Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2023 06:47

Static task: static1

Behavioral task: behavioral1
Sample: QUOTAZIONI-Offerta.jar
Resource: win7-20230621-en

Behavioral task: behavioral2
Sample: QUOTAZIONI-Offerta.jar
Resource: win10v2004-20230621-en
General

Target: QUOTAZIONI-Offerta.jar
Size: 70KB
MD5: 1a4ac030a58da776cfe4a9c81e563bd4
SHA1: 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256: 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512: f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520
SSDEEP: 1536:ETgNpqksfYxlEnBQ1taArWKnrw4S3gDhpK1s207Oc3au1r3bQnsYuPjRwnQHzOi+:vhDHE27nfS3gLK1s26aWr3bQnuLViS3Y
Malware Config

Signatures

Drops startup file (1 IoCs)
Processes: java.exe
  Process  | description  | ioc
  java.exe | File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONI-Offerta.jar

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: java.exe
  Process  | description     | ioc
  java.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONI-Offerta.jar\""
  java.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONI-Offerta = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONI-Offerta.jar\""

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: java.exe, cmd.exe
  description                       | pid  | Process  | procid_target
  PID 3224 wrote to memory of 3676  | 3224 | java.exe | 80
  PID 3224 wrote to memory of 3676  | 3224 | java.exe | 80
  PID 3224 wrote to memory of 3084  | 3224 | java.exe | 82
  PID 3224 wrote to memory of 3084  | 3224 | java.exe | 82
  PID 3676 wrote to memory of 1208  | 3676 | cmd.exe  | 84
  PID 3676 wrote to memory of 1208  | 3676 | cmd.exe  | 84

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONI-Offerta.jar
  PID: 3224
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
    PID: 3676
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
      PID: 1208
      - Creates scheduled task(s)

  C:\Program Files\Java\jre1.8.0_66\bin\java.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONI-Offerta.jar"
    PID: 3084
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 70KB
MD5: 1a4ac030a58da776cfe4a9c81e563bd4
SHA1: 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256: 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512: f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

Filesize: 50B
MD5: b84781050ec25d24feea2366dde06fd0
SHA1: 00d5741b102fbc4b8fc479c6a76ff71659858bb0
SHA256: ef9157d086ffa50096b13a042061a165b3e7e5e2603d7fc9687b73159b8ab2a7
SHA512: 96bce048a07aed2940057f01af27430fafb1f7bb75b6b164c120885e737361e9e868663da1a76b6e5b01f70af50a935de0cb7bd2faba3308e3c7ce3f427afb82