Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-01-2024 09:53

Static task: static1
Behavioral task: behavioral1
Sample: LEIDA IMPEX SRL TRADING CO. INQUIRY.jar
Resource: win7-20231129-en
General

Target: LEIDA IMPEX SRL TRADING CO. INQUIRY.jar
Size: 1.8MB
MD5: c43c2a5d2bab9cd217e91c14d302c835
SHA1: 943495ff135a870fe8d0a9886593b7610f0a4a05
SHA256: 44fbccda88d6e6050b012ee0d4d32c20a832f6ffe1d90158f4b0a3d42578ae18
SHA512: b8673280a0e468b9921df960216ea0123b4e75a7e325072d26ac214528d51964b32ba604e1d97ca6676cbd4ef3645452958a15b0a0b3ad70704bff532b3d0c7d
SSDEEP: 24576:qgeLSt2iaVQY0Vdn/Q55O6tIPHvNP1D1KZm6LSt2iaVQY0Vdn/Q55O6tIPHvNP1j:UfVQfoCNPN0ZmofVQfoCNPN0Zml
Malware Config

Extracted: darkcloud
- email_from
- email_to
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: alWFwCPZYm.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (2 IoCs)
Processes: 1848 alWFwCPZYm.exe, 4508 xXM7jN.exe

Modifies file permissions (1 TTP, 1 IoC)

Suspicious use of SetThreadContext (1 IoC)
PID 1848 alWFwCPZYm.exe set thread context of 2724 MSBuild.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
PID 4708 WerFault.exe, target PID 4508 xXM7jN.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes: 1848 alWFwCPZYm.exe (5 hits), 4508 xXM7jN.exe (3 hits), 2284 powershell.exe (3 hits)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token SeDebugPrivilege: 1848 alWFwCPZYm.exe; 4508 xXM7jN.exe; 2284 powershell.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 4664 java.exe, 2724 MSBuild.exe

Suspicious use of WriteProcessMemory (22 IoCs)
PID 4664 java.exe wrote to memory of 4268 icacls.exe (2 hits)
PID 4664 java.exe wrote to memory of 1848 alWFwCPZYm.exe (3 hits)
PID 4664 java.exe wrote to memory of 4508 xXM7jN.exe (3 hits)
PID 1848 alWFwCPZYm.exe wrote to memory of 2284 powershell.exe (3 hits)
PID 1848 alWFwCPZYm.exe wrote to memory of 2444 schtasks.exe (3 hits)
PID 1848 alWFwCPZYm.exe wrote to memory of 2724 MSBuild.exe (8 hits)
Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\LEIDA IMPEX SRL TRADING CO. INQUIRY.jar"
  PID: 4664
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      PID: 4268
      - Modifies file permissions

    C:\Users\Admin\alWFwCPZYm.exe
      Command line: C:\Users\Admin\alWFwCPZYm.exe
      PID: 1848
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JZxmqkq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE89.tmp"
          PID: 2444
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JZxmqkq.exe"
          PID: 2284
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          PID: 2724
          - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\xXM7jN.exe
      Command line: "C:\Users\Admin\xXM7jN.exe"
      PID: 4508
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1284
          PID: 4708
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4508 -ip 4508
  PID: 2712
Network
MITRE ATT&CK Enterprise v15
Downloads