Malware Analysis Report

2024-12-07 20:39

Sample ID 230821-wy3gmagg3z
Target ec15235a6a5d1b8bad0f3fbd78840131-sample.zip
SHA256 5482ee474243ec4ce50149fae0706f48d7dc8bb7e89632bfa4d78569c6312fb3
Tags
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

5482ee474243ec4ce50149fae0706f48d7dc8bb7e89632bfa4d78569c6312fb3

Threat Level: Likely benign

The file ec15235a6a5d1b8bad0f3fbd78840131-sample.zip was found to be: Likely benign.

Malicious Activity Summary


Drops file in Program Files directory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-08-21 18:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-21 18:20

Reported

2023-08-21 18:25

Platform

win7-20230712-en

Max time kernel

121s

Max time network

124s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\Invoice no17684.jar"

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\Invoice no17684.jar"

Network

N/A

Files

memory/2224-56-0x0000000002240000-0x0000000005240000-memory.dmp

memory/2224-64-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2224-66-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2224-67-0x0000000002240000-0x0000000005240000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-21 18:20

Reported

2023-08-21 18:25

Platform

win10v2004-20230703-en

Max time kernel

208s

Max time network

265s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\Invoice no17684.jar"

Signatures

Drops file in Program Files directory

Description                  | Indicator                                                             | Process                                      | Target
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb      | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb             | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb                | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb    | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb                  | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb              | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb            | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb                       | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb                   | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb           | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb                         | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb                     | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description               | Indicator | Process                      | Target
Token: SeRestorePrivilege  | N/A       | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35                  | N/A       | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A       | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A       | C:\Program Files\7-Zip\7zG.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                        | Target
N/A         | N/A       | C:\Program Files\7-Zip\7zG.exe | N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\Invoice no17684.jar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Invoice no17684\" -spe -an -ai#7zMap1091:110:7zEvent18102

Network

Country | Destination | Domain                         | Proto
US      | 8.8.8.8:53  | 208.194.73.20.in-addr.arpa     | udp
US      | 8.8.8.8:53  | 254.210.247.8.in-addr.arpa     | udp
US      | 8.8.8.8:53  | 95.221.229.192.in-addr.arpa    | udp
US      | 8.8.8.8:53  | 2.136.104.51.in-addr.arpa      | udp
US      | 8.8.8.8:53  | 75.159.190.20.in-addr.arpa     | udp
US      | 8.8.8.8:53  | 183.59.114.20.in-addr.arpa     | udp
US      | 8.8.8.8:53  | 56.126.166.20.in-addr.arpa     | udp
US      | 8.8.8.8:53  | 1.77.109.52.in-addr.arpa       | udp
US      | 8.8.8.8:53  | 203.197.79.204.in-addr.arpa    | udp
US      | 8.8.8.8:53  | 89.65.42.20.in-addr.arpa       | udp

Files

memory/2988-137-0x0000000002C90000-0x0000000003C90000-memory.dmp

memory/2988-144-0x0000000002710000-0x0000000002711000-memory.dmp

memory/2988-156-0x0000000002710000-0x0000000002711000-memory.dmp

memory/2988-157-0x0000000002710000-0x0000000002711000-memory.dmp

memory/2988-161-0x0000000002F00000-0x0000000002F10000-memory.dmp

memory/2988-162-0x0000000002F10000-0x0000000002F20000-memory.dmp

memory/2988-163-0x0000000002F20000-0x0000000002F30000-memory.dmp

memory/2988-164-0x0000000002C90000-0x0000000003C90000-memory.dmp

memory/2988-165-0x0000000002F30000-0x0000000002F40000-memory.dmp

memory/2988-166-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/2988-167-0x0000000002F60000-0x0000000002F70000-memory.dmp

memory/2988-168-0x0000000002F70000-0x0000000002F80000-memory.dmp

memory/2988-169-0x0000000002C90000-0x0000000003C90000-memory.dmp

memory/2988-170-0x0000000002C90000-0x0000000003C90000-memory.dmp