ebf760dbfa32628221a5a902ffd7e98f560d181225e260ed4326aa36aa99f659

Analysis

max time kernel
38s
max time network
36s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

App.exe
Size

2.9MB
MD5

d6655c8f5158766bf2e91da966403580
SHA1

85da9aa520bee8965af536347a1c05d54b6410fd
SHA256

5a7bce33bbc1301553999bbd79747e8cef41dfae07e95474bd61cd5ae501f326
SHA512

f2bf55cac91325c99372609777cfd08d0510b59886055b3e436dbedffc84dbf45ba237593cf2399f1795279a7df412a4a7ef73dce5b6abc9dfdb3f0b5bc4e6c5
SSDEEP

49152:XnQT/qnwwnZQKuvYSKU/ESvdaU+c0/IVes7kJXBjYOMjUfkptVxOdxiy:XQTdwnBgYSKU/xvzg/IVeMjUu5

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\App.jar	App.exe

Executes dropped EXE 3 IoCs

pid	Process
1528	jdk_installer.exe
2204	jdk_installer.exe
1636	LZMA_EXE

Loads dropped DLL 4 IoCs

pid	Process
3000	App.exe
1528	jdk_installer.exe
2204	jdk_installer.exe
2204	jdk_installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	jdk_installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	jdk_installer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1528	3000	App.exe	28
PID 3000 wrote to memory of 1528	3000	App.exe	28
PID 3000 wrote to memory of 1528	3000	App.exe	28
PID 3000 wrote to memory of 1528	3000	App.exe	28
PID 3000 wrote to memory of 1528	3000	App.exe	28
PID 3000 wrote to memory of 1528	3000	App.exe	28
PID 3000 wrote to memory of 1528	3000	App.exe	28
PID 1528 wrote to memory of 2204	1528	jdk_installer.exe	29
PID 1528 wrote to memory of 2204	1528	jdk_installer.exe	29
PID 1528 wrote to memory of 2204	1528	jdk_installer.exe	29
PID 1528 wrote to memory of 2204	1528	jdk_installer.exe	29
PID 1528 wrote to memory of 2204	1528	jdk_installer.exe	29
PID 1528 wrote to memory of 2204	1528	jdk_installer.exe	29
PID 1528 wrote to memory of 2204	1528	jdk_installer.exe	29
PID 2204 wrote to memory of 1636	2204	jdk_installer.exe	31
PID 2204 wrote to memory of 1636	2204	jdk_installer.exe	31
PID 2204 wrote to memory of 1636	2204	jdk_installer.exe	31
PID 2204 wrote to memory of 1636	2204	jdk_installer.exe	31

C:\Users\Admin\AppData\Local\Temp\App.exe
"C:\Users\Admin\AppData\Local\Temp\App.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\jdk_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\jdk_installer.exe" /s /L 1033
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\jds259409522.tmp\jdk_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\jds259409522.tmp\jdk_installer.exe" "/s" "/L" "1033"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\LZMA_EXE
      "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\msi.tmp"
      4⤵
      Executes dropped EXE
      PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\au.msi

Filesize
652KB

MD5
1770c99e5bffa27201ac00a4c97c38f6

SHA1
649577c35528a1e560b866a93544dd52eb0221c9

SHA256
9005062b798980e312344109b20a381e6aff93ec0337842079293d5eb4d35488

SHA512
80383cd5e2528c2a9aed69d5bb378772587762458c657cb6d02752236ff3a429d587d8788f077467a71da4a683dd9d6e00f67328b2e392b91a6b778d5a05a47d

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\au.msi

Filesize
354KB

MD5
f367bf7abc69aff419017bed036bcbd3

SHA1
96a0ad154dd8ea8475b2b055bf9795cfde98a7bf

SHA256
b83e99123f86d3a13e33d8d22c03aee6909ea324d99581469bfbbbd5d60cb2de

SHA512
6794cd33f33fa1a3006b4247dc65eea9c531e27c89d8141767dbb3485656ba7885415db55a067b2bb18c37cf59eb32d4e573394604baec98304e4ea29fa97bd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\jre1.8.0_391.msi

