Malware Analysis Report

2024-12-07 20:45

Sample ID 230627-rn2p5aee27
Target QUOTAZIONIOffertajar.jar
SHA256 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
Tags
strrat persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680

Threat Level: Known bad

The file QUOTAZIONIOffertajar.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-27 14:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-27 14:21

Reported

2023-06-27 14:23

Platform

win7-20230621-en

Max time kernel

153s

Max time network

156s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONIOffertajar.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONIOffertajar.jar C:\Windows\system32\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONIOffertajar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONIOffertajar.jar\"" C:\Windows\system32\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONIOffertajar = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONIOffertajar.jar\"" C:\Windows\system32\java.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 684 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 684 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 684 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 1920 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2012 wrote to memory of 1920 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2012 wrote to memory of 1920 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 684 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 684 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 684 wrote to memory of 1416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1920 wrote to memory of 604 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 604 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 604 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 604 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 604 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 604 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1920 wrote to memory of 1160 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 1160 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 1160 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1160 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1160 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1160 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1920 wrote to memory of 1928 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 1928 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 1928 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1928 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1928 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1920 wrote to memory of 1380 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 1380 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 1380 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1380 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1380 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONIOffertajar.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list

Network

Country Destination Domain Proto
US 8.8.8.8:53 elastsolek1.duckdns.org udp
RU 194.147.140.241:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2012-63-0x0000000000420000-0x0000000000421000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONIOffertajar.jar

MD5 1a4ac030a58da776cfe4a9c81e563bd4
SHA1 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512 f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar

MD5 1a4ac030a58da776cfe4a9c81e563bd4
SHA1 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512 f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

memory/1920-80-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1920-82-0x0000000000330000-0x0000000000331000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-27 14:21

Reported

2023-06-27 14:23

Platform

win10v2004-20230621-en

Max time kernel

147s

Max time network

151s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONIOffertajar.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUOTAZIONIOffertajar.jar C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONIOffertajar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONIOffertajar.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUOTAZIONIOffertajar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\QUOTAZIONIOffertajar.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4364 wrote to memory of 1120 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4364 wrote to memory of 1120 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4364 wrote to memory of 2472 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 4364 wrote to memory of 2472 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 1120 wrote to memory of 3588 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1120 wrote to memory of 3588 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2472 wrote to memory of 4160 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2472 wrote to memory of 4160 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4160 wrote to memory of 3776 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4160 wrote to memory of 3776 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2472 wrote to memory of 4780 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2472 wrote to memory of 4780 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4780 wrote to memory of 2220 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4780 wrote to memory of 2220 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2472 wrote to memory of 1400 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2472 wrote to memory of 1400 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1400 wrote to memory of 2196 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1400 wrote to memory of 2196 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2472 wrote to memory of 2156 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2472 wrote to memory of 2156 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2156 wrote to memory of 4268 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2156 wrote to memory of 4268 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\QUOTAZIONIOffertajar.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.7.248.8.in-addr.arpa udp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
RU 194.147.140.241:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 241.140.147.194.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 20.42.73.25:443 tcp
US 192.229.221.95:80 tcp
US 2.18.121.75:80 tcp
US 2.18.121.83:80 tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp

Files

memory/4364-144-0x0000000002770000-0x0000000002771000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\QUOTAZIONIOffertajar.jar

MD5 1a4ac030a58da776cfe4a9c81e563bd4
SHA1 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512 f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

C:\Users\Admin\AppData\Roaming\QUOTAZIONIOffertajar.jar

MD5 1a4ac030a58da776cfe4a9c81e563bd4
SHA1 3159dc0894baaf593e1365921cdbfd580a5885ae
SHA256 49ff3a5373588c3e2a8d117ffa091662f87045ae3ec828f3223e65649a5b4680
SHA512 f5d43ff7760bc42da348d1be78d2c0833be5326843a65010e2105bd17486dc62fd3f064f70d18d8e26af6664bc8652e5f5de6186c3e20db4fda0b10aee89b520

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 89aefbc3d85ecb573ce79c224a33c35d
SHA1 64cb422e1941963cad61334d97e61e3515f426f9
SHA256 e5ec5feb5c11b538ba1472c5e5c17ebf07eac2b09214c0c296a9a605412b3a0c
SHA512 75a76837f0d8892fb667d5d8506fc9bb34a77aac2eb795315d277bd69bbbcddcb93ee3f375c70351ff2688ee6096c8e66819e7ebcb0ab252dc056af21807940e

memory/2472-164-0x0000000000940000-0x0000000000941000-memory.dmp

memory/2472-165-0x0000000000940000-0x0000000000941000-memory.dmp

memory/2472-170-0x0000000000940000-0x0000000000941000-memory.dmp