Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
31/12/2023, 12:50
Static task
static1
Behavioral task
behavioral1
Sample
KNRyOLnGcT_UKWN.jar
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
KNRyOLnGcT_UKWN.jar
Resource
win10v2004-20231222-en
General
-
Target
KNRyOLnGcT_UKWN.jar
-
Size
1.2MB
-
MD5
5cdffc26c265c48cdbbf1aae06cc101c
-
SHA1
566fb395a9586ca59c4317af8b8a6e656352d5fa
-
SHA256
5a894d00f75d512b8b3604dabf49b049f40721a82397ac2e6bdf3f910565c737
-
SHA512
f0976bf6d5d35f36a8c625b5e520c94e1569da793d3d03e86bd9c6531a0ca2790f003bd5be210267081632e21964fd81936bfbad8cd9d81918666b53514058fd
-
SSDEEP
24576:q5P4Aday/1OtGC/HPXubl2Emy4AK+5pCwncs9hJh0+bqbK9X2XzVR:MdX8PXuIZZLkpCts9hJh0+OuIzz
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVvEfMYHrV.js WScript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eVvEfMYHrV.js WScript.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 4988 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\eVvEfMYHrV.js\"" WScript.exe -
Drops file in Program Files directory 24 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb java.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb javaw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings wscript.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2956 javaw.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1984 wrote to memory of 4988 1984 java.exe 89 PID 1984 wrote to memory of 4988 1984 java.exe 89 PID 1984 wrote to memory of 1456 1984 java.exe 90 PID 1984 wrote to memory of 1456 1984 java.exe 90 PID 1456 wrote to memory of 1164 1456 wscript.exe 91 PID 1456 wrote to memory of 1164 1456 wscript.exe 91 PID 1456 wrote to memory of 2956 1456 wscript.exe 92 PID 1456 wrote to memory of 2956 1456 wscript.exe 92 PID 2956 wrote to memory of 3144 2956 javaw.exe 94 PID 2956 wrote to memory of 3144 2956 javaw.exe 94
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\KNRyOLnGcT_UKWN.jar1⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M2⤵
- Modifies file permissions
PID:4988
-
-
C:\Windows\SYSTEM32\wscript.exewscript C:\Users\Admin\_output.js2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eVvEfMYHrV.js"3⤵
- Drops startup file
- Adds Run key to start application
PID:1164
-
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\cjyqkrlqj.txt"3⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Program Files\Java\jre-1.8\bin\java.exe"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.364944536271687359294783800238803.class4⤵
- Drops file in Program Files directory
PID:3144
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
241KB
MD5781fb531354d6f291f1ccab48da6d39f
SHA19ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA25697d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA5123e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
-
Filesize
44KB
MD5227be10986cca71f0e5fd278eed19db5
SHA1d3a07185303858415f4390c202d9b16a4a1430b7
SHA256be0a70d41f2f69dc7d4587d87ce5a35a468a7d45d9d1be73e7d63fb403d736bd
SHA512961e164b4f1f2433a031fcbed719b6d6d59112725896b83940b641e9f001bd1a87556a31bd313cc262bbbe90d67b44070da632953c4c3ec1e1aeeade2c3f99ae
-
Filesize
14KB
MD57da63b5e09aca81ff9226cb98eb7c07f
SHA195b8e956af1684adfa7eeb44fbb8703e314ed714
SHA2569591223d96a8fbdef996a889892846b7162aee19904f030080dbf3ca2d966c20
SHA512608af6335c141e95cb8b1f95dae2d47c5cc7c0ba18fbcfca851681ddabfa17be920d5d5b2986b0da69fbaec6e4cd9d3bcadc70b6c63e2f9e31957eff6d347e70
-
Filesize
110KB
MD56b4a26f340e75e0c105ccb9e8f9b847b
SHA1122f0c02898e3529fe56375438b3ad7dc6c3dd49
SHA2567b017dde40cef9aa1813cf5b2af7dfab5869973794062b56cb7eec6165264d4b
SHA5129aabe84fbdc8a104e8e434281f0b2b3f64763c7295c6689c8fdb54d3d39b02b679beb3937f38e320426e4593028d7ec70f7ce408e20644f3803263c492e152ce