Filesize
850KB

MD5
81de95ca2ae8af374061543fa395ca13

SHA1
686b16a8975d46026b87dc7e402c7af615f080c5

SHA256
25fb6e474050d7a622c066310665a50a045ab2e8cd39b3d08f9df0787b90e063

SHA512
b3405bc1ca2fceb4b8c3227e41664c32f44964dea82f6bb8d2387bf336153e592998b97044b25c9d767564c337f9fbf1f566e55ca6be657900a01d1329f06b53

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\msi.tmp

Filesize
154KB

MD5
591e5d6edbeb20276a3a2fc082f1e290

SHA1
fac7ad5834fed96286138e68214887dba8d4b11f

SHA256
a556434249cc1c540913edf1709d6b0cfe5363f5188af685ba122b17732cf25d

SHA512
7afeddb07a6f97ffc4f95f858520eff7aa52c9dfbd7e6e13e59df5f7e5fee4b15e77026c097b150304ddbf8958f81d0c9beddba3efefb4ffa05d918d0aea2ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdk_installer.exe

Filesize
1.9MB

MD5
07d8b9f02f9c628baa78e4aa6180ecbd

SHA1
67f1d6bbef5a3cb4c98c88657e4c96cb95b3ce20

SHA256
68d5cb444428d78fa6fdb5dc5f50b00d18fe9b5c2bc98dbca50e3ad3e6291af2

SHA512
99a63357ba3c124f39131e0a55c594ca7c817b4a0a68f0711aacaf34e3f3c74e76dda845b143260bad2e9b087fbc3d6495df3cc36f5f3b0623a6f200623e7aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259409522.tmp\jdk_installer.exe

Filesize
1.9MB

MD5
75d9ccd961bf6a9a479da2ef26d81b3b

SHA1
920f6bf9ec385cab84de5339089946a787c44618

SHA256
eadeddda2ca9d88d666ce6614389cdba25f518132e8245c5454b98a09888d252

SHA512
3dcfef4cd2c43137977b56931d920b43e86985722e05079863457b5c2ddf433f04be074fc719256fec372932b9f9ab87e7930a0cc8208f322cd0896e18a2cca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
beb86d250978a715f1e64836e1baacd3

SHA1
45d0f31b68d9bf2262cc815ad679ec8ab9e6b73e

SHA256
bdd41a5a2b0a2ad83bad4cc4c989611c79f53f9b899ce56c8ae3d168223f9901

SHA512
e0257b81cdd5142784d2c669891e524c0358f355b71dd4ce7ebaf4ef118591e0adfd2870203479a90d74cadc517b34af6b567d640441a7ceba62d0f5df107467

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
35KB

MD5
b1a8539d1dc1d2dd5413827391a50878

SHA1
c79dae2850630d582e0b579d9d742ffb40f30b1a

SHA256
ad9dce9904b425949450a7a895508290d0d09f9ba73175ce98fed383dab95647

SHA512
dc928e9d91e10a2c4e9665374bb869b2d3f07570870d56d40cd27c14a760afec0d1bafc84cbf58d55838cbfbcf29c6ed9233ded682b20c0570b4f673e254f5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
5KB

MD5
e7a834fd4c9c540ce1e20072a9433287

SHA1
07ecf153c1d24a50acef19998946b724da515e69

SHA256
59e06e9569b99c1ff9c69b47951f635b36465e6a767f90aa62d9778bfbcfe0a0

SHA512
f37c5d0c2258c879a22bf8c679f7f76b1e85ae114eeae89ff6c62305130daff3febfd21bae94bc0755f17c2de7edbd1cf08275b071684a39e4e592af263d32c3

Download Submit
\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
\Users\Admin\AppData\Local\Temp\jdk_installer.exe

Filesize
2.2MB

MD5
fadfbd359df6594813e08f66c7dfee20

SHA1
5c21766b1ee29aff104ecaa45b366153c4d1fe29

SHA256
74d5d5124de9e19f325953932c8c3198eaf8e10e9ba146ee9c673d0dcd9822e8

SHA512
5ad70026e5da443c501d4700f0dad16633f3cab41f74660a53ac5d57ded2de1740b4036dfe722cfaaeb9e07ecec484fcd3ee43fb7597f8cd454d81a7ad1e5bcd

Download Submit
memory/3000-0-0x0000000000100000-0x00000000003E2000-memory.dmp

Filesize
2.9MB

Download
memory/3000-222-0x0000000073E50000-0x000000007453E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-1-0x0000000073E50000-0x000000007453E000-memory.dmp

Filesize
6.9MB

Download