Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    27-06-2023 06:47

General

  • Target

    QUOTAZIONI-Offerta.jar

  • Size

    70KB

  • MD5

    1a4ac030a58da776cfe4a9c81e563bd4

  • SHA1

    3159dc0894baaf593e1365921cdbfd580a5885ae

  • SHA256

    49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680

  • SHA512

    f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

  • SSDEEP

    1536:ETgNpqksfYxlEnBQ1taArWKnrw4S3gDhpK1s207Oc3au1r3bQnsYuPjRwnQHzOi+:vhDHE27nfS3gLK1s26aWr3bQnuLViS3Y

Malware Config

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONI-Offerta.jar
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\system32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
        3⤵
        • Creates scheduled task(s)
        PID:688
    • C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
      2⤵
        PID:872

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONI-Offerta.jar

      Filesize

      70KB

      MD5

      1a4ac030a58da776cfe4a9c81e563bd4

      SHA1

      3159dc0894baaf593e1365921cdbfd580a5885ae

      SHA256

      49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680

      SHA512

      f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

    • C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar

      Filesize

      70KB

      MD5

      1a4ac030a58da776cfe4a9c81e563bd4

      SHA1

      3159dc0894baaf593e1365921cdbfd580a5885ae

      SHA256

      49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680

      SHA512

      f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

    • memory/872-81-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

    • memory/1416-63-0x0000000000430000-0x0000000000431000-memory.dmp

      Filesize

      4KB