Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2023 06:47
Static task: static1
Behavioral task: behavioral1
  Sample: QUOTAZIONI-Offerta.jar
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: QUOTAZIONI-Offerta.jar
  Resource: win10v2004-20230621-en
General
Target: QUOTAZIONI-Offerta.jar
Size: 70KB
MD5: 1a4ac030a58da776cfe4a9c81e563bd4
SHA1: 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256: 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512: f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520
SSDEEP: 1536:ETgNpqksfYxlEnBQ1taArWKnrw4S3gDhpK1s207Oc3au1r3bQnsYuPjRwnQHzOi+:vhDHE27nfS3gLK1s26aWr3bQnuLViS3Y
Malware Config
Signatures
-
Drops startup file (1 IoC)
Process: java.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONI-Offerta.jar
A .jar placed in the per-user Startup folder is launched at logon through the .jar file association, so there is no javaw.exe command line to hunt for here; the path and extension are the indicator.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: java.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta = "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta = "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
Both values are the same command: javaw.exe (no console window) running the copy of the sample in the user's roaming profile. The HKLM entry can only be written with administrative rights, which the sandbox user (Admin) has; on a standard-user host expect only the HKU entry.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named "Skype" to blend in, fires every 30 minutes (/sc minute /mo 30), and its action is the .jar copy in C:\Users\Admin\AppData\Roaming rather than an explicit javaw.exe command line, so it too relies on the .jar file association (see the process tree below).
Suspicious use of WriteProcessMemory (9 IoCs)
Process    PID    wrote to PID    Events recorded
java.exe   1416   1900            3
java.exe   1416   872             3
cmd.exe    1900   688             3
The target PIDs are exactly the children in the process tree (cmd.exe 1900, the second java.exe 872, schtasks.exe 688). A parent writes into a newly created child's address space as part of process creation, so on its own this signature is weak evidence; its value here is the parent/child relationships it records.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\java.exe (PID 1416)
  java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONI-Offerta.jar
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\system32\cmd.exe (PID 1900)
  |     cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\system32\schtasks.exe (PID 688)
  |           schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
  |           - Creates scheduled task(s)
  |
  +-- C:\Program Files\Java\jre7\bin\java.exe (PID 872)
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
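The behaviour recorded above (a .jar dropped into the Startup folder, HKU and HKLM Run values launching javaw.exe -jar from AppData\Roaming, and a java.exe -> cmd.exe -> schtasks.exe chain creating a 30-minute task named Skype) is the sort of pattern worth turning into detection logic. The following Python is an added example, not part of the sandbox report: it replays constructed telemetry built from the PIDs, paths and command lines printed in this report and flags the three persistence mechanisms. The event schema (type, pid, ppid, image, cmdline, key, data, path) and the function names are assumptions; real EDR telemetry uses different field names, and the rules should be adapted accordingly.

```python
"""Detection logic for the persistence chain in the QUOTAZIONI-Offerta.jar report (added
example, not sandbox output). EVENTS is constructed from the report; field names are assumed."""
from __future__ import annotations

import ntpath
import re

JAVA_IMAGES = {"java.exe", "javaw.exe"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_PROFILE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)


def split_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace, honouring double quotes; no backslash escaping (Windows paths)."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return tokens + (["".join(cur)] if cur else [])


def parse_schtasks(cmdline: str) -> dict[str, str | bool] | None:
    """/switch -> value map of a schtasks call (also inside 'cmd /c ...'); None if no schtasks."""
    toks = split_cmdline(cmdline)
    starts = [i for i, t in enumerate(toks) if ntpath.basename(t).lower() in ("schtasks", "schtasks.exe")]
    if not starts:
        return None
    args: dict[str, str | bool] = {}
    rest, j = toks[starts[0] + 1:], 0
    while j < len(rest):
        if rest[j].startswith("/"):
            has_value = j + 1 < len(rest) and not rest[j + 1].startswith("/")
            args[rest[j][1:].lower()] = rest[j + 1] if has_value else True  # "/sc minute" vs bare "/create"
            j += 2 if has_value else 1
        else:
            j += 1
    return args


def ancestors(proc: dict, by_pid: dict[int, dict]) -> list[str]:
    """Image names of proc's parents, root first, following ppid links (cycle-safe)."""
    chain, seen = [], set()
    parent = by_pid.get(proc.get("ppid"))
    while parent and parent["pid"] not in seen:
        seen.add(parent["pid"])
        chain.append(ntpath.basename(parent["image"]).lower())
        parent = by_pid.get(parent.get("ppid"))
    return chain[::-1]


def jar_persistence_findings(events: list[dict]) -> list[str]:
    """Flag: a created task whose action is a .jar, Run values launching java/javaw -jar,
    and .jar files written to a Startup folder."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process" and ntpath.basename(e["image"]).lower() == "schtasks.exe":
            args = parse_schtasks(e["cmdline"]) or {}
            action = str(args.get("tr", ""))
            if "create" in args and action.lower().endswith(".jar"):
                why = ["action is a bare .jar, so it runs through the .jar file association"]
                if USER_PROFILE_RE.search(action):
                    why.append("action lives under the user profile")
                if str(args.get("sc", "")).lower() == "minute":
                    why.append(f"re-runs every {args.get('mo', '1')} minute(s)")
                chain = ancestors(e, by_pid)
                if JAVA_IMAGES & set(chain):  # a JVM spawning the task scheduler is rare in normal use
                    why.append("created from the JVM: " + " -> ".join(chain + ["schtasks.exe"]))
                findings.append(f"Scheduled task {args.get('tn')!r}: " + "; ".join(why))
        elif e["type"] == "registry" and RUN_KEY_RE.search(e["key"]):
            toks = split_cmdline(e["data"])
            if toks and ntpath.basename(toks[0]).lower() in JAVA_IMAGES and "-jar" in toks:
                hive = "HKLM" if e["key"].upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
                findings.append(f"{hive} Run key {ntpath.basename(e['key'])!r} launches {toks[-1]}")
        elif e["type"] == "file" and STARTUP_RE.search(e["path"]) and e["path"].lower().endswith(".jar"):
            findings.append(f"Startup folder drop: {e['path']}")
    return findings


# Constructed telemetry mirroring the report's process tree and IoCs (PIDs as printed there).
def proc(pid: int, ppid: int, image: str, cmdline: str) -> dict:
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

JAR = r"C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
RUN_VALUE = rf'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "{JAR}"'
HKU_RUN = r"\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    proc(1416, 0, r"C:\Windows\system32\java.exe", r"java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONI-Offerta.jar"),
    {"type": "file", "pid": 1416, "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONI-Offerta.jar"},
    {"type": "registry", "pid": 1416, "key": HKU_RUN + r"\QUOTAZIONI-Offerta", "data": RUN_VALUE},
    {"type": "registry", "pid": 1416, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta", "data": RUN_VALUE},
    proc(1900, 1416, r"C:\Windows\system32\cmd.exe", rf'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "{JAR}"'),
    proc(688, 1900, r"C:\Windows\system32\schtasks.exe", rf'schtasks /create /sc minute /mo 30 /tn Skype /tr "{JAR}"'),
    proc(872, 1416, r"C:\Program Files\Java\jre7\bin\java.exe", rf'"C:\Program Files\Java\jre7\bin\java.exe" -jar "{JAR}"'),
]

if __name__ == "__main__":
    for line in jar_persistence_findings(EVENTS):
        print(line)
```

Running it against the constructed events yields four findings: the Startup folder drop, the HKU and HKLM Run values, and the Skype task with its java.exe -> cmd.exe -> schtasks.exe lineage. parse_schtasks also works on the cmd.exe line alone, which matters when a sensor records the `cmd /c` wrapper but misses the short-lived schtasks.exe child; the Run-key rule deliberately keys on a java/javaw image plus -jar rather than on the sample's file name, so it survives a renamed payload.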
Network
MITRE ATT&CK Enterprise v6
Downloads
Two files, both byte-identical to the submitted sample (same size and hashes):
  Filesize: 70KB
  MD5: 1a4ac030a58da776cfe4a9c81e563bd4
  SHA1: 3159dc0894baaf593e1365921cdbfd580a5885ae
  SHA256: 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
  SHA512: f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520