5ab65dec1c7cc7dfd104388e6c4538a0c6d748742bb4126b8634615e5639168a

Analysis

max time kernel
143s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ipchanger/Installer.exe
Size

1.7MB
MD5

d41ac75f93a8630513c960af97330c13
SHA1

9c288e1efd2da8c5701f0f1957e5eff60a7ef0be
SHA256

3b9f6b54369dfbe2609ed8d9f2c703d87606ceb555da926de068756484f34ec7
SHA512

ed26df6e6f77c5bdd30525cb7409e727aaa8fad2c960f00e7c62fab8e03c3e1e787121f7ae237b2c49d31e7b6a791c642e9567028a8b7c8f6a3e2801863529e6
SSDEEP

49152:nLAIyRbJwyvQRQYR7c6GpSAC2BwVKmbJLBCaRTbV:nLAJ+klplwRXV

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2792	javaw.exe
2552	javaw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Oracle Java = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\java_u.jar\""	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2792	2400	Installer.exe	28
PID 2400 wrote to memory of 2792	2400	Installer.exe	28
PID 2400 wrote to memory of 2792	2400	Installer.exe	28
PID 2400 wrote to memory of 2792	2400	Installer.exe	28
PID 2792 wrote to memory of 2552	2792	javaw.exe	29
PID 2792 wrote to memory of 2552	2792	javaw.exe	29
PID 2792 wrote to memory of 2552	2792	javaw.exe	29

C:\Users\Admin\AppData\Local\Temp\ipchanger\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\ipchanger\Installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Yaasiu.jar"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\java_u.jar"
    3⤵
    - Loads dropped DLL
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Yaasiu.jar

Filesize
752KB

MD5
bf9d26b84f4609bd2c935094e886fa91

SHA1
285be267b189c64095a79008b6b22aaf8836bcb5

SHA256
27b0a363ff635e6760a773a1ec68e5bf534081555303432086ec6ec30b7238cb

SHA512
194e0f8a7a306f699fcb9bf83f88bbab91d067f7632aa33b2d8b494e5bf4cfa30f9f674821ca9c0e2dc66b5f5785af67139208fda70d3523234685c1b3b62521

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3427588347-1492276948-3422228430-1000\83aa4cc77f591dfc2374580bbd95f6ba_d944c546-b3e1-4f8c-a2cd-c02cbd20099d

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
\Users\Admin\AppData\Local\Temp\jna\jna2632911205001106480.dll

Filesize
195KB

MD5
715c98aa5955e7e07fb99d87f522e73a

SHA1
0981d98dd34df47cd4bb915e5d20b5750eb33ef2

SHA256
b7f1133492a060a857a1ef0877e18e382f1c418e5dac2e674abc65f336241d61

SHA512
2f7e6458753770f5cccc9f7a61a314bc4d927a441f436db55b805e23cfdfacb006697b1bd8b5c305bb9e136a157f71ebd61eba0c7c6d722531e75e0de725ee32

Download Submit
memory/2552-83-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2552-47-0x0000000002220000-0x0000000005220000-memory.dmp

Filesize
48.0MB

Download
memory/2552-48-0x0000000001E70000-0x0000000001E80000-memory.dmp

Filesize
64KB

Download
memory/2552-49-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2552-57-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2552-61-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2552-73-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2552-88-0x0000000002220000-0x0000000005220000-memory.dmp

Filesize
48.0MB

Download
memory/2552-92-0x0000000001E70000-0x0000000001E80000-memory.dmp

Filesize
64KB

Download
memory/2792-27-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2792-16-0x00000000020F0000-0x00000000050F0000-memory.dmp

Filesize
48.0MB

Download
memory/2792-15-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2792-85-0x00000000020F0000-0x00000000050F0000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads