Analysis
max time kernel: 153s
max time network: 156s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2023 14:21
Static task: static1
Behavioral task: behavioral1
  Sample: QUOTAZIONIOffertajar.jar
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: QUOTAZIONIOffertajar.jar
  Resource: win10v2004-20230621-en
General
Target: QUOTAZIONIOffertajar.jar
Size: 70KB
MD5: 1a4ac030a58da776cfe4a9c81e563bd4
SHA1: 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256: 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512: f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520
SSDEEP: 1536:ETgNpqksfYxlEnBQ1taArWKnrw4S3gDhpK1s207Oc3au1r3bQnsYuPjRwnQHzOi+:vhDHE27nfS3gLK1s26aWr3bQnuLViS3Y
Malware Config
Signatures
Drops startup file (1 IoC)
Processes: java.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONIOffertajar.jar
  process: java.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: java.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONIOffertajar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONIOffertajar.jar\""
  process: java.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONIOffertajar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONIOffertajar.jar\""
  process: java.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 4
  ioc: ip-api.com
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: WMIC.exe, WMIC.exe
Each IoC is one token adjustment (description: Token, pid, process); repeated adjustments are grouped below with their counts.

WMIC.exe, PID 1484 (each of the following 20 tokens adjusted twice, 40 IoCs):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

WMIC.exe, PID 1952 (24 IoCs):
  the same 20 tokens, each adjusted once, followed by a second adjustment of SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege and SeLoadDriverPrivilege
Suspicious use of WriteProcessMemory (33 IoCs)
Processes: java.exe, cmd.exe, java.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
Each parent/child pair below (description, pid, process, procid_target) is reported three times in the sandbox output:
  PID 2012 (java.exe) wrote to memory of PID 684, procid_target 29
  PID 2012 (java.exe) wrote to memory of PID 1920, procid_target 30
  PID 684 (cmd.exe) wrote to memory of PID 1416, procid_target 31
  PID 1920 (java.exe) wrote to memory of PID 604, procid_target 32
  PID 604 (cmd.exe) wrote to memory of PID 1484, procid_target 33
  PID 1920 (java.exe) wrote to memory of PID 1160, procid_target 35
  PID 1160 (cmd.exe) wrote to memory of PID 1952, procid_target 36
  PID 1920 (java.exe) wrote to memory of PID 1928, procid_target 37
  PID 1928 (cmd.exe) wrote to memory of PID 848, procid_target 38
  PID 1920 (java.exe) wrote to memory of PID 1380, procid_target 39
  PID 1380 (cmd.exe) wrote to memory of PID 1560, procid_target 40
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(depth in the process tree shown as [1], [2], ...; each entry gives image path, command line, PID and matched signatures)

[1] C:\Windows\system32\java.exe (PID 2012)
    Command line: java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONIOffertajar.jar
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe (PID 684)
      Command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\schtasks.exe (PID 1416)
        Command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"
        - Creates scheduled task(s)

  [2] C:\Program Files\Java\jre7\bin\java.exe (PID 1920)
      Command line: "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\cmd.exe (PID 604)
        Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 1484)
          Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\cmd.exe (PID 1160)
        Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 1952)
          Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\cmd.exe (PID 1928)
        Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 848)
          Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

    [3] C:\Windows\system32\cmd.exe (PID 1380)
        Command line: cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\Wbem\WMIC.exe (PID 1560)
          Command line: wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 70KB
MD5: 1a4ac030a58da776cfe4a9c81e563bd4
SHA1: 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256: 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512: f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520