Analysis

  • max time kernel
    83s
  • max time network
    98s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    22/02/2024, 15:25

General

  • Target
    RunWeka.bat
  • Size
    1KB
  • MD5
    3bf83e0b05c9f8fcc7e232a2d0b38b39
  • SHA1
    afd59a6008266cbdc2396aab44c5826014fbcc2c
  • SHA256
    14262f56ade4c745fa7f10a71f3432d1ed5d9ca9ee71b95ef9a0f676666d420c
  • SHA512
    c141d4cc6706390e742b1680e81138085f944307cdef9f2361f02a57c322551c2dce2a7b7171b0e081f6561cdd2783cb032423a82b0e0e50e7399a47da51fdbc

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory (6 IoCs)
  • Drops file in Windows directory (6 IoCs)
  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RunWeka.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c where.exe /R . javaw.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\system32\where.exe
        where.exe /R . javaw.exe
        3⤵
          PID:1820
      • C:\Users\Admin\AppData\Local\Temp\jre\zulu17.32.13-ca-fx-jre17.0.2-win_x64\bin\javaw.exe
        "C:\Users\Admin\AppData\Local\Temp\jre\zulu17.32.13-ca-fx-jre17.0.2-win_x64\bin\javaw.exe" -classpath . RunWeka -c default -jre-path .\jre\* --
        2⤵
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:3572
        • C:\Users\Admin\AppData\Local\Temp\jre\zulu17.32.13-ca-fx-jre17.0.2-win_x64\bin\javaw.exe
          "jre\zulu17.32.13-ca-fx-jre17.0.2-win_x64\bin\javaw" -Dfile.encoding=Cp1252 --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.annotation=ALL-UNNAMED --add-opens=java.base/java.lang.constant=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.module=ALL-UNNAMED --add-opens=java.base/java.lang.ref=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.lang.runtime=ALL-UNNAMED --add-opens=java.base/java.math=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.net.spi=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.nio.channels=ALL-UNNAMED --add-opens=java.base/java.nio.channels.spi=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.nio.charset.spi=ALL-UNNAMED --add-opens=java.base/java.nio.file=ALL-UNNAMED --add-opens=java.base/java.nio.file.attribute=ALL-UNNAMED --add-opens=java.base/java.nio.file.spi=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.security.cert=ALL-UNNAMED --add-opens=java.base/java.security.interfaces=ALL-UNNAMED --add-opens=java.base/java.security.spec=ALL-UNNAMED --add-opens=java.base/java.text=ALL-UNNAMED --add-opens=java.base/java.text.spi=ALL-UNNAMED --add-opens=java.base/java.time=ALL-UNNAMED --add-opens=java.base/java.time.chrono=ALL-UNNAMED --add-opens=java.base/java.time.format=ALL-UNNAMED --add-opens=java.base/java.time.temporal=ALL-UNNAMED --add-opens=java.base/java.time.zone=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.locks=ALL-UNNAMED --add-opens=java.base/java.util.function=ALL-UNNAMED --add-opens=java.base/java.util.jar=ALL-UNNAMED 
--add-opens=java.base/java.util.random=ALL-UNNAMED --add-opens=java.base/java.util.regex=ALL-UNNAMED --add-opens=java.base/java.util.spi=ALL-UNNAMED --add-opens=java.base/java.util.stream=ALL-UNNAMED --add-opens=java.base/java.util.zip=ALL-UNNAMED --add-opens=java.base/javax.crypto=ALL-UNNAMED --add-opens=java.base/javax.crypto.interfaces=ALL-UNNAMED --add-opens=java.base/javax.crypto.spec=ALL-UNNAMED --add-opens=java.base/javax.net=ALL-UNNAMED --add-opens=java.base/javax.net.ssl=ALL-UNNAMED --add-opens=java.base/javax.security.auth=ALL-UNNAMED --add-opens=java.base/javax.security.auth.callback=ALL-UNNAMED --add-opens=java.base/javax.security.auth.login=ALL-UNNAMED --add-opens=java.base/javax.security.auth.spi=ALL-UNNAMED --add-opens=java.base/javax.security.auth.x500=ALL-UNNAMED --add-opens=java.base/javax.security.cert=ALL-UNNAMED --add-opens=java.compiler/javax.annotation.processing=ALL-UNNAMED --add-opens=java.compiler/javax.lang.model=ALL-UNNAMED --add-opens=java.compiler/javax.lang.model.element=ALL-UNNAMED --add-opens=java.compiler/javax.lang.model.type=ALL-UNNAMED --add-opens=java.compiler/javax.lang.model.util=ALL-UNNAMED --add-opens=java.compiler/javax.tools=ALL-UNNAMED --add-opens=java.datatransfer/java.awt.datatransfer=ALL-UNNAMED --add-opens=java.desktop/java.applet=ALL-UNNAMED --add-opens=java.desktop/java.awt=ALL-UNNAMED --add-opens=java.desktop/java.awt.color=ALL-UNNAMED --add-opens=java.desktop/java.awt.desktop=ALL-UNNAMED --add-opens=java.desktop/java.awt.dnd=ALL-UNNAMED --add-opens=java.desktop/java.awt.event=ALL-UNNAMED --add-opens=java.desktop/java.awt.font=ALL-UNNAMED --add-opens=java.desktop/java.awt.geom=ALL-UNNAMED --add-opens=java.desktop/java.awt.im=ALL-UNNAMED --add-opens=java.desktop/java.awt.im.spi=ALL-UNNAMED --add-opens=java.desktop/java.awt.image=ALL-UNNAMED --add-opens=java.desktop/java.awt.image.renderable=ALL-UNNAMED --add-opens=java.desktop/java.awt.print=ALL-UNNAMED --add-opens=java.desktop/java.beans=ALL-UNNAMED 
--add-opens=java.desktop/java.beans.beancontext=ALL-UNNAMED --add-opens=java.desktop/javax.accessibility=ALL-UNNAMED --add-opens=java.desktop/javax.imageio=ALL-UNNAMED --add-opens=java.desktop/javax.imageio.event=ALL-UNNAMED --add-opens=java.desktop/javax.imageio.metadata=ALL-UNNAMED --add-opens=java.desktop/javax.imageio.plugins.bmp=ALL-UNNAMED --add-opens=java.desktop/javax.imageio.plugins.jpeg=ALL-UNNAMED --add-opens=java.desktop/javax.imageio.plugins.tiff=ALL-UNNAMED --add-opens=java.desktop/javax.imageio.spi=ALL-UNNAMED --add-opens=java.desktop/javax.imageio.stream=ALL-UNNAMED --add-opens=java.desktop/javax.print=ALL-UNNAMED --add-opens=java.desktop/javax.print.attribute=ALL-UNNAMED --add-opens=java.desktop/javax.print.attribute.standard=ALL-UNNAMED --add-opens=java.desktop/javax.print.event=ALL-UNNAMED --add-opens=java.desktop/javax.sound.midi=ALL-UNNAMED --add-opens=java.desktop/javax.sound.midi.spi=ALL-UNNAMED --add-opens=java.desktop/javax.sound.sampled=ALL-UNNAMED --add-opens=java.desktop/javax.sound.sampled.spi=ALL-UNNAMED --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.desktop/javax.swing.border=ALL-UNNAMED --add-opens=java.desktop/javax.swing.colorchooser=ALL-UNNAMED --add-opens=java.desktop/javax.swing.event=ALL-UNNAMED --add-opens=java.desktop/javax.swing.filechooser=ALL-UNNAMED --add-opens=java.desktop/javax.swing.plaf=ALL-UNNAMED --add-opens=java.desktop/javax.swing.plaf.basic=ALL-UNNAMED --add-opens=java.desktop/javax.swing.plaf.metal=ALL-UNNAMED --add-opens=java.desktop/javax.swing.plaf.multi=ALL-UNNAMED --add-opens=java.desktop/javax.swing.plaf.nimbus=ALL-UNNAMED --add-opens=java.desktop/javax.swing.plaf.synth=ALL-UNNAMED --add-opens=java.desktop/javax.swing.table=ALL-UNNAMED --add-opens=java.desktop/javax.swing.text=ALL-UNNAMED --add-opens=java.desktop/javax.swing.text.html=ALL-UNNAMED --add-opens=java.desktop/javax.swing.text.html.parser=ALL-UNNAMED --add-opens=java.desktop/javax.swing.text.rtf=ALL-UNNAMED 
--add-opens=java.desktop/javax.swing.tree=ALL-UNNAMED --add-opens=java.desktop/javax.swing.undo=ALL-UNNAMED --add-opens=java.instrument/java.lang.instrument=ALL-UNNAMED --add-opens=java.logging/java.util.logging=ALL-UNNAMED --add-opens=java.management/java.lang.management=ALL-UNNAMED --add-opens=java.management/javax.management=ALL-UNNAMED --add-opens=java.management/javax.management.loading=ALL-UNNAMED --add-opens=java.management/javax.management.modelmbean=ALL-UNNAMED --add-opens=java.management/javax.management.monitor=ALL-UNNAMED --add-opens=java.management/javax.management.openmbean=ALL-UNNAMED --add-opens=java.management/javax.management.relation=ALL-UNNAMED --add-opens=java.management/javax.management.remote=ALL-UNNAMED --add-opens=java.management/javax.management.timer=ALL-UNNAMED --add-opens=java.management.rmi/javax.management.remote.rmi=ALL-UNNAMED --add-opens=java.naming/javax.naming=ALL-UNNAMED --add-opens=java.naming/javax.naming.directory=ALL-UNNAMED --add-opens=java.naming/javax.naming.event=ALL-UNNAMED --add-opens=java.naming/javax.naming.ldap=ALL-UNNAMED --add-opens=java.naming/javax.naming.ldap.spi=ALL-UNNAMED --add-opens=java.naming/javax.naming.spi=ALL-UNNAMED --add-opens=java.net.http/java.net.http=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.rmi/java.rmi=ALL-UNNAMED --add-opens=java.rmi/java.rmi.dgc=ALL-UNNAMED --add-opens=java.rmi/java.rmi.registry=ALL-UNNAMED --add-opens=java.rmi/java.rmi.server=ALL-UNNAMED --add-opens=java.rmi/javax.rmi.ssl=ALL-UNNAMED --add-opens=java.scripting/javax.script=ALL-UNNAMED --add-opens=java.security.jgss/javax.security.auth.kerberos=ALL-UNNAMED --add-opens=java.security.jgss/org.ietf.jgss=ALL-UNNAMED --add-opens=java.security.sasl/javax.security.sasl=ALL-UNNAMED --add-opens=java.smartcardio/javax.smartcardio=ALL-UNNAMED --add-opens=java.sql/java.sql=ALL-UNNAMED --add-opens=java.sql/javax.sql=ALL-UNNAMED --add-opens=java.sql.rowset/javax.sql.rowset=ALL-UNNAMED 
--add-opens=java.sql.rowset/javax.sql.rowset.serial=ALL-UNNAMED --add-opens=java.sql.rowset/javax.sql.rowset.spi=ALL-UNNAMED --add-opens=java.transaction.xa/javax.transaction.xa=ALL-UNNAMED --add-opens=java.xml/javax.xml=ALL-UNNAMED --add-opens=java.xml/javax.xml.catalog=ALL-UNNAMED --add-opens=java.xml/javax.xml.datatype=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED --add-opens=java.xml/javax.xml.parsers=ALL-UNNAMED --add-opens=java.xml/javax.xml.stream=ALL-UNNAMED --add-opens=java.xml/javax.xml.stream.events=ALL-UNNAMED --add-opens=java.xml/javax.xml.stream.util=ALL-UNNAMED --add-opens=java.xml/javax.xml.transform=ALL-UNNAMED --add-opens=java.xml/javax.xml.transform.dom=ALL-UNNAMED --add-opens=java.xml/javax.xml.transform.sax=ALL-UNNAMED --add-opens=java.xml/javax.xml.transform.stax=ALL-UNNAMED --add-opens=java.xml/javax.xml.transform.stream=ALL-UNNAMED --add-opens=java.xml/javax.xml.validation=ALL-UNNAMED --add-opens=java.xml/javax.xml.xpath=ALL-UNNAMED --add-opens=java.xml/org.w3c.dom=ALL-UNNAMED --add-opens=java.xml/org.w3c.dom.bootstrap=ALL-UNNAMED --add-opens=java.xml/org.w3c.dom.events=ALL-UNNAMED --add-opens=java.xml/org.w3c.dom.ls=ALL-UNNAMED --add-opens=java.xml/org.w3c.dom.ranges=ALL-UNNAMED --add-opens=java.xml/org.w3c.dom.traversal=ALL-UNNAMED --add-opens=java.xml/org.w3c.dom.views=ALL-UNNAMED --add-opens=java.xml/org.xml.sax=ALL-UNNAMED --add-opens=java.xml/org.xml.sax.ext=ALL-UNNAMED --add-opens=java.xml/org.xml.sax.helpers=ALL-UNNAMED --add-opens=java.xml.crypto/javax.xml.crypto=ALL-UNNAMED --add-opens=java.xml.crypto/javax.xml.crypto.dom=ALL-UNNAMED --add-opens=java.xml.crypto/javax.xml.crypto.dsig=ALL-UNNAMED --add-opens=java.xml.crypto/javax.xml.crypto.dsig.dom=ALL-UNNAMED --add-opens=java.xml.crypto/javax.xml.crypto.dsig.keyinfo=ALL-UNNAMED --add-opens=java.xml.crypto/javax.xml.crypto.dsig.spec=ALL-UNNAMED --add-opens=javafx.base/javafx.beans=ALL-UNNAMED --add-opens=javafx.base/javafx.beans.binding=ALL-UNNAMED 
--add-opens=javafx.base/javafx.beans.property=ALL-UNNAMED --add-opens=javafx.base/javafx.beans.property.adapter=ALL-UNNAMED --add-opens=javafx.base/javafx.beans.value=ALL-UNNAMED --add-opens=javafx.base/javafx.collections=ALL-UNNAMED --add-opens=javafx.base/javafx.collections.transformation=ALL-UNNAMED --add-opens=javafx.base/javafx.event=ALL-UNNAMED --add-opens=javafx.base/javafx.util=ALL-UNNAMED --add-opens=javafx.base/javafx.util.converter=ALL-UNNAMED --add-opens=javafx.controls/javafx.scene.chart=ALL-UNNAMED --add-opens=javafx.controls/javafx.scene.control=ALL-UNNAMED --add-opens=javafx.controls/javafx.scene.control.cell=ALL-UNNAMED --add-opens=javafx.controls/javafx.scene.control.skin=ALL-UNNAMED --add-opens=javafx.fxml/javafx.fxml=ALL-UNNAMED --add-opens=javafx.graphics/javafx.animation=ALL-UNNAMED --add-opens=javafx.graphics/javafx.application=ALL-UNNAMED --add-opens=javafx.graphics/javafx.concurrent=ALL-UNNAMED --add-opens=javafx.graphics/javafx.css=ALL-UNNAMED --add-opens=javafx.graphics/javafx.css.converter=ALL-UNNAMED --add-opens=javafx.graphics/javafx.geometry=ALL-UNNAMED --add-opens=javafx.graphics/javafx.print=ALL-UNNAMED --add-opens=javafx.graphics/javafx.scene=ALL-UNNAMED --add-opens=javafx.graphics/javafx.scene.canvas=ALL-UNNAMED --add-opens=javafx.graphics/javafx.scene.effect=ALL-UNNAMED --add-opens=javafx.graphics/javafx.scene.image=ALL-UNNAMED --add-opens=javafx.graphics/javafx.scene.input=ALL-UNNAMED --add-opens=javafx.graphics/javafx.scene.layout=ALL-UNNAMED --add-opens=javafx.graphics/javafx.scene.paint=ALL-UNNAMED --add-opens=javafx.graphics/javafx.scene.robot=ALL-UNNAMED --add-opens=javafx.graphics/javafx.scene.shape=ALL-UNNAMED --add-opens=javafx.graphics/javafx.scene.text=ALL-UNNAMED --add-opens=javafx.graphics/javafx.scene.transform=ALL-UNNAMED --add-opens=javafx.graphics/javafx.stage=ALL-UNNAMED --add-opens=javafx.media/javafx.scene.media=ALL-UNNAMED --add-opens=javafx.swing/javafx.embed.swing=ALL-UNNAMED 
--add-opens=javafx.web/javafx.scene.web=ALL-UNNAMED --add-opens=java.base/sun.net.www.protocol.jar=ALL-UNNAMED --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.desktop/sun.awt=ALL-UNNAMED --add-opens=java.desktop/sun.java2d=ALL-UNNAMED --add-opens=javafx.graphics/com.sun.javafx.tk=ALL-UNNAMED --add-opens=javafx.graphics/com.sun.javafx.tk.quantum=ALL-UNNAMED --add-opens=javafx.graphics/com.sun.glass.ui=ALL-UNNAMED -Xss20m -Djava.net.useSystemProxies=true -classpath "weka.jar;" weka.gui.GUIChooser
          3⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks processor information in registry
          • Suspicious use of SetWindowsHookEx
          PID:4580

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/3572-8-0x0000023FD0950000-0x0000023FD1950000-memory.dmp
      Filesize 16.0MB
    • memory/3572-22-0x0000023FD0950000-0x0000023FD1950000-memory.dmp
      Filesize 16.0MB
    • memory/3572-40-0x0000023FD0950000-0x0000023FD1950000-memory.dmp
      Filesize 16.0MB
    • memory/4580-34-0x000001DF1AF90000-0x000001DF1BF90000-memory.dmp
      Filesize 16.0MB
    • memory/4580-37-0x000001DF1AF90000-0x000001DF1BF90000-memory.dmp
      Filesize 16.0MB
    • memory/4580-43-0x000001DF1AF90000-0x000001DF1BF90000-memory.dmp
      Filesize 16.0MB
    • memory/4580-50-0x000001DF1B7B0000-0x000001DF1B7C0000-memory.dmp
      Filesize 64KB
    • memory/4580-51-0x000001DF1AF90000-0x000001DF1BF90000-memory.dmp
      Filesize 16.0MB
    • memory/4580-53-0x000001DF1AF90000-0x000001DF1BF90000-memory.dmp
      Filesize 16.0MB