b

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
512	chrome.exe
512	chrome.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe
Token: SeShutdownPrivilege	512	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe
512	chrome.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 1512	512	chrome.exe	30
PID 512 wrote to memory of 1512	512	chrome.exe	30
PID 512 wrote to memory of 1512	512	chrome.exe	30
PID 512 wrote to memory of 1816	512	chrome.exe	32
PID 512 wrote to memory of 1816	512	chrome.exe	32
PID 512 wrote to memory of 1816	512	chrome.exe	32
PID 512 wrote to memory of 1816	512	chrome.exe	32
PID 512 wrote to memory of 1816	512	chrome.exe	32
PID 512 wrote to memory of 1816	512	chrome.exe	32

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\wwe.jar
1⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7129758,0x7fef7129768,0x7fef7129778
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1340,i,13449832616485615804,7287037722072953253,131072 /prefetch:2
  2⤵
  PID:1816

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5c61819d-e9fd-4930-a34e-e8dfc1af297b.tmp

Filesize
4KB

MD5
7c818c976f6419e83160e10263afba41

SHA1
f5fd48970e81bc2442e24ca38173501b16f7611c

SHA256
bbbc83a2417682b397cc9ab7129e6d1c867d1b58fa2e29861249ffea30faca2b

SHA512
50070d24daf45ca47ffa5e7561ddc24f73f6396bc1cebc890d4f09abc710b928a93e26a18eeb17302773f1622c1d917903307a678354bd60f2656e9c23470678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6e254d.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
8dd3583d1fa6c2facb3ed12f1af7123f

SHA1
c430178f8cb2b5265853bc1317c038247d7ee8cd

SHA256
5e55a538b4077c8d580eca78c221ebf7941114b81a06b55e83a9df417b796275

SHA512
d4a47988f405ca01c889b190da6ad12fa2730b69e5cdf587ab028780e68597da6469074bef91a974bc58909f71f86ffa73712395d40fbe26e0edd5283f299fec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
memory/1744-63-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1816-66-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing