Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2023 14:21

Static task: static1
Behavioral task: behavioral1
  Sample: QUOTAZIONIOffertajar.jar
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: QUOTAZIONIOffertajar.jar
  Resource: win10v2004-20230621-en
General
- Target: QUOTAZIONIOffertajar.jar
- Size: 70KB
- MD5: 1a4ac030a58da776cfe4a9c81e563bd4
- SHA1: 3159dc0894baaf593e1365921cdbfd580a5885ae
- SHA256: 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
- SHA512: f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520
- SSDEEP: 1536:ETgNpqksfYxlEnBQ1taArWKnrw4S3gDhpK1s207Oc3au1r3bQnsYuPjRwnQHzOi+:vhDHE27nfS3gLK1s26aWr3bQnuLViS3Y
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes:
    Process: java.exe
      File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONIOffertajar.jar
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Process: java.exe
      Set value (str): \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONIOffertajar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONIOffertajar.jar\""
      Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONIOffertajar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONIOffertajar.jar\""
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    Flow 21: ip-api.com
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    Process: WMIC.exe (PID 3776), list recorded twice
      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    Process: WMIC.exe (PID 2220)
      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege
- Suspicious use of WriteProcessMemory (22 IoCs; each pair is recorded twice)
  Processes:
    PID 4364 (java.exe) wrote to memory of PID 1120, procid_target 84
    PID 4364 (java.exe) wrote to memory of PID 2472, procid_target 86
    PID 1120 (cmd.exe) wrote to memory of PID 3588, procid_target 88
    PID 2472 (java.exe) wrote to memory of PID 4160, procid_target 90
    PID 4160 (cmd.exe) wrote to memory of PID 3776, procid_target 92
    PID 2472 (java.exe) wrote to memory of PID 4780, procid_target 93
    PID 4780 (cmd.exe) wrote to memory of PID 2220, procid_target 95
    PID 2472 (java.exe) wrote to memory of PID 1400, procid_target 96
    PID 1400 (cmd.exe) wrote to memory of PID 2196, procid_target 98
    PID 2472 (java.exe) wrote to memory of PID 2156, procid_target 99
    PID 2156 (cmd.exe) wrote to memory of PID 4268, procid_target 101
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe (PID 4364)
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONIOffertajar.jar
  Signatures: Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (PID 1120)
    Command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 3588)
      Command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"
      Signatures: Creates scheduled task(s)
  - C:\Program Files\Java\jre1.8.0_66\bin\java.exe (PID 2472)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe (PID 4160)
      Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (PID 3776)
        Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\cmd.exe (PID 4780)
      Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (PID 2220)
        Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\cmd.exe (PID 1400)
      Command line: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (PID 2196)
        Command line: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
    - C:\Windows\SYSTEM32\cmd.exe (PID 2156)
      Command line: cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (PID 4268)
        Command line: wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 70KB
  MD5: 1a4ac030a58da776cfe4a9c81e563bd4
  SHA1: 3159dc0894baaf593e1365921cdbfd580a5885ae
  SHA256: 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
  SHA512: f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520
- Filesize: 50B
  MD5: 89aefbc3d85ecb573ce79c224a33c35d
  SHA1: 64cb422e1941963cad61334d97e61e3515f426f9
  SHA256: e5ec5feb5c11b538ba1472c5e5c17ebf07eac2b09214c0c296a9a605412b3a0c
  SHA512: 75a76837f0d8892fb667d5d8506fc9bb34a77aac2eb795315d277bd69bbbcddcb93ee3f375c70351ff2688ee6096c8e66819e7ebcb0ab252dc056af21807940e