Analysis
-
max time kernel
153s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
31-12-2023 00:10
General
-
Target
jre-8u191-windows-x64.exe
-
Size
71.2MB
-
MD5
f6a5f7eff45dc936968920507d7ce8bd
-
SHA1
ddebbd32ee2612114a9bec6e291e38b9b844c514
-
SHA256
605d05442c1640530a8ca2938baafb785560aefa88dc8cd0b43261ef3ecfa4bd
-
SHA512
98829c0e534c80653e121f30b44610cda9937309734a37230d6afd6ad1a39d321c30db67114d94c270e0dbf726f7601771b5690ad16da0acc60db9d01f5385cb
-
SSDEEP
1572864:XlediXMBkmNFecMUQptv3y0gsUFhra0T1+KaoLF:XLPmze1JFpUO0TKOF
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks processor information in registry 2 TTPs 40 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\jre-8u191-windows-x64.exe"C:\Users\Admin\AppData\Local\Temp\jre-8u191-windows-x64.exe"1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\jds259421051.tmp\jre-8u191-windows-x64.exe"C:\Users\Admin\AppData\Local\Temp\jds259421051.tmp\jre-8u191-windows-x64.exe"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.0.1762287255\1824859255" -parentBuildID 20221007134813 -prefsHandle 1264 -prefMapHandle 1256 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {feb05773-3d12-485d-88f2-487be514ea75} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 1364 108d8158 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.1.1706701260\2005142459" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6325001f-1692-42bc-8e50-adedfe7dd74a} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 1532 fefaf58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.2.141228398\546662084" -childID 1 -isForBrowser -prefsHandle 1960 -prefMapHandle 2180 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfea154c-3d34-43a2-887c-f64dccc11c62} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 1968 10863858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.3.799936710\1304326354" -childID 2 -isForBrowser -prefsHandle 2436 -prefMapHandle 2448 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e9d194e-00af-4a5c-ae55-4b3afdb47210} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 2468 1b70e458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.4.1853410937\1987416072" -childID 3 -isForBrowser -prefsHandle 2684 -prefMapHandle 2680 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4bd4202-d1ac-46bd-8c72-92210b36938a} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 2696 e62858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.6.2016098571\1732175376" -childID 5 -isForBrowser -prefsHandle 3708 -prefMapHandle 3712 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04995c08-cf2d-45e1-9804-2141d061c45a} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 3696 1e064f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.5.853929429\1882113165" -childID 4 -isForBrowser -prefsHandle 3364 -prefMapHandle 3540 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d86c023c-0821-4067-afff-8c2a5afd5863} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 3628 1e064058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.7.1839756\1581591212" -childID 6 -isForBrowser -prefsHandle 3892 -prefMapHandle 3896 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5118ce0-bf1d-4e40-8697-cfcb9d6509e9} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 3880 1e065858 tab3⤵
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD597488e8a39d09d7a93a14260599a122e
SHA1bfb1eb61a410e85e018208f29bb4ad6057e99d13
SHA256e19fe74aa41fe19b8b2ddd1f10d7bf404797917df5a6dfd7e4a0ff0f6c7b0428
SHA51298112e97abe9d38c7afa5713c6d2306651f2d9bae618276110bfadd9d6e6d72d2de91eda909725046e926ca790d02e10eaf5ebebc29f31f146c6c3d2d49e0d7d
-
Filesize
813KB
MD5fcad90347a1344f902cf31c42f888739
SHA1a7383d5b0e5dc040e9d5ea1521a61548794dcc85
SHA256bdcf6007de43ca028d688e1ec3bcd797985ea98aa41688c3854936906f5e7db2
SHA5123b9af07af42df89eefba22584404719b672df2fdc122a2a3645cbc6891b3c479c18a9674b6130b61bdea39e847d0ca1da6aa199efdc1f9efc359259fc172437b
-
Filesize
