8203759ecc16dbf3ce8449eb6708ed7f570541e9aac0594592c4212c9fa1bc34

Analysis

max time kernel
178s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08be18909434c8678da1720717f05625.exe
Size

120KB
MD5

08be18909434c8678da1720717f05625
SHA1

594da69b4adbddf7e850a8b6cbebcab2d8489007
SHA256

8203759ecc16dbf3ce8449eb6708ed7f570541e9aac0594592c4212c9fa1bc34
SHA512

b0df49e9fd97478a4285f0f08ce0e099aab86d11c81749cda3fab644fe441bff3487688422939c9d0212072af681d1e1b55c0e3fbafca328828efac2796754d8
SSDEEP

1536:QIDThSFWEv7NyArVF3qmRIjbPT6XpOPzmsLPtTh0PE:phSFWETNykFaygbipEzLLPRh0M

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
2272	08be18909434c8678da1720717f05625.exe
1576	08be18909434c8678da1720717f05625.exe
776	MGQLH86.exe
1452	jar.exe
1660	jar.exe
1400	jar.exe
2696	jar.exe
348	javavm.exe
1020	javavm.exe
2964	javavm.exe
1376	BVF96.exe
2452	jar.exe
2436	jar.exe
2152	jar.exe
1120	jar.exe
2304	javavm.exe
1032	javavm.exe
2820	javavm.exe
1092	jar.exe
2160	JDNJ14.exe
2516	jar.exe
776	jar.exe
2984	jar.exe

Loads dropped DLL 37 IoCs

pid	Process
2692	08be18909434c8678da1720717f05625.exe
2272	08be18909434c8678da1720717f05625.exe
2272	08be18909434c8678da1720717f05625.exe
2272	08be18909434c8678da1720717f05625.exe
2272	08be18909434c8678da1720717f05625.exe
776	MGQLH86.exe
776	MGQLH86.exe
776	MGQLH86.exe
1576	08be18909434c8678da1720717f05625.exe
1576	08be18909434c8678da1720717f05625.exe
1576	08be18909434c8678da1720717f05625.exe
1576	08be18909434c8678da1720717f05625.exe
1576	08be18909434c8678da1720717f05625.exe
1020	javavm.exe
1020	javavm.exe
1020	javavm.exe
1020	javavm.exe
1376	BVF96.exe
1376	BVF96.exe
1376	BVF96.exe
2964	javavm.exe
2964	javavm.exe
2964	javavm.exe
2964	javavm.exe
1120	jar.exe
1120	jar.exe
2820	javavm.exe
2820	javavm.exe
2820	javavm.exe
2820	javavm.exe
1032	javavm.exe
1032	javavm.exe
1032	javavm.exe
1032	javavm.exe
2160	JDNJ14.exe
2160	JDNJ14.exe
2160	JDNJ14.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2272-98-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2272-100-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2272-104-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2272-109-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2272-112-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1576-115-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2272-114-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1576-118-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1576-124-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1576-127-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1576-128-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1576-129-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2272-169-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1576-170-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1576-210-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1660-331-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2696-339-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1576-342-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2696-346-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2696-356-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2272-362-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1400-491-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2436-656-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1020-667-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1120-670-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1120-673-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2964-672-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1120-687-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1020-813-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2152-817-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2516-974-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2984-997-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2984-1000-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1032-993-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2820-1001-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1032-1008-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/776-1012-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2984-1013-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobesystems = "C:\\Users\\Admin\\AppData\\Roaming\\java updates\\jar.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\java = "\"C:\\Users\\Admin\\AppData\\Roaming\\java updates\\jar.exe\""	jar.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 2692 set thread context of 2272	2692	08be18909434c8678da1720717f05625.exe	30
PID 2692 set thread context of 1576	2692	08be18909434c8678da1720717f05625.exe	31
PID 1452 set thread context of 1660	1452	jar.exe	39
PID 1452 set thread context of 1400	1452	jar.exe	40
PID 1452 set thread context of 2696	1452	jar.exe	41
PID 348 set thread context of 1020	348	javavm.exe	43
PID 348 set thread context of 2964	348	javavm.exe	44
PID 2452 set thread context of 2436	2452	jar.exe	48
PID 2452 set thread context of 2152	2452	jar.exe	49
PID 2452 set thread context of 1120	2452	jar.exe	50
PID 2304 set thread context of 1032	2304	javavm.exe	52
PID 2304 set thread context of 2820	2304	javavm.exe	53
PID 1092 set thread context of 2516	1092	jar.exe	56
PID 1092 set thread context of 776	1092	jar.exe	57
PID 1092 set thread context of 2984	1092	jar.exe	58

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\windows\javavm.exe	jar.exe
File opened for modification	\??\c:\windows\javavm.exe	jar.exe
File opened for modification	C:\windows\javavm.exe	javavm.exe
File created	\??\c:\windows\javavm.exe	jar.exe
File created	\??\c:\windows\javavm.exe	jar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	2692	08be18909434c8678da1720717f05625.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeShutdownPrivilege	1452	jar.exe
Token: SeDebugPrivilege	1400	jar.exe
Token: SeDebugPrivilege	1400	jar.exe
Token: SeDebugPrivilege	1400	jar.exe
Token: SeDebugPrivilege	1400	jar.exe
Token: SeDebugPrivilege	1400	jar.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeDebugPrivilege	1400	jar.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeShutdownPrivilege	348	javavm.exe
Token: SeDebugPrivilege	1400	jar.exe
Token: SeDebugPrivilege	1400	jar.exe
Token: SeDebugPrivilege	1400	jar.exe
Token: SeShutdownPrivilege	2452	jar.exe
Token: SeShutdownPrivilege	2452	jar.exe
Token: SeShutdownPrivilege	2452	jar.exe
Token: SeShutdownPrivilege	2452	jar.exe
Token: SeShutdownPrivilege	2452	jar.exe
Token: SeShutdownPrivilege	2452	jar.exe
Token: SeShutdownPrivilege	2452	jar.exe
Token: SeShutdownPrivilege	2452	jar.exe
Token: SeShutdownPrivilege	2452	jar.exe
Token: SeShutdownPrivilege	2452	jar.exe
Token: SeShutdownPrivilege	2452	jar.exe
Token: SeShutdownPrivilege	2452	jar.exe
Token: SeDebugPrivilege	1400	jar.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2692	08be18909434c8678da1720717f05625.exe
2272	08be18909434c8678da1720717f05625.exe
1576	08be18909434c8678da1720717f05625.exe
776	MGQLH86.exe
1452	jar.exe
1660	jar.exe
1400	jar.exe
348	javavm.exe
1020	javavm.exe
2964	javavm.exe
1376	BVF96.exe
2452	jar.exe
2436	jar.exe
2152	jar.exe
2304	javavm.exe
1032	javavm.exe
2820	javavm.exe
1092	jar.exe
2160	JDNJ14.exe
2516	jar.exe
776	jar.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2272	2692	08be18909434c8678da1720717f05625.exe	30
PID 2692 wrote to memory of 2272	2692	08be18909434c8678da1720717f05625.exe	30
PID 2692 wrote to memory of 2272	2692	08be18909434c8678da1720717f05625.exe	30
PID 2692 wrote to memory of 2272	2692	08be18909434c8678da1720717f05625.exe	30
PID 2692 wrote to memory of 2272	2692	08be18909434c8678da1720717f05625.exe	30
PID 2692 wrote to memory of 2272	2692	08be18909434c8678da1720717f05625.exe	30
PID 2692 wrote to memory of 2272	2692	08be18909434c8678da1720717f05625.exe	30
PID 2692 wrote to memory of 2272	2692	08be18909434c8678da1720717f05625.exe	30
PID 2692 wrote to memory of 1576	2692	08be18909434c8678da1720717f05625.exe	31
PID 2692 wrote to memory of 1576	2692	08be18909434c8678da1720717f05625.exe	31
PID 2692 wrote to memory of 1576	2692	08be18909434c8678da1720717f05625.exe	31
PID 2692 wrote to memory of 1576	2692	08be18909434c8678da1720717f05625.exe	31
PID 2692 wrote to memory of 1576	2692	08be18909434c8678da1720717f05625.exe	31
PID 2692 wrote to memory of 1576	2692	08be18909434c8678da1720717f05625.exe	31
PID 2692 wrote to memory of 1576	2692	08be18909434c8678da1720717f05625.exe	31
PID 2692 wrote to memory of 1576	2692	08be18909434c8678da1720717f05625.exe	31
PID 2272 wrote to memory of 776	2272	08be18909434c8678da1720717f05625.exe	32
PID 2272 wrote to memory of 776	2272	08be18909434c8678da1720717f05625.exe	32
PID 2272 wrote to memory of 776	2272	08be18909434c8678da1720717f05625.exe	32
PID 2272 wrote to memory of 776	2272	08be18909434c8678da1720717f05625.exe	32
PID 2272 wrote to memory of 776	2272	08be18909434c8678da1720717f05625.exe	32
PID 2272 wrote to memory of 776	2272	08be18909434c8678da1720717f05625.exe	32
PID 2272 wrote to memory of 776	2272	08be18909434c8678da1720717f05625.exe	32
PID 1576 wrote to memory of 1520	1576	08be18909434c8678da1720717f05625.exe	35
PID 1576 wrote to memory of 1520	1576	08be18909434c8678da1720717f05625.exe	35
PID 1576 wrote to memory of 1520	1576	08be18909434c8678da1720717f05625.exe	35
PID 1576 wrote to memory of 1520	1576	08be18909434c8678da1720717f05625.exe	35
PID 1520 wrote to memory of 1348	1520	cmd.exe	37
PID 1520 wrote to memory of 1348	1520	cmd.exe	37
PID 1520 wrote to memory of 1348	1520	cmd.exe	37
PID 1520 wrote to memory of 1348	1520	cmd.exe	37
PID 1576 wrote to memory of 1452	1576	08be18909434c8678da1720717f05625.exe	38
PID 1576 wrote to memory of 1452	1576	08be18909434c8678da1720717f05625.exe	38
PID 1576 wrote to memory of 1452	1576	08be18909434c8678da1720717f05625.exe	38
PID 1576 wrote to memory of 1452	1576	08be18909434c8678da1720717f05625.exe	38
PID 1452 wrote to memory of 1660	1452	jar.exe	39
PID 1452 wrote to memory of 1660	1452	jar.exe	39
PID 1452 wrote to memory of 1660	1452	jar.exe	39
PID 1452 wrote to memory of 1660	1452	jar.exe	39
PID 1452 wrote to memory of 1660	1452	jar.exe	39
PID 1452 wrote to memory of 1660	1452	jar.exe	39
PID 1452 wrote to memory of 1660	1452	jar.exe	39
PID 1452 wrote to memory of 1660	1452	jar.exe	39
PID 1452 wrote to memory of 1400	1452	jar.exe	40
PID 1452 wrote to memory of 1400	1452	jar.exe	40
PID 1452 wrote to memory of 1400	1452	jar.exe	40
PID 1452 wrote to memory of 1400	1452	jar.exe	40
PID 1452 wrote to memory of 1400	1452	jar.exe	40
PID 1452 wrote to memory of 1400	1452	jar.exe	40
PID 1452 wrote to memory of 1400	1452	jar.exe	40
PID 1452 wrote to memory of 1400	1452	jar.exe	40
PID 1452 wrote to memory of 2696	1452	jar.exe	41
PID 1452 wrote to memory of 2696	1452	jar.exe	41
PID 1452 wrote to memory of 2696	1452	jar.exe	41
PID 1452 wrote to memory of 2696	1452	jar.exe	41
PID 1452 wrote to memory of 2696	1452	jar.exe	41
PID 1452 wrote to memory of 2696	1452	jar.exe	41
PID 1452 wrote to memory of 2696	1452	jar.exe	41
PID 1452 wrote to memory of 2696	1452	jar.exe	41
PID 2696 wrote to memory of 348	2696	jar.exe	42
PID 2696 wrote to memory of 348	2696	jar.exe	42
PID 2696 wrote to memory of 348	2696	jar.exe	42
PID 2696 wrote to memory of 348	2696	jar.exe	42
PID 348 wrote to memory of 1020	348	javavm.exe	43

