Resubmissions

  Submitted          Analysis ID          Score
  24-08-2023 10:27   230824-mhhb3sdc41    4
  24-08-2022 10:00   220824-l1xztacgh9    10

Analysis

  • max time kernel
    8s
  • max time network
    98s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64 arch:x86 image:win10-20230703-en locale:en-us os:windows10-1703-x64 system
  • submitted
    24-08-2023 10:27

General

  • Target

    2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e.jar

  • Size

    626KB

  • MD5

    4529ccc406e6fc95f2dcdc5f6bae28a5

  • SHA1

    aa84655568ea4727d742c13b10f8d159ee7926e6

  • SHA256

    2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e

  • SHA512

    77a6b73c52650846523e9cdcbf637fca33f00986cf13b68d1bf9a3ffa9c5eed9cabc72261a3f47bb3e27245ccc56c13be567254275a88c311a21bf6555b040f4

  • SSDEEP

    12288:UPNuogFSuOJlMO4r8ajpm3AI8u0BxuPTNHVWPK0U6qTaDYZXUr11CO004gaOezNk:UPQoXumMO4r8Am301BUPTN1WPK0UhTa1

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\auadjkcvuo.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\MHsaSuFjvX.js"
        3⤵
          PID:4204
        • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
          "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\prpqwy.txt"
          3⤵
            PID:4824
            • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
              "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.047072078428894053091465460767613926.class
              4⤵
                PID:1348
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4720
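The process tree above is the detection-relevant part of this report: a Java runtime launches a Windows Script Host dropper, which in turn runs javaw.exe and java.exe with -jar pointed at files that carry .txt and .class extensions instead of .jar. The following script is an added example (it is not part of the sandbox report) that encodes those two behaviours as rules over process-creation telemetry. The ProcEvent record and the EVENTS list are constructed here to mirror the command lines and PIDs in the tree, with one extra benign event (a developer running a .jar from C:\dev) added as a negative control; the parent PID of the first java.exe is assumed, since the report does not record it. The rules generalize slightly beyond this sample by also covering cscript.exe.

```python
"""Flag the Java -> WSH -> disguised-JAR chain from process-creation events.

Added example; not part of the sandbox report. Event fields follow the
shape of Sysmon Event ID 1 (PID, parent PID, image path, command line).
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the report's process tree. PIDs and command
# lines are taken from the tree; ppid 900 for the first java.exe is assumed.
EVENTS = [
    ProcEvent(1100, 900, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r"java -jar C:\Users\Admin\AppData\Local\Temp\2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e.jar"),
    ProcEvent(5116, 1100, r"C:\Windows\SYSTEM32\wscript.exe",
              r"wscript C:\Users\Admin\auadjkcvuo.js"),
    ProcEvent(4204, 5116, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\MHsaSuFjvX.js"'),
    ProcEvent(4824, 5116, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\prpqwy.txt"'),
    ProcEvent(1348, 4824, r"C:\Program Files\Java\jre1.8.0_66\bin\java.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.047072078428894053091465460767613926.class'),
    # Constructed benign control: a developer running a real .jar from a project dir.
    ProcEvent(7000, 6000, r"C:\Program Files\Java\jre1.8.0_66\bin\java.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\dev\app\build\app.jar'),
]

JAVA_RUNTIMES = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_PROFILE_MARKER = "\\users\\"  # payloads staged anywhere under a user profile


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def jar_argument(cmdline: str):
    """Path passed to -jar, handling both quoted and unquoted forms; None if absent."""
    m = re.search(r'-jar\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or m.group(2)


def findings(events):
    """Return (pid, rule_name) pairs, in event order, for each rule that fires."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)

        # Rule 1: a Java runtime spawning a Windows Script Host. Legitimate Java
        # applications very rarely do this; droppers written as JARs commonly do.
        if parent is not None and basename(parent.image) in JAVA_RUNTIMES and name in SCRIPT_HOSTS:
            hits.append((e.pid, "java_spawns_script_host"))

        # Rule 2: java/javaw -jar on a file whose extension is not .jar and which
        # sits under a user profile. Renaming the payload to .txt or .class is a
        # common attempt to hide it from extension-based controls.
        if name in JAVA_RUNTIMES:
            target = jar_argument(e.cmdline)
            if target is not None:
                ext = PureWindowsPath(target).suffix.lower()
                if ext != ".jar" and USER_PROFILE_MARKER in target.lower():
                    hits.append((e.pid, f"jar_with_{ext.lstrip('.') or 'no'}_extension"))
    return hits


if __name__ == "__main__":
    for pid, rule in findings(EVENTS):
        print(f"PID {pid}: {rule}")
```

Run against the constructed events, the script reports PID 5116 (wscript.exe under java.exe), PID 4824 (-jar on prpqwy.txt) and PID 1348 (-jar on a .class file) and stays silent on the benign C:\dev\app\build\app.jar launch. Rule 2 keys on the -jar argument rather than the file's real format, so a payload that keeps a .jar extension needs a separate content check (ZIP magic plus META-INF/MANIFEST.MF) at the file level.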

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

          Filesize

          50B

          MD5

          378f8128f46ac560c99ea774d9ebd411

          SHA1

          4e8a1d3177fe5fd9f716acd920b71c87935db46c

          SHA256

          f28a9e4139addf5b53fd040af5e03730db7fc90e3fcfa32d800e426118f2f102

          SHA512

          8b26353587cd86301a18ab41f4ec02724abed3962310e59a7f3b1ff040f89dafd75b34b186bd568abda5a64fc5422999dbe0e26562cbae9442930d0474e51f5a

        • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

          Filesize

          50B

          MD5

          c4a42ad6ac77d770171fd843920e30e2

          SHA1

          8940bd231cfd1d468755e1d169a67a047cc2f91a

          SHA256

          21dbe776da7740502efc56731b477fa03dd97e3574f1318c03efd8204ac53285

          SHA512

          36f6e1e8500485d2c00399b7593f89edc4458588b3e6eed502d568df7b7d5070064fff172db75cf33e8bec19d0f3d122800ea80b1b7d7cb6035a948723bb80f6

        • C:\Users\Admin\AppData\Local\Temp\_0.047072078428894053091465460767613926.class

          Filesize

          241KB

          MD5

          781fb531354d6f291f1ccab48da6d39f

          SHA1

          9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

          SHA256

          97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

          SHA512

          3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

        • C:\Users\Admin\AppData\Roaming\MHsaSuFjvX.js

          Filesize

          6KB

          MD5

          75570c99891c0563e8d1ab94999955a7

          SHA1

          fd9fe8d5d438d1a7b12069ee770654a5a283d08d

          SHA256

          1c47f96f2b1be9434870a1fec926c344ef74106ed2c0fd4c9c0f985c5607e775

          SHA512

          b64f2bf6dbb8cb97106760a37fbdab600e8c71f0a668f6f10a5155543294c2ac310b6becfdccc306d12e26b84e1fe7a264894411e751e3e2d0b9c87bb4221ec5

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1148472871-1113856141-1322182616-1000\83aa4cc77f591dfc2374580bbd95f6ba_56102b4f-820e-4a73-b05f-d08577ab0d91

          Filesize

          45B

          MD5

          c8366ae350e7019aefc9d1e6e6a498c6

          SHA1

          5731d8a3e6568a5f2dfbbc87e3db9637df280b61

          SHA256

          11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

          SHA512

          33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

        • C:\Users\Admin\AppData\Roaming\prpqwy.txt

          Filesize

          479KB

          MD5

          e4b4412a2e52f64ef1beb46cd4721869

          SHA1

          0d0f4da4f00ae3f424c3d70dd8a0426110696c4c

          SHA256

          7b7eb48626556344bbdddfb6d37173be5032093087635c81cb236e1d43c94b3c

          SHA512

          38e2e1813dcc5c7770d46611dde3cfebab1773c1837659ec662c0f38690d95aa48e3f732ff210e61216f9d3dc5530c8b754fb29c17cb3990409364acd8856144

        • C:\Users\Admin\auadjkcvuo.js

          Filesize

          907KB

          MD5

          e6ed63c61a7ca096c6f6c34a2fee8f3e

          SHA1

          d30f07297d8721b6bdd1d4fb0ae3fd2974756cce

          SHA256

          fd7bd01b7bfae6a1e7b081bfd04199063e3155cd9744142b136c6bcbfe6bd4a0

          SHA512

          933f539ac918eaa17d8a4e01c354ea4078a6239702e90bb7e32e51d15156bd8053a37c4fd5c3ace2d2f22857600b92e3a78e7fb90184806e9a20d48b12b61123

        • memory/1100-13-0x0000000000960000-0x0000000000961000-memory.dmp

          Filesize

          4KB

        • memory/1100-4-0x0000000002490000-0x0000000003490000-memory.dmp

          Filesize

          16.0MB

        • memory/1348-88-0x0000000002F90000-0x0000000002F91000-memory.dmp

          Filesize

          4KB

        • memory/1348-62-0x0000000002F90000-0x0000000002F91000-memory.dmp

          Filesize

          4KB

        • memory/1348-58-0x0000000002F90000-0x0000000002F91000-memory.dmp

          Filesize

          4KB

        • memory/1348-100-0x0000000002F90000-0x0000000002F91000-memory.dmp

          Filesize

          4KB

        • memory/1348-56-0x0000000003290000-0x0000000004290000-memory.dmp

          Filesize

          16.0MB

        • memory/4824-38-0x0000000000780000-0x0000000000781000-memory.dmp

          Filesize

          4KB

        • memory/4824-74-0x0000000000780000-0x0000000000781000-memory.dmp

          Filesize

          4KB

        • memory/4824-78-0x0000000000780000-0x0000000000781000-memory.dmp

          Filesize

          4KB

        • memory/4824-80-0x0000000000780000-0x0000000000781000-memory.dmp

          Filesize

          4KB

        • memory/4824-72-0x0000000002780000-0x0000000003780000-memory.dmp

          Filesize

          16.0MB

        • memory/4824-92-0x0000000000780000-0x0000000000781000-memory.dmp

          Filesize

          4KB

        • memory/4824-94-0x0000000002780000-0x0000000003780000-memory.dmp

          Filesize

          16.0MB

        • memory/4824-101-0x0000000000780000-0x0000000000781000-memory.dmp

          Filesize

          4KB

        • memory/4824-31-0x0000000002780000-0x0000000003780000-memory.dmp

          Filesize

          16.0MB