Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-02-2024 22:01
Behavioral task: behavioral1
Sample: a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe
Resource: win7-20240221-en
General
Target: a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe
Size: 312KB
MD5: ae68f525110174d36fd0a78f728ec1ac
SHA1: a1e118f23dfc15269400bd059d5960caf01a6ebe
SHA256: a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d
SHA512: acdb4617b5c8aca3cab43d5af963f076d14bd9a55b4b0ad95f65490ee125022424453a1b0fd71776205027b1fc266e5918db44a7b81bb0d29befb34b1d8d741b
SSDEEP: 6144:yMNCha6O+chMWnhE/deKaG6+9DzZzNIT9OsUp9kBbCSCH/:yMNCha6O+EMcKFJ6+93ZuokBWS
Malware Config
Extracted: arkei (Default)
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid | Process
3848 | netsh.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | LocalrjJXIAUZat.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ee29faf3a82dae4ce355ef93c3d73702.exe | Javaupdt.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ee29faf3a82dae4ce355ef93c3d73702.exe | Javaupdt.exe

Executes dropped EXE (3 IoCs)
pid | Process
4588 | LocalrjJXIAUZat.exe
1724 | LocalXOdtfnFxis.exe
4676 | Javaupdt.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ee29faf3a82dae4ce355ef93c3d73702 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Javaupdt.exe\" .." | Javaupdt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ee29faf3a82dae4ce355ef93c3d73702 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Javaupdt.exe\" .." | Javaupdt.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2576 | 1724 | WerFault.exe | 85

Suspicious use of AdjustPrivilegeToken (34 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4588 | LocalrjJXIAUZat.exe
Token: SeDebugPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe
Token: 33 | 4676 | Javaupdt.exe
Token: SeIncBasePriorityPrivilege | 4676 | Javaupdt.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4196 wrote to memory of 4588 | 4196 | a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe | 84
PID 4196 wrote to memory of 4588 | 4196 | a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe | 84
PID 4196 wrote to memory of 4588 | 4196 | a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe | 84
PID 4196 wrote to memory of 1724 | 4196 | a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe | 85
PID 4196 wrote to memory of 1724 | 4196 | a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe | 85
PID 4196 wrote to memory of 1724 | 4196 | a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe | 85
PID 4588 wrote to memory of 4676 | 4588 | LocalrjJXIAUZat.exe | 91
PID 4588 wrote to memory of 4676 | 4588 | LocalrjJXIAUZat.exe | 91
PID 4588 wrote to memory of 4676 | 4588 | LocalrjJXIAUZat.exe | 91
PID 4676 wrote to memory of 3848 | 4676 | Javaupdt.exe | 94
PID 4676 wrote to memory of 3848 | 4676 | Javaupdt.exe | 94
PID 4676 wrote to memory of 3848 | 4676 | Javaupdt.exe | 94
Processes (process tree, indented by level)

C:\Users\Admin\AppData\Local\Temp\a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe
  "C:\Users\Admin\AppData\Local\Temp\a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4196

  C:\Users\Admin\AppData\LocalrjJXIAUZat.exe
    "C:\Users\Admin\AppData\LocalrjJXIAUZat.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4588

    C:\Users\Admin\AppData\Local\Temp\Javaupdt.exe
      "C:\Users\Admin\AppData\Local\Temp\Javaupdt.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:4676

      C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Javaupdt.exe" "Javaupdt.exe" ENABLE
        - Modifies Windows Firewall
        PID:3848

  C:\Users\Admin\AppData\LocalXOdtfnFxis.exe
    "C:\Users\Admin\AppData\LocalXOdtfnFxis.exe"
    - Executes dropped EXE
    PID:1724

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 252
      - Program crash
      PID:2576

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1724 -ip 1724
  PID:2420
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 107KB
MD5: 41c1fb2f4bd3c65cb0030b1f47a46084
SHA1: 199420219f0096cfb156945a54933a03144da70d
SHA256: f335705b83540e68ddd17c68232c2f5ca67b0479cdc3ad8ff11931db6c134764
SHA512: 93d4778a35b766b17824c62817421ac224027d6b699afde1281aaaedff7443d3d2c29d1ded98dc1dc318a67d51c2ad3f3b6df83b1c247da9e534f27ae7b0abfe

Filesize: 104KB
MD5: 4fe3cecb0627425f48b4832768beda71
SHA1: 956c71fa6ccc7c7d3dd7b79d624117d580a7c7fb
SHA256: 2c3cdb3cd330732b2dc485aee38d30b07ac006765b861adccc76b62aa29d2dff
SHA512: a9067a9c418c276423e5c5b18e474a070c641d729b83a84a40a6df6df670bda0a42d3c59e1c1310f6bff289327f53948ba721f6326d254a66b78723b634f413c