C:\Users\Admin\AppData\Local\Temp\08be18909434c8678da1720717f05625.exe
"C:\Users\Admin\AppData\Local\Temp\08be18909434c8678da1720717f05625.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\08be18909434c8678da1720717f05625.exe
  "C:\Users\Admin\AppData\Local\Temp\08be18909434c8678da1720717f05625.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\MGQLH86.exe
    "C:\Users\Admin\AppData\Local\Temp\MGQLH86.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:776
- C:\Users\Admin\AppData\Local\Temp\08be18909434c8678da1720717f05625.exe
  "C:\Users\Admin\AppData\Local\Temp\08be18909434c8678da1720717f05625.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\VHPGY.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "adobesystems" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\java updates\jar.exe" /f
      4⤵
      Adds Run key to start application
      PID:1348
- - C:\Users\Admin\AppData\Roaming\java updates\jar.exe
    "C:\Users\Admin\AppData\Roaming\java updates\jar.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Users\Admin\AppData\Roaming\java updates\jar.exe
      "C:\Users\Admin\AppData\Roaming\java updates\jar.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1660
  - - C:\Users\Admin\AppData\Roaming\java updates\jar.exe
      "C:\Users\Admin\AppData\Roaming\java updates\jar.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1400
  - - C:\Users\Admin\AppData\Roaming\java updates\jar.exe
      "C:\Users\Admin\AppData\Roaming\java updates\jar.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\windows\javavm.exe
        
        "C:\windows\javavm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:348
      - C:\windows\javavm.exe
        
        "C:\windows\javavm.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\BVF96.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BVF96.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1376
      - C:\windows\javavm.exe
        
        "C:\windows\javavm.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\java updates\jar.exe
        
        "C:\Users\Admin\AppData\Roaming\java updates\jar.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\java updates\jar.exe
        
        "C:\Users\Admin\AppData\Roaming\java updates\jar.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\java updates\jar.exe
        
        "C:\Users\Admin\AppData\Roaming\java updates\jar.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\java updates\jar.exe
        
        "C:\Users\Admin\AppData\Roaming\java updates\jar.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1120
        
        C:\Users\Admin\appdata\local\javavm.exe
        
        "C:\Users\Admin\appdata\local\javavm.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Users\Admin\appdata\local\javavm.exe
        
        "C:\Users\Admin\appdata\local\javavm.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\JDNJ14.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JDNJ14.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Users\Admin\appdata\local\javavm.exe
        
        "C:\Users\Admin\appdata\local\javavm.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\java updates\jar.exe
        
        "C:\Users\Admin\AppData\Roaming\java updates\jar.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\java updates\jar.exe
        
        "C:\Users\Admin\AppData\Roaming\java updates\jar.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\java updates\jar.exe
        
        "C:\Users\Admin\AppData\Roaming\java updates\jar.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Users\Admin\AppData\Roaming\java updates\jar.exe
        
        "C:\Users\Admin\AppData\Roaming\java updates\jar.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\08be18909434c8678da1720717f05625.exe

Filesize
120KB

MD5
08be18909434c8678da1720717f05625

SHA1
594da69b4adbddf7e850a8b6cbebcab2d8489007

SHA256
8203759ecc16dbf3ce8449eb6708ed7f570541e9aac0594592c4212c9fa1bc34

SHA512
b0df49e9fd97478a4285f0f08ce0e099aab86d11c81749cda3fab644fe441bff3487688422939c9d0212072af681d1e1b55c0e3fbafca328828efac2796754d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VHPGY.bat

Filesize
150B

MD5
81df3b8a10ca19433610ef5127f94e7f

SHA1
e2d930947eea7778946db57f8443dfe4fb572d32

SHA256
482846af5c8edbe00e11c3d00bf7a191307e61432bfada78e816ba9bbb65ee4b

SHA512
6438b66001d2e303b5f65f09996b977874efa2202485afcd694cfeeb280af7112286372cd5d6e8fad06ce20f67eb5ea263db82bf40db2db66d083138d808a0aa

Download Submit
\Users\Admin\AppData\Local\Temp\MGQLH86.exe

Filesize
24KB

MD5
eb1917a361249a07c637f4dff6e4f71c

SHA1
93753a9fc7ce2095ddde763f52182b9cec015a16

SHA256
638922d340eb16d99715eceeedf1c7d572b9e1a076ff475cd8f07a328a7b0d5c

SHA512
b11bec255c0d8b96d35c45b78fcc52bc5a90e75da69c10b285f7f04d9974ff2551020b12b10a3b49244c3168f3f2927a53d5b844c9a24a35b548c14525c05668

Download Submit
\Users\Admin\AppData\Roaming\java updates\jar.exe

Filesize
120KB

MD5
dd0e222b3048048e042667ca6f9a2416

SHA1
506744cc0fc79db0c96d3b1dcf774700f2f00cd0

SHA256
c8d251e7379ad5e05039af1769ae47e2e0ce4f3c908a90b8e33f22bf78d8498d

SHA512
523cb30a7050fc16a7f4989dc397ab49a66c7324a46f5d1e889864c72ed783890f6a805346a59c19871dd45ab40fad736f61fae6e22e9b2163511916faa1a698

Download Submit
memory/776-1012-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1020-667-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1020-813-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1032-993-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1032-1008-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1120-687-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1120-673-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1120-670-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1400-491-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-210-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-342-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-128-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-129-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-124-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-118-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-170-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-111-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-115-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-127-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1660-331-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2152-817-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2272-169-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-100-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-98-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-362-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-96-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-114-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-112-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-109-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-102-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2272-104-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2436-656-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2516-974-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2692-10-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2696-356-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2696-346-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2696-339-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2820-1001-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2964-672-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2984-997-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2984-1000-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2984-1013-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads