669a95f4fb366c02950b52b86f5d906dc150bca3fa710453a49eddef3471a333

General

Target

669a95f4fb366c02950b52b86f5d906dc150bca3fa710453a49eddef3471a333.jar
Size

622KB
MD5

efd645a5c1c5a8ebfee8f1cb2a139920
SHA1

58e80fdbabec6c26ba09d7c34ee075b0be6017c2
SHA256

669a95f4fb366c02950b52b86f5d906dc150bca3fa710453a49eddef3471a333
SHA512

c886dd8b5a8de9ea791c62e3caaf439387f051214b58085e5037e3eec59a17ee0225f31c12c0737a1b721c98d314dcbfc935ef683e89391f1cbc3d4770d9e709
SSDEEP

12288:y2/TdQOo5CKAGqMJIBKGUuR8PALJj28/VSVjMkbdMY02C+HLzqE:yo5MJ/GhRrLJj28NSVjjbA2hf

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	wscript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4744	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3180	javaw.exe
2576	java.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 4744	2344	java.exe	90
PID 2344 wrote to memory of 4744	2344	java.exe	90
PID 2344 wrote to memory of 1876	2344	java.exe	92
PID 2344 wrote to memory of 1876	2344	java.exe	92
PID 1876 wrote to memory of 3180	1876	wscript.exe	94
PID 1876 wrote to memory of 3180	1876	wscript.exe	94
PID 3180 wrote to memory of 2576	3180	javaw.exe	95
PID 3180 wrote to memory of 2576	3180	javaw.exe	95

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\669a95f4fb366c02950b52b86f5d906dc150bca3fa710453a49eddef3471a333.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:4744
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\ekmvqyemaq.js
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\glkcsom.txt"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.90356092180691731417431511135822109.class
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
9d7ce1abea4727705c23664e19d8f5f0

SHA1
797221ec7a92e83412fabab524e915bef68e92f5

SHA256
13a53d84c478325436598e7cc00f40634bdc3d8cc37243f9393171ac15cfdcbf

SHA512
03a4c2655cf96077cf3706b75dbdabf3ca3a329d20d3781204001ce395dd091632923047c7f77fcdf590ff78a9a1204469cf1af974a7aced2b88599bdcb20b5b

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
7892b59faf5bd5c62cb3ec6899ee63c0

SHA1
c3c511fe69c2c8f28d7345f61c7bf4ade301fe3e

SHA256
8f5db753ce7d54b6ee492d3565a01589079dd78f301e134ca4ee80164a541de4

SHA512
a402148fede4894094f47f41050dccb0d231f74148871299009878a91ef0d5696d989569d33a6d60854f200c83f99ac60d14ee5074f612ed1cf7d78209b35bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.90356092180691731417431511135822109.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-557049126-2506969350-2798870634-1000\83aa4cc77f591dfc2374580bbd95f6ba_571594ad-b717-4cea-93ae-747ab327a92a

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\glkcsom.txt

Filesize
473KB

MD5
219a01e09cd1edb7141255ab597b3b5a

SHA1
d4bb90ac587bbe9e1f9d4e73823575d94d6785a5

SHA256
01c654ad8189e58c33075ca7b995720f1f5b2c8d49b0ce2ac82d323ff40340b1

SHA512
290d72bcfec99ce958d66830ca08a1a41eec0a378249fa421ecd2dc7af073ae85dd7554816f6152b58f6854dcba8f92875bf51d346a0906fdd1b742773c4cb89

Download Submit
C:\Users\Admin\ekmvqyemaq.js

Filesize
941KB

MD5
da53c75c1c309bb790049f22ca7e6115

SHA1
49695a4b21037c34843b6b3c8dea763bac57450a

SHA256
105b9aa94fc7e20214f0423342d860452bf912b51b3b6ed43804affe0c8e23b7

SHA512
4ce6a408490127773f46b89633b474d612065063511f8f07b411ede5ba8b40e19518033e083fc919b708a24c4224581fe37db4e17dcc5fb862a2f7b98c2a82e8

Download Submit
memory/2344-14-0x0000024375EF0000-0x0000024375EF1000-memory.dmp

Filesize
4KB

Download
memory/2344-4-0x0000024300000000-0x0000024301000000-memory.dmp

Filesize
16.0MB

Download
memory/2576-43-0x0000026C00000000-0x0000026C01000000-memory.dmp

Filesize
16.0MB

Download
memory/2576-49-0x0000026C74EB0000-0x0000026C74EB1000-memory.dmp

Filesize
4KB

Download
memory/2576-75-0x0000026C74EB0000-0x0000026C74EB1000-memory.dmp

Filesize
4KB

Download
memory/2576-84-0x0000026C74EB0000-0x0000026C74EB1000-memory.dmp

Filesize
4KB

Download
memory/3180-41-0x0000023DDBFE0000-0x0000023DDBFE1000-memory.dmp

Filesize
4KB

Download
memory/3180-22-0x0000023DDC000000-0x0000023DDD000000-memory.dmp

Filesize
16.0MB

Download
memory/3180-58-0x0000023DDC000000-0x0000023DDD000000-memory.dmp

Filesize
16.0MB

Download
memory/3180-83-0x0000023DDBFE0000-0x0000023DDBFE1000-memory.dmp

Filesize
4KB

Download
memory/3180-85-0x0000023DDC000000-0x0000023DDD000000-memory.dmp

Filesize
16.0MB

Download
memory/3180-86-0x0000023DDC000000-0x0000023DDD000000-memory.dmp

Filesize
16.0MB

Download
memory/3180-102-0x0000023DDBFE0000-0x0000023DDBFE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing