e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079

Analysis

max time kernel
39s
max time network
103s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-03-2023 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JavaSetup8u361.exe
Size

2.2MB
MD5

d3809baddaf7b1e7d94484160043328b
SHA1

e1979f5248d3b20858b11386ce22b1ccb0a9bfb5
SHA256

e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079
SHA512

96350ef6c81a1bc7d3c6b29c2a66ffaa1cf4f86172d3f52d39bcbf3886da41208b75cfe16bbf4ea23e04b2e0616637083eeacdefb8c0edc3ce6d0f2f89f881c6
SSDEEP

49152:OOt2ad8mKKue2/8cTs0HFTPO86O3jUfkptVx41inlc8z+o2:OOt2yMT/8cTs09RjUu54Ai

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

JavaSetup8u361.exeLZMA_EXE

pid process

1476 JavaSetup8u361.exe
1504 LZMA_EXE
Loads dropped DLL 3 IoCs

Processes:

JavaSetup8u361.exeJavaSetup8u361.exe

pid process

928 JavaSetup8u361.exe
1476 JavaSetup8u361.exe
1476 JavaSetup8u361.exe

pid	process
1476	JavaSetup8u361.exe
1504	LZMA_EXE

pid	process
928	JavaSetup8u361.exe
1476	JavaSetup8u361.exe
1476	JavaSetup8u361.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

JavaSetup8u361.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	JavaSetup8u361.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

JavaSetup8u361.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	JavaSetup8u361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	JavaSetup8u361.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

JavaSetup8u361.exe

pid process

1476 JavaSetup8u361.exe
1476 JavaSetup8u361.exe

pid	process
1476	JavaSetup8u361.exe
1476	JavaSetup8u361.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

JavaSetup8u361.exeJavaSetup8u361.exe

description	pid	process	target process
PID 928 wrote to memory of 1476	928	JavaSetup8u361.exe	JavaSetup8u361.exe
PID 928 wrote to memory of 1476	928	JavaSetup8u361.exe	JavaSetup8u361.exe
PID 928 wrote to memory of 1476	928	JavaSetup8u361.exe	JavaSetup8u361.exe
PID 928 wrote to memory of 1476	928	JavaSetup8u361.exe	JavaSetup8u361.exe
PID 928 wrote to memory of 1476	928	JavaSetup8u361.exe	JavaSetup8u361.exe
PID 928 wrote to memory of 1476	928	JavaSetup8u361.exe	JavaSetup8u361.exe
PID 928 wrote to memory of 1476	928	JavaSetup8u361.exe	JavaSetup8u361.exe
PID 1476 wrote to memory of 1504	1476	JavaSetup8u361.exe	LZMA_EXE
PID 1476 wrote to memory of 1504	1476	JavaSetup8u361.exe	LZMA_EXE
PID 1476 wrote to memory of 1504	1476	JavaSetup8u361.exe	LZMA_EXE
PID 1476 wrote to memory of 1504	1476	JavaSetup8u361.exe	LZMA_EXE

C:\Users\Admin\AppData\Local\Temp\JavaSetup8u361.exe
"C:\Users\Admin\AppData\Local\Temp\JavaSetup8u361.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\jds7080183.tmp\JavaSetup8u361.exe
"C:\Users\Admin\AppData\Local\Temp\jds7080183.tmp\JavaSetup8u361.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
"C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
3⤵
- Executes dropped EXE
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi
Filesize
843KB

MD5
c95a831719a0a8659911c2d961a9e425

SHA1
84e5db605edecd9976f2a7d45b00c2c5deabe11d

SHA256
bb5d1befb8970ee28066d13727056d54e0ee624564556757c26c75d6faafcc9d

SHA512
073f2e9ce88f18ddf6d5e9d1d47a142b68a4935d73854580ca6d5b619473632965051e398bf5485ff0664d2caf2ed13d4260ab64428c7ea2cce78983feed3069

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi
Filesize
843KB

MD5
c95a831719a0a8659911c2d961a9e425

SHA1
84e5db605edecd9976f2a7d45b00c2c5deabe11d

SHA256
bb5d1befb8970ee28066d13727056d54e0ee624564556757c26c75d6faafcc9d

SHA512
073f2e9ce88f18ddf6d5e9d1d47a142b68a4935d73854580ca6d5b619473632965051e398bf5485ff0664d2caf2ed13d4260ab64428c7ea2cce78983feed3069

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi
Filesize
52.6MB

MD5
1aa57a5a04ec43b25937efa2a3f0f0ad

SHA1
6121bef34c9c603e8b03140c05e0418096ac7bb6

SHA256
66a697fe354addb90ae4e3c6b617f9ca0e5a65a439435f674e3f6d8c7db85b6b

SHA512
1461ff7fc5d3a1e3fff20bd42324f0dc6f82bbdb9d35cc425535449a0f8e346599c4012802f0a801cce243eea4d878e6430a02db5b24fe6cc99b24cdad31c4e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp
Filesize
1016KB

MD5
459a51b2e65d53e4e568215e77317cc5

SHA1
f2308f14d1033f79a1d10b392520cb2459b0e737

SHA256
9da5f7bb7d99c3b8d5c9100a0573e928f48452319989ab026af5fcff1119a5d9

SHA512
7e3b8cb97c4c61eb147473d62dc163205ecd85235e6c711b39c4a76b06e8cee7d70f2594e0710df90e1b949c4bdb442a759912afeb72c6b4f0a34750daf17886

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7080183.tmp\JavaSetup8u361.exe
Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7080183.tmp\JavaSetup8u361.exe
Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
34KB

MD5
dff92283c82175bed708b15efea7727a

SHA1
5a9f05cd50430dd9608ac4493aff5da9437bdf11

SHA256
a895c885a695c5e5bbda105969dd43c2152a13c66d7742a0bb842a663fbed6da

SHA512
79245c7c853a14b78539f014c0c7bfbe5daa362055cd12bd0fd481347396d91894ff4dfe3146ca7a318dd7724b7b648aae3288d82880e10934afe27119844afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
1KB

MD5
c7b9f1d3d2768f503d448b6114390215

SHA1
f39dd4df98af8c8772c92da42b31c53f144e677c

SHA256
6da59a24912c9d75a34d0bb98cd7976059de095944f9c6fb6d7c7642584fd1e4

SHA512
1d71818aa1b96c3c7fcd79bb7c961d215a08d7b49a762b53a370d170cd7f97632a13c7a24e08a331242d3df0c92faf133bb00cdf7df4b4cd8b5f3f2f2b849474

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
6KB

MD5
b7569a030cc62fe64cb1392168ed7b0d

SHA1
825d5ae11322297fa509f938cfbb7f12d69cf5f8

SHA256
ad77d393029a34481be57cacc236be5e837ca0f59140880054b35a04586f83b6

SHA512
53d7143c3f41f58ac7f8d035a2ef8e992a07f9bed17c3726f1d5a4d6760436eebf4d9aa3abe50b9f7e369c89b6c061792c788b23088e46e92f2fd3b4a244deb4

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\Local\Temp\jds7080183.tmp\JavaSetup8u361.exe
Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit