8875f7104cd2c1c5d5eef7f06b841e239254c62792ffb601a2f46e96c2f67cc3

General

Target

jre.exe
Size

71.2MB
MD5

b8774375de02c58381f9d5215731a7ea
SHA1

10e428c0b52e89feb71c485bc4098768ff39c390
SHA256

8875f7104cd2c1c5d5eef7f06b841e239254c62792ffb601a2f46e96c2f67cc3
SHA512

7175bad0c3c6b3409d9effea8d76ecc8bdf608f7b91017c8c8fac2902960c8d00a6e297b02c203ac29f4af956a01be29aea266a65bea861a16826f0b0becf1d3
SSDEEP

1572864:EXARH5MRWYsnIUQru78RIS7UiOnVLhSiKfF8JPUVDaFeHjoM:+q5MRW37WISQfLYnfyUD9H

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1264	jre.exe

Loads dropped DLL 1 IoCs

pid	Process
904	jre.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main	jre.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	jre.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	jre.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1264	jre.exe
1264	jre.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1264	904	jre.exe	27
PID 904 wrote to memory of 1264	904	jre.exe	27
PID 904 wrote to memory of 1264	904	jre.exe	27
PID 904 wrote to memory of 1264	904	jre.exe	27
PID 904 wrote to memory of 1264	904	jre.exe	27
PID 904 wrote to memory of 1264	904	jre.exe	27
PID 904 wrote to memory of 1264	904	jre.exe	27

C:\Users\Admin\AppData\Local\Temp\jre.exe
"C:\Users\Admin\AppData\Local\Temp\jre.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\jds7087109.tmp\jre.exe
  "C:\Users\Admin\AppData\Local\Temp\jds7087109.tmp\jre.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jds7087109.tmp\jre.exe

Filesize
70.9MB

MD5
4b8e09f7e127b5a688f5948a0c9ffa17

SHA1
6a74ced94605fc41e066ae62a4b553ae2c4fd8c3

SHA256
a371762f524f63b00fb6acaff3883b15c614ff9743355b087e62ba5319d46a6b

SHA512
dd8285345b6726bf5130c649d898b6911faa1c60c9d1f94d202221473d9e94d4c449e581a82b03ec43254a8e3b8ea1bf5b6a6f23135bc9f3cd8d6646c46fe8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds7087109.tmp\jre.exe

Filesize
70.9MB

MD5
4b8e09f7e127b5a688f5948a0c9ffa17

SHA1
6a74ced94605fc41e066ae62a4b553ae2c4fd8c3

SHA256
a371762f524f63b00fb6acaff3883b15c614ff9743355b087e62ba5319d46a6b

SHA512
dd8285345b6726bf5130c649d898b6911faa1c60c9d1f94d202221473d9e94d4c449e581a82b03ec43254a8e3b8ea1bf5b6a6f23135bc9f3cd8d6646c46fe8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
2KB

MD5
98cb98c6dc40bb5133d19a4c1d3e9b4f

SHA1
dcd78b8f877b60057b50fbd6fdddfff45b0cc556

SHA256
dc3220198941027c41818013b5eb4d6885b2a03036677155f5939477230815d0

SHA512
81996807e6071ac2bc95d8f72a1802db301d015666b9bff4d405d83671d10341eed2b6c2b40b6d502ba120798321e9b50f16a907db98b03d75ecb25d435a42bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
2KB

MD5
98cb98c6dc40bb5133d19a4c1d3e9b4f

SHA1
dcd78b8f877b60057b50fbd6fdddfff45b0cc556

SHA256
dc3220198941027c41818013b5eb4d6885b2a03036677155f5939477230815d0

SHA512
81996807e6071ac2bc95d8f72a1802db301d015666b9bff4d405d83671d10341eed2b6c2b40b6d502ba120798321e9b50f16a907db98b03d75ecb25d435a42bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
11KB

MD5
4d04d768a9e95fe6def26748bb835848

SHA1
1df43707aeafbd57adbb4699b2ebbea0fba583d9

SHA256
79313579510e209ae815e1f360fc6633b9f6a57e6bde067c39420a6b5390edf2

SHA512
14a9f12da6d7aadddb9721a4093a56f800f278f34078c863acd2351d1edfe2ad8d73e0452c1968baac4eee88211afaa5d82e1db4201df26cf9dcfc3155bf5bd0

Download Submit
\Users\Admin\AppData\Local\Temp\jds7087109.tmp\jre.exe

Filesize
70.9MB

MD5
4b8e09f7e127b5a688f5948a0c9ffa17

SHA1
6a74ced94605fc41e066ae62a4b553ae2c4fd8c3

SHA256
a371762f524f63b00fb6acaff3883b15c614ff9743355b087e62ba5319d46a6b

SHA512
dd8285345b6726bf5130c649d898b6911faa1c60c9d1f94d202221473d9e94d4c449e581a82b03ec43254a8e3b8ea1bf5b6a6f23135bc9f3cd8d6646c46fe8a0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads