Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/02/2024, 00:19
Behavioral task behavioral1
- Sample: 2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
- Resource: win10v2004-20231215-en
General
- Target: 2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
- Size: 761KB
- MD5: 22e4d501be6ca69e29bc2a21782bd9e1
- SHA1: 93bd6f32a6afec897679ec96feb72627ea79d6ef
- SHA256: 1b7560d64e9fc2a468cc3e251669dd05df851f6432b8f3c373f06bd6aaf82d31
- SHA512: f4b836bc1aaaece82e2ef590bb214227c23578d57f8e4caf6778f269b85b4337dda99a8f43cb5d286b44528c8d7ac25e6d42a899a98dcdc6047aeb59fdea3c83
- SSDEEP: 12288:XClCM+jp72GYshJCa65jUXBosjWhMMJWX7AfoJLTpbyjkGZnCgAJt5JEXOG4Ir:XClCRMGhz6JOi4XMwXWoJHUYYnCgAJru
Malware Config
Signatures
- Ratty Rat payload (1 IoC)
  resource: behavioral2/files/0x000700000002311f-13.dat
  yara_rule: family_ratty
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
  Process: java.exe
- Loads dropped DLL (1 IoC)
  PID 2976 java.exe
- Modifies file permissions (1 TTP, 1 IoC)
  PID 3668 icacls.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar = "C:\\Users\\Admin\\AppData\\Roaming\\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar"
  Process: REG.exe
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (Process: java.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (Process: java.exe)
- Modifies registry key (1 TTP, 1 IoC)
  PID 1140 REG.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  PID 2976 java.exe (10 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2976 java.exe wrote to memory of PID 3668 (procid_target 85), 2 entries
  PID 2976 java.exe wrote to memory of PID 1140 (procid_target 87), 2 entries
  PID 2976 java.exe wrote to memory of PID 2804 (procid_target 88), 2 entries
  PID 2976 java.exe wrote to memory of PID 5028 (procid_target 89), 2 entries
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 2804 attrib.exe
  PID 5028 attrib.exe
Processes
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe (PID 2976)
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
  Signatures: Drops startup file; Loads dropped DLL; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\icacls.exe (PID 3668)
    Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    Signatures: Modifies file permissions
  - C:\Windows\SYSTEM32\REG.exe (PID 1140)
    Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar" /d "C:\Users\Admin\AppData\Roaming\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar" /f
    Signatures: Adds Run key to start application; Modifies registry key
  - C:\Windows\SYSTEM32\attrib.exe (PID 2804)
    Command line: attrib +H C:\Users\Admin\AppData\Roaming\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
    Signatures: Views/modifies file attributes
  - C:\Windows\SYSTEM32\attrib.exe (PID 5028)
    Command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
    Signatures: Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 83KB
  MD5: 55f4de7f270663b3dc712b8c9eed422a
  SHA1: 7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4
  SHA256: 47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25
  SHA512: 9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996
- Filesize: 761KB
  MD5: 22e4d501be6ca69e29bc2a21782bd9e1
  SHA1: 93bd6f32a6afec897679ec96feb72627ea79d6ef
  SHA256: 1b7560d64e9fc2a468cc3e251669dd05df851f6432b8f3c373f06bd6aaf82d31
  SHA512: f4b836bc1aaaece82e2ef590bb214227c23578d57f8e4caf6778f269b85b4337dda99a8f43cb5d286b44528c8d7ac25e6d42a899a98dcdc6047aeb59fdea3c83