Analysis
-
max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags
arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
submitted
29/09/2023, 20:33
Static task
static1
Behavioral task
behavioral1
Sample
READ!.txt
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
READ!.txt
Resource
win10v2004-20230915-en
Behavioral task
behavioral3
Sample
Stub-Harma-Crypter10042023.jar
Resource
win7-20230831-en
Behavioral task
behavioral4
Sample
Stub-Harma-Crypter10042023.jar
Resource
win10v2004-20230915-en
General
-
Target
Stub-Harma-Crypter10042023.jar
-
Size
639KB
-
MD5
a743d1723cec2364537ca8da4a63accb
-
SHA1
c7f2c306f4d94038aa9f644232e9dabcb6f7095a
-
SHA256
6e952d44629b791f45274abefa549008414b8a1c3bfcb3f64b904e2a6aec82e8
-
SHA512
affc04589b4c52f3df00f8463417e86a90906d816006236ef0e0b4d20cfbf8f17822cf466c1be8ad1c55b486586f5868660efea5240ea299f863c782f982f010
-
SSDEEP
12288:HD5gQ2/qIiZIn4/80AL3gI/dR7+tquNaZTgYt2RgR3Wuk2loStTDss:HDKQ6WZs4kL3gInaHaZ0WnWu5lztTDss
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1696019632395.tmp" | reg.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3064 | java.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 3064 wrote to memory of 5104 | 3064 | java.exe | 85
PID 3064 wrote to memory of 5104 | 3064 | java.exe | 85
PID 3064 wrote to memory of 3300 | 3064 | java.exe | 87
PID 3064 wrote to memory of 3300 | 3064 | java.exe | 87
PID 3300 wrote to memory of 4896 | 3300 | cmd.exe | 89
PID 3300 wrote to memory of 4896 | 3300 | cmd.exe | 89
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
5104 | attrib.exe
Processes
-
[1] C:\ProgramData\Oracle\Java\javapath\java.exe
    command line: java -jar C:\Users\Admin\AppData\Local\Temp\Stub-Harma-Crypter10042023.jar
    PID: 3064
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SYSTEM32\attrib.exe
        command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1696019632395.tmp
        PID: 5104
        - Views/modifies file attributes
    [2] C:\Windows\SYSTEM32\cmd.exe
        command line: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1696019632395.tmp" /f"
        PID: 3300
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe
            command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1696019632395.tmp" /f
            PID: 4896
            - Adds Run key to start application
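The process tree above is the whole persistence chain: the stub copies itself to a `.tmp` under `%APPDATA%\Microsoft\.tmp`, hides that file with `attrib +H`, then (via `cmd.exe /c`) has `reg.exe` register an HKCU Run value that relaunches it with `javaw.exe -jar`. The following Python is an added detection example written for this page, not part of the sandbox report or of any vendor's signature set. It takes a list of process events (pid, ppid, image, command line, the fields any sandbox or EDR telemetry carries), parses `REG ADD` commands aimed at a Run/RunOnce key, extracts the JAR path from a `java(w).exe -jar` launch string, and raises the severity when that same path was hidden by `attrib +H` in the same process tree, lives under a user profile, or does not carry a `.jar` extension. The `EVENTS` list is constructed from the tree above; the OneDrive entry is a made-up benign control. The detector does not key on the sandbox's `jre1.8.0_66` install path, since a victim host may have a different JRE.

```python
"""Flag HKCU Run persistence that relaunches a JAR via java(w).exe -jar,
correlating it with attrib +H on the same file inside one process tree.
Added example for this report; events are constructed from its process tree."""
import re

# REG ADD <key ending in \CurrentVersion\Run or \RunOnce> /v <name> /d "<data>"
RUN_KEY_RE = re.compile(
    r'\bREG\s+ADD\s+(?P<key>\S*\\CurrentVersion\\Run(?:Once)?)\b'
    r'\s+/v\s+(?P<name>\S+)\s+/d\s+"(?P<data>[^"]+)"',
    re.IGNORECASE,
)
# "<path>\java.exe -jar <jar>" or "<path>\javaw.exe -jar <jar>", quoted or not
JAVA_JAR_RE = re.compile(r'javaw?\.exe"?\s+-jar\s+"?(?P<jar>[^"]+?)"?\s*$', re.IGNORECASE)
# attrib [+/-flags ...] <path>
ATTRIB_RE = re.compile(
    r'^attrib(?:\.exe)?(?P<flags>(?:\s+[+-][a-z]+)+)\s+"?(?P<path>.+?)"?\s*$', re.IGNORECASE)

# Constructed from the report's process tree (not live telemetry). pid 2000 is a
# made-up benign Run entry used as a control.
EVENTS = [
    {"pid": 3064, "ppid": 0, "image": r"C:\ProgramData\Oracle\Java\javapath\java.exe",
     "cmdline": r"java -jar C:\Users\Admin\AppData\Local\Temp\Stub-Harma-Crypter10042023.jar"},
    {"pid": 5104, "ppid": 3064, "image": r"C:\Windows\SYSTEM32\attrib.exe",
     "cmdline": r"attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1696019632395.tmp"},
    {"pid": 3300, "ppid": 3064, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r'cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v Home /d "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe -jar '
                r'C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1696019632395.tmp" /f"'},
    {"pid": 4896, "ppid": 3300, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v Home /d "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe -jar '
                r'C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1696019632395.tmp" /f'},
    {"pid": 2000, "ppid": 0, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive '
                r'/d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background" /f'},
]


def parse_run_key_add(cmdline):
    """Return (key, value_name, data) if cmdline is a REG ADD to a Run/RunOnce key, else None."""
    m = RUN_KEY_RE.search(cmdline)
    return (m["key"], m["name"], m["data"]) if m else None


def jar_launched_by(data):
    """Return the JAR path from a 'java(w).exe -jar <path>' launch string, else None."""
    m = JAVA_JAR_RE.search(data)
    return m["jar"] if m else None


def root_pid(events, pid):
    """Walk ppid links to the topmost process known in this event set."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def hidden_paths(events):
    """Map lower-cased path -> pid for every 'attrib +H <path>' invocation."""
    out = {}
    for ev in events:
        if not ev["image"].lower().endswith("\\attrib.exe"):
            continue
        m = ATTRIB_RE.match(ev["cmdline"].strip())
        if m and re.search(r"\+[a-z]*h", m["flags"], re.IGNORECASE):
            out[m["path"].lower()] = ev["pid"]
    return out


def find_java_run_persistence(events):
    """Return one finding per distinct Run value that relaunches a JAR."""
    hidden = hidden_paths(events)
    findings, seen = [], set()
    for ev in events:
        parsed = parse_run_key_add(ev["cmdline"])
        if not parsed:
            continue
        key, name, data = parsed
        jar = jar_launched_by(data)
        if not jar:
            continue  # Run entry does not launch a JAR; out of scope for this rule
        dedupe = (key.lower(), name.lower(), jar.lower())
        if dedupe in seen:
            continue  # the cmd.exe wrapper and its reg.exe child carry the same command
        seen.add(dedupe)
        tree = root_pid(events, ev["pid"])
        attrib_pid = hidden.get(jar.lower())
        in_profile = "\\appdata\\" in jar.lower()
        hidden_same_tree = attrib_pid is not None and root_pid(events, attrib_pid) == tree
        disguised = not jar.lower().endswith(".jar")
        findings.append({
            "pid": ev["pid"], "root_pid": tree, "value_name": name, "jar_path": jar,
            "in_user_profile": in_profile, "hidden_by_attrib": hidden_same_tree,
            "disguised_extension": disguised,
            "severity": "high" if in_profile + hidden_same_tree + disguised >= 2 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_java_run_persistence(EVENTS):
        print(f)
```

Run it as a script to print the single finding for the `Home` value; feed it your own sandbox or EDR process events in the same shape to reuse the rule. The three modifiers are deliberately independent so that a Run value launching a JAR from `%APPDATA%` is still reported at medium severity when no `attrib` event was captured.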
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
639KB
MD5
a743d1723cec2364537ca8da4a63accb
SHA1
c7f2c306f4d94038aa9f644232e9dabcb6f7095a
SHA256
6e952d44629b791f45274abefa549008414b8a1c3bfcb3f64b904e2a6aec82e8
SHA512
affc04589b4c52f3df00f8463417e86a90906d816006236ef0e0b4d20cfbf8f17822cf466c1be8ad1c55b486586f5868660efea5240ea299f863c782f982f010