1KB
MD5895574b66186b0803c64f68972823fd0
SHA11fa20380fcc4f4644e881a023bcc52b72e56e111
SHA256c3f974ba0ed244a104fd0b2a5558ff6f579e19d8d3317443059089c89ec606e0
SHA512b1b4b5af960345a0adc483fa6fab6fdf4a434eb78f76c05ac7345e1913a6415af9ca2fe026ade5ff0d92d4cce54075f3342a7ecedeff0b8768e3703301105bc3
-
Filesize
15KB
MD5dae2c737cc0c8c8033c895df8606e589
SHA1bc792e48fe6d79e071fcef9393caf2a7033034ea
SHA25689af8af4be9cb080001d4a59b37c4c189a6d90943ab2deeb7f44a027e6e6146c
SHA512055f4a4ff517d4870cebcdd2aac40e92888f87bf3d079f1ee4b806a2368df8adfba81b54fc8444e7477d26a924641214aa4ac804104c84991025b6370f03b4d0
-
Filesize
9KB
MD5fb08d430c4858826b19cd22a1a04ce4f
SHA112b77abaf1a78b905f00994d9b4a44d62371eb99
SHA256e55429421650b046ec9e21ba833a0d273c48a8b8e5037f3c52adfdf610a0f42b
SHA512b55f6e2be6a54ec5cd037254bffd9b038d4693f0bd82654ff21f5d5d34434fc2fc6befb52ff2db904ea6361ea4caeb85f7d0c7d36afc2e457ce8e7a9a490f3a6
-
Filesize
733B
MD57d144de06602651d791a3e7994155308
SHA1592d434a72f3d1375b846606c6ff45fe3d6aff68
SHA25627bc9918d222825f74b17b0fe072515290772b24d7c2d4a9c328e9c8acb52ac2
SHA512fb18f0598393976484c7984569289d35582b5550d500f01b40dec54ae14d0a15981c2dd4542960a329b00011decb6bae50a74556d049aad7aa604e25b5262c3f
-
Filesize
6KB
MD5028bcedaacfd04965f5525bcf9dcab17
SHA19abff2605278f2ca1c4280afadbcaa06d4192d56
SHA2565e11f38b30402be5547cc4bfee1644f3b101052dfbf0c15094e1d7687e8c6436
SHA5126573086bdf71f2a44d1863421f2d8cd3da1ecca3826e13e6ef8204852a402a04fd1c3beaf94df3b47e5f9f56fc34b61e63711010e04c25f1fa59fd11f1ae8729
-
Filesize
2KB
MD545c88a94a8de0c6167f102556d7c2dc3
SHA179d0962f549aac6578f5d9607f681f61cf3559b1
SHA2567eeed271f28e08a5bf4d542b376920f829eb64d0a218ba3a6f95d27a0a2fe83c
SHA5124f8fed4e683051178f33cfb0103ffe38ad57ee14e209ac77d8494766e5c9fd2c6b6baf0ab36736b7a5fe4f9570df3567707612cfbc6bf7c1192c22cdf3d03575
-
Filesize
1KB
MD58ab6719301104a2173aabb3499703d3b
SHA1877fe60d6cf4689ec16ba5559156fd7d244725e4
SHA2569a504b99eed24573c0d7fb5a4835cefa61e8892d8cc7ceeeb6f1f976f2a76b73
SHA512f42c92795af987161876a75324010c61fad082d3c7c4b193d8f4d75c0005a91cf5fa983871ee43554c1693ee135e5e9cd11325f8d3185fefa8fde8f761a7fe88
-
Filesize
2KB
MD5ccb836ce2d7d75310c48d5d8ab5f9355
SHA1dbdd2d28d5a7694597b6f2d28d725b31afc68aee
SHA2561fc233c1d42526d8134a294258e57798a5fe8fe526377d691e4afdc3c9fa6952
SHA512aa7c68864db721c4ae10b6dddd91cdaa44454082f7337485aa20e14af184343f9790b587e1a450f12948e26d14e822c7b9a23fb6d2f3ce1b28ff1563142432cf
-
Filesize
2KB
MD5bed64eca3c1f4923d2f7e60919bacefe
SHA157bc0785d57e9b98d1ff65333a2b0a881db023a9
SHA256b8b25002354bdc8d7f8b53a8b195fcf12875413d898e959d5801d07e1e964c42
SHA512b4d2f142c17681d3de36d8fa2f6c1672b7eb76f4dad613be2cb66459b015a3cdeea2ff344bb9d0346cd365a1ae79c79baac012749cbe05a0ecce1eaeb3e69423
-
Filesize
2KB
MD58d443713796be0cf9f2d8c4c241dcd1c
SHA1eeaeec3fd47c6bdf6dbdcec1a5627ffa2f290d36
SHA256c1cb7156b631f5ee2a8b4d7b4b22d1892d35e75485857d6ca1bf4dca5b6ff17d
SHA51288af7d4982928e32f43ffef674bc5c8ea084ea103cd329bcaedae3f75d1c64eaa5c56c9c30f217a425572bc66e15c17831f1ed0f0ff3eca78cf7bb5648a35ba3
-
Filesize
1KB
MD5b40e191da0ed7ab0f1beba5699009255
SHA16dafedb584dc5e660ad335ed1acac31431d28615
SHA25674d97b0ee162ee0c564513433602f7754f3864416524f00b5f4c4e21be1772e1
SHA5121d2aa3d8f7a07e4fd700ab3146291c95580b23ead4d732e8a1a7237775a965a3e0e633f869202dfdde599b006b603f3f242e52b5af009e4415b71604bc4f5b17
-
Filesize
2.1MB
MD5beefec0ce622239fc95c0e635ff78a52
SHA1d44db2b6b38ecbe8efa007297911e7a9cd6d9727
SHA256dba733fadd6b22a3026af853024300f5e37eafc59514c485c5b2f83bbaec70a6
SHA512fd5df4a7373e91379680e6e6cd2b66460c3cd1e0adb0793b4a2e8239385087160d2be7abd04836dffc5a6dd1470d125881878cf661b9c8ca913af38cd7d7718a
-
Filesize
925KB
MD505a58bf6a8b8aa105466a5b8dee3ad8d
SHA19395ca6c16c28f11a9be72bf186b862fa640f869
SHA2568e765873d759b80128150dbde4e966e74085580edf61503cb5aed43bb140c492
SHA5123abbc9e2a4ebe685a644d6006dba742faa14343024c06a3b78bc569d9cfafbfa482e82208cda7d2f5d2b8d6ce33fb446a21937997c683d78bd5e6973372b6851