Analysis Overview
SHA256
5482ee474243ec4ce50149fae0706f48d7dc8bb7e89632bfa4d78569c6312fb3
Threat Level: Likely benign
The file ec15235a6a5d1b8bad0f3fbd78840131-sample.zip was found to be: Likely benign.
Malicious Activity Summary
Drops file in Program Files directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-08-21 18:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-21 18:20
Reported
2023-08-21 18:25
Platform
win7-20230712-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Invoice no17684.jar"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-21 18:20
Reported
2023-08-21 18:25
Platform
win10v2004-20230703-en
Max time kernel
208s
Max time network
265s
Command Line
Signatures
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Invoice no17684.jar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Invoice no17684\" -spe -an -ai#7zMap1091:110:7zEvent18102
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.210.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files