cce2dc0e46ba5dd734800c37dc01ef27ea23b912ee98f65e3b5d89f7c7883c64

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

utrstartupbuild.jar
Size

67KB
MD5

be65f99135c22a4a761f8261cd991632
SHA1

ada0f871e4e56715c789d8b731e5e420f4eed488
SHA256

cce2dc0e46ba5dd734800c37dc01ef27ea23b912ee98f65e3b5d89f7c7883c64
SHA512

bccc06ed8fc4b852a0a5487310934b939a900b22855209a088815405ca1e4626f5eba4c7793d2770368aab526e28489e1a90c3828a41d23c3bd2e0c5451e5021
SSDEEP

1536:7Bzg681/iD1LCZ43l5ucF8upA++wcgIF8TBZNIuzd:7iJ1/wLCW155pyfFCBnIuzd

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad = "C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw -jar \"C:\\Users\\Admin\\AppData\\Local\\Temp\\notepad1218227924348445288.jar\""	java.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

javaw.exe

pid process

3244 javaw.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

java.exe

description pid process target process

PID 748 wrote to memory of 3244 748 java.exe javaw.exe
PID 748 wrote to memory of 3244 748 java.exe javaw.exe

pid	process
3244	javaw.exe

description	pid	process	target process
PID 748 wrote to memory of 3244	748	java.exe	javaw.exe
PID 748 wrote to memory of 3244	748	java.exe	javaw.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\utrstartupbuild.jar
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw" -jar "C:\Users\Admin\AppData\Local\Temp\notepad1218227924348445288.jar"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
2a6576062ef83d7535825c3ae9d91dfd

SHA1
88bf397df5709503ebe4e3ea3adec32542c1b42f

SHA256
4d924f5a27f93cba8d1011083e434cabb8cded9a6eeb5c97c1c126084ffaad53

SHA512
08e3f71ed3b3c035676c1d325969064ab41fc08807b144d12ceda36655b80acdf2b0091b71ece8e05b8a17c88b9b9465e4eaeaf982260b9517d38dabf89216b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad1218227924348445288.jar
Filesize
51KB

MD5
a505ffe5cf1afc29c367ad059ec349ba

SHA1
aedb07825a91e0258faaa0081521ff08218c7a74

SHA256
d7bc8901279ee603cfe31884f44430e570864e3b6f6c5cd2a13c0bc9a088549d

SHA512
2e7b4e204143a23332e2b3cdfe96cba374eac0a995ca7a2692440fa67379f61550ef81c6bf3ec664f4ea80c5b854cba0f5a1fdfd52b51b256a40f00da8982af9

Download Submit
memory/748-143-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/3244-168-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3244-177-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3244-189-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download