Analysis
  max time kernel:  143s
  max time network: 118s
  platform:         windows7_x64
  resource:         win7-20231129-en
  resource tags:    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted:        24-01-2024 09:53
  Static task:      static1
  Behavioral task:  behavioral1
  Sample:           LEIDA IMPEX SRL TRADING CO. INQUIRY.jar
  Resource:         win7-20231129-en
General
  Target:  LEIDA IMPEX SRL TRADING CO. INQUIRY.jar
  Size:    1.8MB
  MD5:     c43c2a5d2bab9cd217e91c14d302c835
  SHA1:    943495ff135a870fe8d0a9886593b7610f0a4a05
  SHA256:  44fbccda88d6e6050b012ee0d4d32c20a832f6ffe1d90158f4b0a3d42578ae18
  SHA512:  b8673280a0e468b9921df960216ea0123b4e75a7e325072d26ac214528d51964b32ba604e1d97ca6676cbd4ef3645452958a15b0a0b3ad70704bff532b3d0c7d
  SSDEEP:  24576:qgeLSt2iaVQY0Vdn/Q55O6tIPHvNP1D1KZm6LSt2iaVQY0Vdn/Q55O6tIPHvNP1j:UfVQfoCNPN0ZmofVQfoCNPN0Zml

Note on the SSDEEP value: the chunk string contains the run LSt2iaVQY0Vdn/Q55O6tIPHvNP1 twice (and the second half repeats fVQfoCNPN0Zm), which means a long stretch of the archive's content occurs twice in the file.
Malware Config
  Extracted family: darkcloud
  email_from: (no value shown)
  email_to:   (no value shown)
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  2276  alWFwCPZYm.exe
  2716  xXM7jN.exe

Loads dropped DLL (5 IoCs)
  PID   Process
  2412  WerFault.exe   (5 entries, all PID 2412, the crash handler for xXM7jN.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID   Process          Target PID  Target process
  2276  alWFwCPZYm.exe   1824        MSBuild.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID   Process        Crashed PID  Crashed process
  2412  WerFault.exe   2716         xXM7jN.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID   Process          Entries
  2276  alWFwCPZYm.exe   4
  2716  xXM7jN.exe       3
  2432  powershell.exe   1

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID   Process          Token
  2276  alWFwCPZYm.exe   SeDebugPrivilege
  2716  xXM7jN.exe       SeDebugPrivilege
  2432  powershell.exe   SeDebugPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  1884  java.exe
  1824  MSBuild.exe

Suspicious use of WriteProcessMemory (29 IoCs)
  PID   Process          Target PID  Target process   Calls
  1884  java.exe         2276        alWFwCPZYm.exe   4
  1884  java.exe         2716        xXM7jN.exe       4
  2716  xXM7jN.exe       2412        WerFault.exe     4
  2276  alWFwCPZYm.exe   2432        powershell.exe   4
  2276  alWFwCPZYm.exe   1932        schtasks.exe     4
  2276  alWFwCPZYm.exe   1824        MSBuild.exe      9

Every ordinary child in this run receives exactly four writes from the process that spawned it; MSBuild.exe receives nine and is also the only target of a SetThreadContext call. A parent that writes into a freshly created child and then resets its thread context is the pattern of process hollowing, so PID 1824 should be treated as the injected host rather than a legitimate build.
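The flattened WriteProcessMemory and SetThreadContext tables can be turned back into an injection graph with a few lines of Python. This is an added example and not part of the Triage report: the rows are copied from this page (the repeats are reproduced with string multiplication rather than pasted 29 times), and the baseline rule (flag a SetThreadContext target that received more writes than the most common per-child count) is the editor's own heuristic, not a Triage signature.

```python
import re
from collections import Counter

# Rows copied from this report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables. Repeated rows are reproduced with
# string multiplication instead of being pasted 29 times.
WRITE_PROCESS_MEMORY = (
    "PID 1884 wrote to memory of 2276 1884 java.exe alWFwCPZYm.exe " * 4
    + "PID 1884 wrote to memory of 2716 1884 java.exe xXM7jN.exe " * 4
    + "PID 2716 wrote to memory of 2412 2716 xXM7jN.exe WerFault.exe " * 4
    + "PID 2276 wrote to memory of 2432 2276 alWFwCPZYm.exe powershell.exe " * 4
    + "PID 2276 wrote to memory of 1932 2276 alWFwCPZYm.exe schtasks.exe " * 4
    + "PID 2276 wrote to memory of 1824 2276 alWFwCPZYm.exe MSBuild.exe " * 9
)
SET_THREAD_CONTEXT = "PID 2276 set thread context of 1824 2276 alWFwCPZYm.exe MSBuild.exe"

# One Triage row: "PID <src> <verb> <dst> <src> <src image> <dst image>".
# The source PID is repeated in the row, so a backreference keeps the parser honest.
_ROW = re.compile(
    r"PID (\d+) (?:wrote to memory of|set thread context of) (\d+) \1 (\S+) (\S+)"
)


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples from a flattened table."""
    return [(m.group(1), m.group(2), m.group(3), m.group(4)) for m in _ROW.finditer(text)]


def write_counts(rows):
    """WriteProcessMemory calls per (src_pid, dst_pid) edge."""
    return Counter((src, dst) for src, dst, _, _ in rows)


def find_hollowing_candidates(wpm_text, stc_text):
    """Flag a child that both had its thread context set by its parent and received
    more writes than the baseline. The baseline is the most common per-edge write
    count in the same report (4 here, what a plain CreateProcess costs on this
    image), so the rule adapts to the sandbox instead of hard-coding a number."""
    counts = write_counts(parse_rows(wpm_text))
    if not counts:
        return []
    baseline = Counter(counts.values()).most_common(1)[0][0]
    hits = []
    for src, dst, src_img, dst_img in parse_rows(stc_text):
        n = counts.get((src, dst), 0)
        if n > baseline:
            hits.append({"injector": f"{src} {src_img}", "target": f"{dst} {dst_img}",
                         "writes": n, "baseline": baseline})
    return hits


if __name__ == "__main__":
    for (src, dst), n in sorted(write_counts(parse_rows(WRITE_PROCESS_MEMORY)).items()):
        print(f"{src} -> {dst}: {n} writes")
    for hit in find_hollowing_candidates(WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT):
        print("hollowing candidate:", hit)
```

Deriving the baseline from the report itself matters: the per-spawn write count differs between Windows builds and between 32-bit and 64-bit parents, so a fixed threshold tuned on one image will miss or over-fire on another.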
Processes

java.exe (PID 1884)
  Image:    C:\Windows\system32\java.exe
  Command:  java -jar "C:\Users\Admin\AppData\Local\Temp\LEIDA IMPEX SRL TRADING CO. INQUIRY.jar"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  alWFwCPZYm.exe (PID 2276)
    Image:    C:\Users\Admin\alWFwCPZYm.exe
    Command:  C:\Users\Admin\alWFwCPZYm.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    powershell.exe (PID 2432)
      Image:    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JZxmqkq.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    schtasks.exe (PID 1932)
      Image:    C:\Windows\SysWOW64\schtasks.exe
      Command:  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JZxmqkq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp909C.tmp"
      - Creates scheduled task(s)

    MSBuild.exe (PID 1824)
      Image:    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command:  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious use of SetWindowsHookEx

  xXM7jN.exe (PID 2716)
    Image:    C:\Users\Admin\xXM7jN.exe
    Command:  "C:\Users\Admin\xXM7jN.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    WerFault.exe (PID 2412)
      Image:    C:\Windows\SysWOW64\WerFault.exe
      Command:  C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 784
      - Loads dropped DLL
      - Program crash

Reading the tree:
  - The JAR drops two executables into the user's profile and starts both. alWFwCPZYm.exe is the one that does the work; xXM7jN.exe crashes (WerFault.exe -p 2716) and contributes nothing further in this run.
  - Before persisting, alWFwCPZYm.exe adds a Windows Defender path exclusion for C:\Users\Admin\AppData\Roaming\JZxmqkq.exe, then registers a scheduled task named Updates\JZxmqkq from an XML file in Temp. The task XML is not in the report, but the shared name JZxmqkq ties the excluded file to the task: the persisted copy is the one being whitelisted.
  - MSBuild.exe is launched with no arguments (nothing to build), then written to nine times and has its thread context set by PID 2276 (see Signatures). That is the injected host; the DarkCloud configuration the sandbox extracted is most plausibly carved from this process.
  - The command lines name System32 while the image paths are under SysWOW64, and MSBuild.exe comes from Framework rather than Framework64: the dropper is a 32-bit binary running under WOW64, and file-system redirection rewrote the paths of every child it spawned.
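The three children of alWFwCPZYm.exe (the Defender exclusion, the scheduled task imported from a Temp XML, and the argument-less MSBuild.exe) are the lines a detection engineer would lift straight into rules. What follows is an added example and not part of the report: a small rule set run over constructed Sysmon-style process-creation events. The first three events copy the command lines from the tree above; the remaining three are benign look-alikes written for this example; the USER_PROFILE and TEMP_DIR patterns and the rule names are the editor's assumptions.

```python
import re

# Constructed Sysmon-style process-creation events. The first three copy the
# command lines from the process tree above; the remaining three are benign
# look-alikes written for this example so the rules have something to ignore.
EVENTS = [
    {"pid": 2432, "parent": r"C:\Users\Admin\alWFwCPZYm.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
            r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\JZxmqkq.exe"'},
    {"pid": 1932, "parent": r"C:\Users\Admin\alWFwCPZYm.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JZxmqkq" '
            r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp909C.tmp"'},
    {"pid": 1824, "parent": r"C:\Users\Admin\alWFwCPZYm.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'},
    {"pid": 4001, "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /nologo /nodemode:1'},
    {"pid": 4002, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'},
    {"pid": 4003, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
]

# Assumed path patterns (not from the report): a parent living under a user
# profile, and a task definition read from the per-user Temp directory.
USER_PROFILE = re.compile(r"^[a-z]:\\Users\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def _args_after_image(cmd):
    """Everything after the (possibly quoted) image path on a command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end > 0 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def rule_defender_exclusion(ev):
    """PowerShell adding any Defender exclusion (path, process or extension)."""
    c = ev["cmd"].lower()
    return "add-mppreference" in c and "-exclusion" in c


def rule_schtasks_xml_from_temp(ev):
    """schtasks /Create that imports its definition from an XML file in Temp."""
    if not ev["image"].lower().endswith("schtasks.exe"):
        return False
    m = re.search(r'/create\b.*?/xml\s+"?([^"\s]+)', ev["cmd"], re.I)
    return bool(m) and bool(TEMP_DIR.search(m.group(1)))


def rule_bare_msbuild(ev):
    """MSBuild.exe started with no arguments by a parent under a user profile:
    nothing to build, which is what a hollowing host looks like at spawn time."""
    return (ev["image"].lower().endswith("msbuild.exe")
            and _args_after_image(ev["cmd"]) == ""
            and bool(USER_PROFILE.match(ev["parent"])))


RULES = {
    "defender_exclusion_added": rule_defender_exclusion,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "bare_msbuild_from_user_profile": rule_bare_msbuild,
}


def evaluate(events):
    """(rule name, pid) for every rule that fires on every event, in event order."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]


def linked_artifacts(events):
    """Name stems that appear both as a Defender exclusion target and as a task name.
    The task XML is not in the report, but the shared stem ties the excluded file
    to the persistence task anyway."""
    excluded, tasks = set(), set()
    for ev in events:
        for m in re.finditer(r'-ExclusionPath\s+"?([^"\s]+)', ev["cmd"], re.I):
            excluded.add(m.group(1).rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower())
        for m in re.finditer(r'/TN\s+"?([^"\s]+)', ev["cmd"], re.I):
            tasks.add(m.group(1).rsplit("\\", 1)[-1].lower())
    return excluded & tasks


if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name}: PID {pid}")
    print("artifacts shared by exclusion and task:", sorted(linked_artifacts(EVENTS)))
```

The MSBuild rule keys on the absence of arguments plus a parent under a user profile rather than on MSBuild itself, because a developer workstation launches MSBuild.exe constantly; the Visual Studio event in the sample is there to show the rule staying quiet. The exclusion rule deliberately matches every -Exclusion* parameter of Add-MpPreference, not just -ExclusionPath, since the same dropper family could just as easily exclude a process or an extension.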
Network
MITRE ATT&CK Enterprise v15
Downloads
(Files recovered from the run; the report lists size and hashes only, no paths or names.)

File 1 (1KB)
  MD5:     d4f7a36de6b965659e253861f14f2054
  SHA1:    fb4716216d3f75dfbbd0e49ca55a9afcddd990e7
  SHA256:  e7004db110f0c2ab42c62737234e4ccca048dee78c2d8b4a2dc3b073e4545a76
  SHA512:  2ca8ca88ffbb3545ca36d64bbd6ed004013e7ade49759e6820db68777a69a16ca5fe5df3f144919afa0991b05792083d459ae11fa4955c40e100b6bef1a4c4ac

File 2 (291KB)
  MD5:     58eac77d1aa3ff75210f7ed838a2b2d1
  SHA1:    d8614698478d7f1c66867aeece4323ba985f808f
  SHA256:  8f290eafa3d91156164ca70cb019c4cfe8aa4c597decadc5590fba6702974ed9
  SHA512:  0286ba716a1d426e6c8f98ad9fe9954b54135e4112dca737f7a9e9599c5d160fa3f8668f108548eb978b3ffb06fa992d9ed882c59d47088fbbf54899a92dbdc7

File 3 (234KB)
  MD5:     200f2fe8d562d184fc9863ddbf0e95c8
  SHA1:    33797d41be7b611063f6fb7a3e39f73a6262eb68
  SHA256:  b33d5c8ec05997b6a789545572867f1c99640baa05cfe2eb6fff91de5152f885
  SHA512:  780994418614242a28955d484c87fe1d3c552165feee49019771bcdf346a8e408371db8f0d68344e05c8e40be2b256f14616ac8292a2eeae9b3b467cde7185fd

File 4 (784KB)
  MD5:     47be3e83ec08edb76de9ecb7f566a746
  SHA1:    598a46b9f7b721e5ca92136bb03f6e5b2a719403
  SHA256:  38de8c55f982ce0020138b434450288f92a4021ed5fc739b5edee0ff1c731061
  SHA512:  833445e031581afcf8cc17ef66f82a5aee22903fb916565296b2eaaf1d57eca5be18c862f9f54953a6eb2e460373b15a1140cede49a13ae75e4f9de1832ff2ae

File 5 (861KB)
  MD5:     b5b885a9364af1d12775a15b6d5085f1
  SHA1:    83c01d72699b6dfafdf9cacbbfa8bdbb5679be94
  SHA256:  fa044aa2c24825d2ab0ef1861c44a9ebeb35818632e4a73a508b2650f6953304
  SHA512:  1555415b73b1dcfb5296f8389b523a3f26acae5e543cdcc9fd0d15d7005de6345bd441fb567cbeccfd91dcdf6b16455e6978ac5e260b83fb71a162fcaedccf9b

File 6 (781KB)
  MD5:     2d4688243e467c2ab4b663a93b60ce1a
  SHA1:    74e3d1d84907b7b0b609fc871589a754d6468bf1
  SHA256:  0a3f899b9c96e5409fd0e4cda05946bbb03c8c6ffe6cdc6417ddedb2028d15e9
  SHA512:  8cdfe7a4dcbbeab474889b5c8c5544a5d3b736571f1bdcf3cd9fe197072a9c3945004f83500ab8a7669144008451a8dff18717e40911d017e133a3f5299cec21

File 7 (165KB)
  MD5:     46f9b1955e49c2fbe747d4e6c6a0b1a9
  SHA1:    eff7dc65fcd6266cf6e45d0c45c6e9651d9aff55
  SHA256:  fbf6317a3fb8be6bd2c14657a735be9ae3987340d14db8c6b91d4a6f632bc134
  SHA512:  ecc0b210b43a23e35baaa71862e658bc008245ac4710d0d05aed167361088516fb6021c0505e28ab8758802816ce2c52df8d404acb7be443886c6a577d375401

File 8 (231KB)
  MD5:     41270dfb714e4ab0896d50703fb49a4c
  SHA1:    0b5596ea5ebc335a60b2bf43c8e5ae747c4c8a7f
  SHA256:  7acc8377eb60581e1dfb7012cb8f7738d5d2284dc8b0c956e8612458d2bc02ff
  SHA512:  cdfe0df8f822282404d7704afadc8df5b8d1b092a1f73410735db35dea780ea6d90bcafe4a131a07e4c5fd1d02537cc1f78516a2444231ef6dcd1c599e3e2850

File 9 (198KB)
  MD5:     00f0350335eda0bfea6e66cfadd8e47d
  SHA1:    f2f389163bbfad1e4e9d8aa82841ed6a51a1b7fd
  SHA256:  ee1be26cf9c729fa4f69485b862d6914d5bd29eb475a55ac20033b0cb1c2ec88
  SHA512:  de800db9d0ab28398cfb226fc93f2a06bb2b7a4cb6f7be0630072c91d2967c525232c580df9971412d3618f04438c07f986327c1adc43784925131a430111ac8

File 10 (219KB)
  MD5:     68bb2e7cb0458ec74cb2a6a1f0340079
  SHA1:    ef835ab6c7b5a12304e39f48604bf60844883a74
  SHA256:  f97e451aa5d0567cb5bb86aa1512730a5c5f885778ec38a030a553b97502fbfc
  SHA512:  398ec6efc051e8fddae6d0fe23bf771f80f138c5e79ae87c80481c14e1dd4b7c48eeed183223f28ce3fb3ecf91afdf3bab2b674719d21b0cfbd3deb97e6b55ae

File 11 (252KB)
  MD5:     6e2206b17b0e0ac9d4fc0b939d1ccc06
  SHA1:    a3e4cc8d3f44edd96aaf1ab15e5b3d0d97c982b1
  SHA256:  419f950c4e3f5a5b2c686d5d6548f12bd0556498a02df9518c5201c0c8274ff3
  SHA512:  916b418c15ea97737a1657464af3781a7477bc4907053ebba7a020e21188a18b688d3719dd9b8432c202233fd9cddfb2a26c78d4b6f867b083a55b27115937b6