Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/02/2024, 03:55
Static task: static1
Behavioral task: behavioral1
  Sample: Order550232.jar
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: Order550232.jar
  Resource: win10v2004-20231215-en
General
Target: Order550232.jar
Size: 129KB
MD5: c91d4750382881ff7da852e22a6f2419
SHA1: b916255dfadf02871d0a84083e989df52396e75b
SHA256: 12eac35e31b525e6257a42f809868ad6203e9ed8c8b07b487a46cfa0ba5ed4d3
SHA512: e897cd5a0b05e557d83aa3c3678dcd565cd53737b8d05fe46515e56b7ff229d218c1cc908c57d1dcbf4b5fdd7295d2a44deaff81c76c91c4f7ff1db201266244
SSDEEP: 3072:jo1lDnmPMoEu8S5IL47n3RervM8+gjkztlabpOex5ruXIbCuo:wKPMoCS5gm3UryusGOexWuo
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqTlpEOTrV.js | WScript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqTlpEOTrV.js | WScript.exe
- Modifies file permissions (1 TTP, 1 IoC)
  pid | Process
  2580 | icacls.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\dqTlpEOTrV.js\"" | WScript.exe
- Drops file in Program Files directory (12 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb | javaw.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | javaw.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | wscript.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1300 wrote to memory of 2580 | 1300 | java.exe | 88
  PID 1300 wrote to memory of 2580 | 1300 | java.exe | 88
  PID 1300 wrote to memory of 1976 | 1300 | java.exe | 90
  PID 1300 wrote to memory of 1976 | 1300 | java.exe | 90
  PID 1976 wrote to memory of 1032 | 1976 | wscript.exe | 91
  PID 1976 wrote to memory of 1032 | 1976 | wscript.exe | 91
  PID 1976 wrote to memory of 1476 | 1976 | wscript.exe | 92
  PID 1976 wrote to memory of 1476 | 1976 | wscript.exe | 92
Processes (indentation shows the parent/child tree)
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  command line: java -jar C:\Users\Admin\AppData\Local\Temp\Order550232.jar
  PID: 1300
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\icacls.exe
    command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    PID: 2580
    signatures: Modifies file permissions
  - C:\Windows\SYSTEM32\wscript.exe
    command line: wscript C:\Users\Admin\euvrrnhkej.js
    PID: 1976
    signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\dqTlpEOTrV.js"
      PID: 1032
      signatures: Drops startup file; Adds Run key to start application
    - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dcjlcvvvxq.txt"
      PID: 1476
      signatures: Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 46B
  MD5: bb7ef98b65a676c0fe98e05ba7c9b989
  SHA1: 7987ce7fa4062e3d62268dbbe14134785f5bceb5
  SHA256: 4a36b275992c18b424ae38f461fb008ffbfae3c85f44c76eeac4c2cb2b034705
  SHA512: 186b0b65fac68fecf5860f86a394b219069215c9891517fd20f1339252c1b98e053ec69c618d6beff2d9e45b73b82837855f67d2512e80f26964e492fdac5e6c
- Filesize: 92KB
  MD5: 2ed25df72bd13cca5979c53b8fe7e529
  SHA1: 82b9c61b60f966e1ff77374b7aea67334ae98ef1
  SHA256: 81473eced4690bb6172d677771924cd4a0542c74f00dae2b3493cbebc6b1549c
  SHA512: 3086609e10bb6504ac26fb573874ade44ec446e19ac7d1e059f108dbaf31271617a10addabed41997e400bc885d07ef713054ef2d2246748809740a64c7e90f6
- Filesize: 11KB
  MD5: 3a463dc3f1ccbb255564f73dccca622e
  SHA1: ab4a88d983c371128c73699cac7e308ca7870f7b
  SHA256: 18c2e58bfb5e035d4c1e4d2ba4e506c8041c739ec32ec9ce80ba00adc4dbd550
  SHA512: d7a4fdb65d1b5ff1616489e7b893ebab3f1e160c99007a43fc73ada3ec53cc9ddae4c3a6acb6e2852b239de336253064fd838d3f843c09e2ab952dce8e8e2cbe
- Filesize: 205KB
  MD5: d5fe40e5e35ebbc1a60c54672f775325
  SHA1: 9b01278c620351932e98e95db9881f18652f7e67
  SHA256: a40e1a0e0a1e68051cefc29955d92d99efa3d24a8d70052de8aa9e4ab08da32b
  SHA512: 2ade53d5a1d303328af40acf3f1d231fc54a8b3eb0d1e934094a7b7c63e5035c679e7ce89465e0ea4ea796e7f5f991c1da760cb64ad4b15b8d9130272e6d617c