Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/02/2024, 18:54

General

  • Target

    appliedenergistics2-forge-11.7.6.jar

  • Size

    4.9MB

  • MD5

    1e51e9e057aa002f1e745303092865f9

  • SHA1

    3ecde216c771ab08d14126f72ba5198985247ecb

  • SHA256

    86f06ffdd7b73848cbb82ff23cf6bba6b2949e0562ae8a5f68bf0eed86eba8d2

  • SHA512

    890fcff3ddf1ebba1b25d9345f8c537c8daf19bc3031791399e017123ac8cc9a85d4766682bdc634392755b75b781a8b83beb91fc7aa2adcc5f2b7af80b264ae

  • SSDEEP

    98304:04Xnu/12G+bLS9ls0a3LSwvxl5TsGj7cLGKXU7fqvvK17+YgGVn/J+z:04a+bLS93IpvaG//Iva7/VE

Malware Config

Signatures

  • Modifies file permissions 1 TTPs 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Registers COM server for autorun 1 TTPs 64 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\appliedenergistics2-forge-11.7.6.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:2104
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1220
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
    1⤵
    • Modifies system executable filetype association
    • Registers COM server for autorun
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4960

    Network

          Downloads

          • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

            Filesize

            46B

            MD5

            d96393f412ac013efa35530c756f23df

            SHA1

            1968e46786147e66433cbdfda4bb486570c614a0

            SHA256

            3143f0d0cc55e8ae4671c97c7e9e63181a24b5ed4029b1bd073f97dee65db68d

            SHA512

            7652515346aaa23eb402f25fe136adcb6ac1c43d6759e3b165b3510b3cadd75c6fb293ce578d1471b3b0104780eeaa5e988128f018a266fb7091a20fc0151748

          • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

            Filesize

            63KB

            MD5

            e516a60bc980095e8d156b1a99ab5eee

            SHA1

            238e243ffc12d4e012fd020c9822703109b987f6

            SHA256

            543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

            SHA512

            9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IPH91Q7J\update100[2].xml

            Filesize

            726B

            MD5

            53244e542ddf6d280a2b03e28f0646b7

            SHA1

            d9925f810a95880c92974549deead18d56f19c37

            SHA256

            36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

            SHA512

            4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

          • memory/2688-4-0x0000014CEC520000-0x0000014CED520000-memory.dmp

            Filesize

            16.0MB

          • memory/2688-12-0x0000014CEAD10000-0x0000014CEAD11000-memory.dmp

            Filesize

            4KB

          • memory/2688-14-0x0000014CEC520000-0x0000014CED520000-memory.dmp

            Filesize

            16.0MB