216a6f9344e6a2dd54b2f29a3458af92d769c8d0d474d0456861be0fd2d7b396

Analysis

max time kernel
1473s
max time network
1496s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09-03-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXP Soundboard_05.exe
Size

8.7MB
MD5

2e2732e259e69e95a64903f54b2a11d3
SHA1

5b2be4efc98015387e6d65573df32cda64f1adeb
SHA256

216a6f9344e6a2dd54b2f29a3458af92d769c8d0d474d0456861be0fd2d7b396
SHA512

f5a83c19c180b9b772e58c34f514c59e323172281c050ad8154b5d2af364ba00b3c5dfa01e91eaf407f98467b93ee1ff042bcbebb604937a51d91a6ff4232b79
SSDEEP

196608:38+UuEJJls3EMUhdkzkgUvnzVr92NQ6C5HUHGGp+9C:s+h3EJPkbUvZr92GGGGMc

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3948	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2684	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	javaw.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3948	javaw.exe
3948	javaw.exe
3948	javaw.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 3948	5108	EXP Soundboard_05.exe	79
PID 5108 wrote to memory of 3948	5108	EXP Soundboard_05.exe	79
PID 3948 wrote to memory of 2684	3948	javaw.exe	80
PID 3948 wrote to memory of 2684	3948	javaw.exe	80

C:\Users\Admin\AppData\Local\Temp\EXP Soundboard_05.exe
"C:\Users\Admin\AppData\Local\Temp\EXP Soundboard_05.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\EXP Soundboard_05.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D0
1⤵
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
1eb8f739e574f1ab2a80535c7ca024d6

SHA1
c71504135cdb9eb306259fc8dea6c492b8c0223d

SHA256
7e0e13c5ccde7fde93ac974974857d86b5342295434deac44ef69d7468255562

SHA512
8baf815b7bbdf00b92e3791f65b557c01786be52977bdac877d0a49d92741be9943bb697edde2cde315937640e7af52df2dee2db65d1f0000da17cf031cfd157

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook_7045312813850772575.dll

Filesize
57KB

MD5
d12501aaf90c14a87678c1199c332694

SHA1
47a09b3b92928d9076ad162d2f03f3426fe38095

SHA256
fc23a64cc52f5b19e310a8d96b1fbfec981310359bda907f5931a53360485fbc

SHA512
ee0cc22ba3c28fdf1cfd1721b466f8ccd0ac590ea37f7be77a8c7e8ed9aa7ee563921b2106e9ca05cd606706eaf17b4f835053104da4567b75f1f6ccb7e6ce94

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache1956594310026963318.tmp

Filesize
103KB

MD5
63cf87afa65daf82ed9473834742bc48

SHA1
4731c1fc18554318ce1f649ad58909489a89b076

SHA256
97fcd1666e476217b21f3efbb76555ed3a9fd0607041b67858265d438ddc8b3c

SHA512
8a0a25723a8232b55083b09c5b329772f731de573d1b6310d26c3a3f4e1b26dcea146f07e1064315901af16ed49cc98819514436c3ec8579d0be848942c79d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache2248919611311713786.tmp

Filesize
102KB

MD5
7b672b4badc89286055adcc810f47df8

SHA1
33c346fe3c5f75dfbfb477e1f3d8446427633890

SHA256
eabaa070e57a204d441cd9b20200f74c165c4dd9cfb9dbf37eeabb3b713c6fac

SHA512
68b8c7aa6093ab706447ea334e47e7bceae06c05b787eaeb9f29f53c906d6dacf53d4ae17b330c6d0eaf6d54ad9eaf5b1e79ef3ddd54b9ccaa7c093b78dd214c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache2437364579078973661.tmp

Filesize
24KB

MD5
9f14fe1da1285d33871df0f2c3b3af4c

SHA1
edb87390ac0d37d693f997a3056137145b5ea828

SHA256
ce19a131c541e127cbaeaf972b1cbafc13f0b7f20ecb8af814ae95047fae550f

SHA512
1c245cf709f4e7c2460cecabb9459413f00971e41d797e0aa88fe93487d96ec4946a04513e2794a40f92ca05225e63d32c9bceba9f7d563b185f7d4b9ca3879a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache2847694857855382979.tmp

Filesize
3.1MB

MD5
499582315d1c4f47e227e2c6de8955b5

SHA1
6922fe254f915f0f66a890e7596bab29803d1801

SHA256
8a0330c87fc38856e584cda4cfdfd13ec1576d918574bcd8c16b5df13c8723eb

SHA512
97aaf941c42fc46df9bf66d8d41fda162739c9538d7beced3658d314dee596f3570d27af5335c2c463a78ef78fb6d51227f2848a090e1f744440a1ae66f2ad85

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache6796326237791867423.tmp

Filesize
185KB

MD5
232ea9ab7ec43b8b2ef36181ee7d693b

SHA1
973e832af433b44c3ed11c426f2f390b29f3f3f8

SHA256
08a99b852eafa908f76b1f4c8723c47c3399cbdc682ba9106a7556f1c06bf167

SHA512
8932db86275324498eb9194d6a80eae26c587e56d03339df42d04b20055c6774c6bd2ffe5c0e4c2716472bdf5fda6bf30d63b36733f094ea7bc8170fa97db671

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache802740028642090705.tmp

Filesize
1.4MB

MD5
09549e18af95514ab2c71702571a61c5

SHA1
2b7911f39b95cd3d9168f9b9c4c2b44549d3035c

SHA256
a58bdd9b7e3eb56663e7697c77c59f4ec6c97558f15942a1e5b7bd7e3f785585

SHA512
b413aa7dfd95e61bcd44c23fac09b93b1b9eef41f3d9a21d5072b2249930a6dbd01e9e5b3ef68050e5e1ade085c3db58ff115bb7a6b8747663964bcbd6190f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache8180312929770050801.tmp

Filesize
151KB

MD5
04797cbf86fcb3afc961a09924b96a47

SHA1
ec6d337eaad0264d1201860b6b23100324518cab

SHA256
dc04c3aa7b4e490159bc3ff046edc4892ff5821d92aada51a76d7422df7d2c03

SHA512
1ec70b55bc51aea0ceb54b807d70d7e7c0f74d6b40f86934ce77dac773340097cf515e8ac424fd998539e3e153df0690c7aced7e0e8f7a309b60a5d7d36e21c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache8264772857801447452.tmp

Filesize
24KB

MD5
9eed1b730a02019472ba4ada691f26e6

SHA1
fe1aea114c3e924c86b5742ebbb402878b5db945

SHA256
080c4920197498dd7484606ce7a09e74ebf81993841152648e7dcaea8307891a

SHA512
02191bfe9ffed5afae0ccac68cfd72af5b939ec606b75476bf140341d03b7c72ceb957d2db624e726aa1c3882256e3c926af5bd6be6efc21907843be4f1a6f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\jar_cache8437065020265598915.tmp

Filesize
80KB

MD5
c32a115a9fc0b19e18678e1508f7af4f

SHA1
e319592ea386410d809d10ebc156d5138bc11264

SHA256
9411e0c69a76d1e416bc194c64eedf52f2c8e3d19f5818309ee0cd997a20a34a

SHA512
2342a774e965ed0d23ef94b5a4ff7a690780cc6f21c8c05c128a9c5266001891bde52e0682193afc818725d2861f1bbe326cf46f84dff278e1c5921102cd7487

Download Submit
memory/3948-97-0x000002B6747B0000-0x000002B6747B1000-memory.dmp

Filesize
4KB

Download
memory/3948-123-0x000002B6747B0000-0x000002B6747B1000-memory.dmp

Filesize
4KB

Download
memory/3948-93-0x000002B600000000-0x000002B601000000-memory.dmp

Filesize
16.0MB

Download
memory/3948-233-0x000000006FF40000-0x000000006FF50000-memory.dmp

Filesize
64KB

Download
memory/3948-104-0x000002B6747B0000-0x000002B6747B1000-memory.dmp

Filesize
4KB

Download
memory/3948-107-0x000002B600000000-0x000002B601000000-memory.dmp

Filesize
16.0MB

Download
memory/3948-113-0x000002B600000000-0x000002B601000000-memory.dmp

Filesize
16.0MB

Download
memory/3948-13-0x000002B6747B0000-0x000002B6747B1000-memory.dmp

Filesize
4KB

Download
memory/3948-119-0x000002B6747B0000-0x000002B6747B1000-memory.dmp

Filesize
4KB

Download
memory/3948-40-0x000002B6747B0000-0x000002B6747B1000-memory.dmp

Filesize
4KB

Download
memory/3948-124-0x000002B600000000-0x000002B601000000-memory.dmp

Filesize
16.0MB

Download
memory/3948-125-0x000002B600000000-0x000002B601000000-memory.dmp

Filesize
16.0MB

Download
memory/3948-132-0x000002B600000000-0x000002B601000000-memory.dmp

Filesize
16.0MB

Download
memory/3948-133-0x000002B6747B0000-0x000002B6747B1000-memory.dmp

Filesize
4KB

Download
memory/3948-134-0x000000006FF40000-0x000000006FF50000-memory.dmp

Filesize
64KB

Download
memory/3948-3-0x000002B600000000-0x000002B601000000-memory.dmp

Filesize
16.0MB

Download
memory/5108-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download