f8273617fe63d7b1e783427b76f0b250b428648e7cb47a45bcf98fa72bc708f3

General

Target

KNRyOLnGcT_UKWN.jar
Size

1.2MB
MD5

5cdffc26c265c48cdbbf1aae06cc101c
SHA1

566fb395a9586ca59c4317af8b8a6e656352d5fa
SHA256

5a894d00f75d512b8b3604dabf49b049f40721a82397ac2e6bdf3f910565c737
SHA512

f0976bf6d5d35f36a8c625b5e520c94e1569da793d3d03e86bd9c6531a0ca2790f003bd5be210267081632e21964fd81936bfbad8cd9d81918666b53514058fd
SSDEEP

24576:q5P4Aday/1OtGC/HPXubl2Emy4AK+5pCwncs9hJh0+bqbK9X2XzVR:MdX8PXuIZZLkpCts9hJh0+OuIzz

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2772	2228	java.exe	29
PID 2228 wrote to memory of 2772	2228	java.exe	29
PID 2228 wrote to memory of 2772	2228	java.exe	29
PID 2772 wrote to memory of 2424	2772	wscript.exe	30
PID 2772 wrote to memory of 2424	2772	wscript.exe	30
PID 2772 wrote to memory of 2424	2772	wscript.exe	30
PID 2772 wrote to memory of 3044	2772	wscript.exe	31
PID 2772 wrote to memory of 3044	2772	wscript.exe	31
PID 2772 wrote to memory of 3044	2772	wscript.exe	31
PID 3044 wrote to memory of 1648	3044	javaw.exe	32
PID 3044 wrote to memory of 1648	3044	javaw.exe	32
PID 3044 wrote to memory of 1648	3044	javaw.exe	32

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\KNRyOLnGcT_UKWN.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\_output.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eVvEfMYHrV.js"
    3⤵
    PID:2424
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\lsyizhsy.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.83501278651742982926944010423067961.class
      4⤵
      PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_0.83501278651742982926944010423067961.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-452311807-3713411997-1028535425-1000\83aa4cc77f591dfc2374580bbd95f6ba_ccfa0506-02d3-430a-9cb5-3bbf5536069a

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\eVvEfMYHrV.js

Filesize
14KB

MD5
7da63b5e09aca81ff9226cb98eb7c07f

SHA1
95b8e956af1684adfa7eeb44fbb8703e314ed714

SHA256
9591223d96a8fbdef996a889892846b7162aee19904f030080dbf3ca2d966c20

SHA512
608af6335c141e95cb8b1f95dae2d47c5cc7c0ba18fbcfca851681ddabfa17be920d5d5b2986b0da69fbaec6e4cd9d3bcadc70b6c63e2f9e31957eff6d347e70

Download Submit
C:\Users\Admin\AppData\Roaming\lsyizhsy.txt

Filesize
473KB

MD5
3eea0520eabad0fdb5a63d1c85e87f25

SHA1
cade4f58a3c144d4cb4c552a2b88abe07d38cfc3

SHA256
9c2d335fb4ada120c38e26f8108a3f2c57176ec437b271635efcf52c100a3e2b

SHA512
2b718fd7e3cd07210b391be9f2ca26c7aab6bf915a10906edaf3ec0c76e3ad4a6fc81db64b9c5c9ca3fc3661bb5e59f116a918a3b8814ec1d34c1a0c9e2ec25c

Download Submit
C:\Users\Admin\_output.js

Filesize
943KB

MD5
fbb3dc1de08f6f33464857d8824e70c2

SHA1
a472f601ae386c88c3fb4473c1f258e628b6e7f1

SHA256
b4c32d05d0f9f6c411356c0257e97c08a5547c48330e643d89c5287f3fff5685

SHA512
4181cab02a6a1b48daf1ce10094e666c6124505594741c7b99a92bf78aa0c472c493f14527e2599c7f9c991336c478c1606104b33b68391480ba4549f11646ff

Download Submit
memory/1648-45-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1648-47-0x00000000021E0000-0x00000000051E0000-memory.dmp

Filesize
48.0MB

Download
memory/1648-58-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1648-62-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1648-78-0x00000000021E0000-0x00000000051E0000-memory.dmp

Filesize
48.0MB

Download
memory/2228-14-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2228-9-0x0000000002150000-0x0000000005150000-memory.dmp

Filesize
48.0MB

Download
memory/2228-10-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3044-34-0x00000000020B0000-0x00000000050B0000-memory.dmp

Filesize
48.0MB

Download
memory/3044-44-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/3044-70-0x00000000020B0000-0x00000000050B0000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing