Analysis
- max time kernel: 8s
- max time network: 98s
- platform: windows10-1703_x64
- resource: win10-20230703-en
- resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 24-08-2023 10:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e.jar
- Resource: win10-20230703-en
General
- Target: 2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e.jar
- Size: 626KB
- MD5: 4529ccc406e6fc95f2dcdc5f6bae28a5
- SHA1: aa84655568ea4727d742c13b10f8d159ee7926e6
- SHA256: 2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e
- SHA512: 77a6b73c52650846523e9cdcbf637fca33f00986cf13b68d1bf9a3ffa9c5eed9cabc72261a3f47bb3e27245ccc56c13be567254275a88c311a21bf6555b040f4
- SSDEEP: 12288:UPNuogFSuOJlMO4r8ajpm3AI8u0BxuPTNHVWPK0U6qTaDYZXUr11CO004gaOezNk:UPQoXumMO4r8Am301BUPTN1WPK0UhTa1
Malware Config
Signatures
- Drops file in Windows directory (2 IoCs)
  Process: taskmgr.exe
  - File created: C:\Windows\rescache\_merged\4183903823\810424605.pri (taskmgr.exe)
  - File created: C:\Windows\rescache\_merged\1601268389\3877292338.pri (taskmgr.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Process: taskmgr.exe, PID 4720 (3 hits)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: taskmgr.exe, PID 4720
  - Token: SeDebugPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (15 IoCs)
  Process: taskmgr.exe, PID 4720 (15 hits)
- Suspicious use of SendNotifyMessage (15 IoCs)
  Process: taskmgr.exe, PID 4720 (15 hits)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: java.exe, wscript.exe
  - PID 1100 (java.exe) wrote to memory of PID 5116, procid_target 72 (2 hits)
  - PID 5116 (wscript.exe) wrote to memory of PID 4204, procid_target 73 (2 hits)
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e.jar
  PID: 1100
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\wscript.exe
    Command line: wscript C:\Users\Admin\auadjkcvuo.js
    PID: 5116
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\MHsaSuFjvX.js"
      PID: 4204
    - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\prpqwy.txt"
      PID: 4824
      - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
        Command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.047072078428894053091465460767613926.class
        PID: 1348
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4720
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads