Overview

overview

6

Static

static

1

DbConnection.java

windows7-x64

6

DbConnection.java

windows10-2004-x64

3

Resubmissions

24/03/2023, 14:21 UTC

230324-rn8tfahb2z 3

24/03/2023, 14:18 UTC

230324-rmdxnsgh8v 6

Analysis

  • max time kernel
    63s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    24/03/2023, 14:18 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DbConnection.java

  • Size

    806B

  • MD5

    24fd8d7777f0b44e4aba321841f729c5

  • SHA1

    bd0e751139420bc6e57f02bee0fe84474f5b9db5

  • SHA256

    56b8eb4751b74f827d773e17afe912c8e0957bb0538cf235b4c4a511eb93cf17

  • SHA512

    2d015aa3f698429f86b09d071836911bc032c8f463a061e7ff2283709dfe27327a168ca40173e967a6ce591c62addff0931126cd5a2bd61575eee7aad96bd014

Score
6/10

Malware Config

Signatures

  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 21 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\DbConnection.java
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\DbConnection.java
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\DbConnection.java
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1948
  • C:\Program Files\Microsoft Games\solitaire\solitaire.exe
    "C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1624
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x508
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1916
  • C:\Windows\helppane.exe
    C:\Windows\helppane.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1176

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1176-94-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1624-112-0x0000000001D70000-0x0000000001D7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-110-0x0000000001D70000-0x0000000001D7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-80-0x0000000001D70000-0x0000000001D7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-82-0x0000000001D70000-0x0000000001D7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-84-0x0000000001E30000-0x0000000001E3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-83-0x0000000001E30000-0x0000000001E3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-88-0x0000000001E30000-0x0000000001E3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-89-0x0000000001E30000-0x0000000001E3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-79-0x0000000001D70000-0x0000000001D7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-78-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1624-81-0x0000000001D70000-0x0000000001D7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-109-0x0000000001D70000-0x0000000001D7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-111-0x0000000001D70000-0x0000000001D7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-108-0x0000000001D70000-0x0000000001D7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-107-0x0000000001D70000-0x0000000001D7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-106-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1624-115-0x0000000001E30000-0x0000000001E3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-114-0x0000000001E30000-0x0000000001E3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-113-0x0000000001E30000-0x0000000001E3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-116-0x0000000001E30000-0x0000000001E3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1624-117-0x0000000001E30000-0x0000000001E3A000-memory.dmp

    Filesize

    40KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.