Analysis Overview
SHA256
2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e
Threat Level: Likely benign
The file 2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e.jar was found to be: Likely benign.
Malicious Activity Summary
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-24 10:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-24 10:27
Reported
2023-08-24 10:29
Platform
win10-20230703-en
Max time kernel
8s
Max time network
98s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1100 wrote to memory of 5116 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\wscript.exe |
| PID 1100 wrote to memory of 5116 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\wscript.exe |
| PID 5116 wrote to memory of 4204 | N/A | C:\Windows\SYSTEM32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 5116 wrote to memory of 4204 | N/A | C:\Windows\SYSTEM32\wscript.exe | C:\Windows\System32\WScript.exe |
Processes
| Process | Command line |
|---|---|
| C:\ProgramData\Oracle\Java\javapath\java.exe | java -jar C:\Users\Admin\AppData\Local\Temp\2b497ad1ec1cc4c7ea45b070c2cb3f2f78b0f06e128225df43980abd05d9fb1e.jar |
| C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /4 |
| C:\Windows\SYSTEM32\wscript.exe | wscript C:\Users\Admin\auadjkcvuo.js |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\MHsaSuFjvX.js" |
| C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\prpqwy.txt" |
| C:\Program Files\Java\jre1.8.0_66\bin\java.exe | "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.047072078428894053091465460767613926.class |
Network
Files
memory/1100-4-0x0000000002490000-0x0000000003490000-memory.dmp
memory/1100-13-0x0000000000960000-0x0000000000961000-memory.dmp
C:\Users\Admin\auadjkcvuo.js
| Hash | Value |
|---|---|
| MD5 | e6ed63c61a7ca096c6f6c34a2fee8f3e |
| SHA1 | d30f07297d8721b6bdd1d4fb0ae3fd2974756cce |
| SHA256 | fd7bd01b7bfae6a1e7b081bfd04199063e3155cd9744142b136c6bcbfe6bd4a0 |
| SHA512 | 933f539ac918eaa17d8a4e01c354ea4078a6239702e90bb7e32e51d15156bd8053a37c4fd5c3ace2d2f22857600b92e3a78e7fb90184806e9a20d48b12b61123 |
C:\Users\Admin\AppData\Roaming\MHsaSuFjvX.js
| Hash | Value |
|---|---|
| MD5 | 75570c99891c0563e8d1ab94999955a7 |
| SHA1 | fd9fe8d5d438d1a7b12069ee770654a5a283d08d |
| SHA256 | 1c47f96f2b1be9434870a1fec926c344ef74106ed2c0fd4c9c0f985c5607e775 |
| SHA512 | b64f2bf6dbb8cb97106760a37fbdab600e8c71f0a668f6f10a5155543294c2ac310b6becfdccc306d12e26b84e1fe7a264894411e751e3e2d0b9c87bb4221ec5 |
C:\Users\Admin\AppData\Roaming\prpqwy.txt
| Hash | Value |
|---|---|
| MD5 | e4b4412a2e52f64ef1beb46cd4721869 |
| SHA1 | 0d0f4da4f00ae3f424c3d70dd8a0426110696c4c |
| SHA256 | 7b7eb48626556344bbdddfb6d37173be5032093087635c81cb236e1d43c94b3c |
| SHA512 | 38e2e1813dcc5c7770d46611dde3cfebab1773c1837659ec662c0f38690d95aa48e3f732ff210e61216f9d3dc5530c8b754fb29c17cb3990409364acd8856144 |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| Hash | Value |
|---|---|
| MD5 | 378f8128f46ac560c99ea774d9ebd411 |
| SHA1 | 4e8a1d3177fe5fd9f716acd920b71c87935db46c |
| SHA256 | f28a9e4139addf5b53fd040af5e03730db7fc90e3fcfa32d800e426118f2f102 |
| SHA512 | 8b26353587cd86301a18ab41f4ec02724abed3962310e59a7f3b1ff040f89dafd75b34b186bd568abda5a64fc5422999dbe0e26562cbae9442930d0474e51f5a |
memory/4824-31-0x0000000002780000-0x0000000003780000-memory.dmp
memory/4824-38-0x0000000000780000-0x0000000000781000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_0.047072078428894053091465460767613926.class
| Hash | Value |
|---|---|
| MD5 | 781fb531354d6f291f1ccab48da6d39f |
| SHA1 | 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68 |
| SHA256 | 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 |
| SHA512 | 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8 |
memory/1348-56-0x0000000003290000-0x0000000004290000-memory.dmp
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| Hash | Value |
|---|---|
| MD5 | c4a42ad6ac77d770171fd843920e30e2 |
| SHA1 | 8940bd231cfd1d468755e1d169a67a047cc2f91a |
| SHA256 | 21dbe776da7740502efc56731b477fa03dd97e3574f1318c03efd8204ac53285 |
| SHA512 | 36f6e1e8500485d2c00399b7593f89edc4458588b3e6eed502d568df7b7d5070064fff172db75cf33e8bec19d0f3d122800ea80b1b7d7cb6035a948723bb80f6 |
memory/1348-58-0x0000000002F90000-0x0000000002F91000-memory.dmp
memory/1348-62-0x0000000002F90000-0x0000000002F91000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1148472871-1113856141-1322182616-1000\83aa4cc77f591dfc2374580bbd95f6ba_56102b4f-820e-4a73-b05f-d08577ab0d91
| Hash | Value |
|---|---|
| MD5 | c8366ae350e7019aefc9d1e6e6a498c6 |
| SHA1 | 5731d8a3e6568a5f2dfbbc87e3db9637df280b61 |
| SHA256 | 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238 |
| SHA512 | 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd |
memory/4824-72-0x0000000002780000-0x0000000003780000-memory.dmp
memory/4824-74-0x0000000000780000-0x0000000000781000-memory.dmp
memory/4824-78-0x0000000000780000-0x0000000000781000-memory.dmp
memory/4824-80-0x0000000000780000-0x0000000000781000-memory.dmp
memory/1348-88-0x0000000002F90000-0x0000000002F91000-memory.dmp
memory/4824-92-0x0000000000780000-0x0000000000781000-memory.dmp
memory/4824-94-0x0000000002780000-0x0000000003780000-memory.dmp
memory/1348-100-0x0000000002F90000-0x0000000002F91000-memory.dmp
memory/4824-101-0x0000000000780000-0x0000000000781000-memory.dmp