26c76cf5ce5f7b1968d31782afe50a56275eee121497a798a39e18910864b07b

General

Target

jre-10.0.2_windows-x64_bin.exe
Size

100.6MB
MD5

604dbc1ab825d6d1814852a9a09aa8f7
SHA1

ca95256dbce87518fb74c282f75e1a6666f42492
SHA256

26c76cf5ce5f7b1968d31782afe50a56275eee121497a798a39e18910864b07b
SHA512

ddb4fb500dd4f626610cd234cfaad24cdac80b83eafe02dd2b0cd81aa9c7362bfeaf3ec6a810083085edca4d15e365cf84967776531901c470cdb62c6a84744e
SSDEEP

3145728:r7zVG8SIzSLIk/IsUCwP6BrU5em6x7VrEe2pwgMY/C:88SmSL3v26Beem6NmeR4/C

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

jre-10.0.2_windows-x64_bin.exejre-10.0.2_windows-x64_bin.exe

pid process

1192 jre-10.0.2_windows-x64_bin.exe
2920 jre-10.0.2_windows-x64_bin.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3464	taskmgr.exe
Token: SeSystemProfilePrivilege	3464	taskmgr.exe
Token: SeCreateGlobalPrivilege	3464	taskmgr.exe
Token: 33	3464	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3464	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

jre-10.0.2_windows-x64_bin.exejre-10.0.2_windows-x64_bin.exe

pid	process
1192	jre-10.0.2_windows-x64_bin.exe
1192	jre-10.0.2_windows-x64_bin.exe
2920	jre-10.0.2_windows-x64_bin.exe
2920	jre-10.0.2_windows-x64_bin.exe
2920	jre-10.0.2_windows-x64_bin.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

jre-10.0.2_windows-x64_bin.exe

description	pid	process	target process
PID 1128 wrote to memory of 1192	1128	jre-10.0.2_windows-x64_bin.exe	jre-10.0.2_windows-x64_bin.exe
PID 1128 wrote to memory of 1192	1128	jre-10.0.2_windows-x64_bin.exe	jre-10.0.2_windows-x64_bin.exe

C:\Users\Admin\AppData\Local\Temp\jre-10.0.2_windows-x64_bin.exe
"C:\Users\Admin\AppData\Local\Temp\jre-10.0.2_windows-x64_bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Local\Temp\jds240598265.tmp\jre-10.0.2_windows-x64_bin.exe
"C:\Users\Admin\AppData\Local\Temp\jds240598265.tmp\jre-10.0.2_windows-x64_bin.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\bf6916c70a3b45fb95bad2f2d5d94713 /t 2628 /p 1192
1⤵
PID:2244

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\jds240598265.tmp\jre-10.0.2_windows-x64_bin.exe
"C:\Users\Admin\AppData\Local\Temp\jds240598265.tmp\jre-10.0.2_windows-x64_bin.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2920

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\7204e2539db344a880ca38997005ba12 /t 1784 /p 2920
1⤵
PID:620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
297KB

MD5
5ea1908b717a7a1fb2795cc8f8b29c16

SHA1
6bbea93bb424924b24ed03f3350649528bf69feb

SHA256
4ba793ee2f6f1bc285b84e62a6138ec00308946450be9b3bbb4731a1fe5da845

SHA512
226b8071c8b5c006e4e49d36bbf0b47f99021f2208f439dad68653bb335aa22182574d87bb9a78ed5c0d0e490489b4c16ee1a5eb502467040b242e4dc5c7c550

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
311KB

MD5
b33e0cf6aa0646e4c90d2c46e7195f80

SHA1
916e46ee4edb7273c17529cadd2f243928df7774

SHA256
9d4de6c5a76963782e0e607ada0d7ac781d118782f075e293d6582397fe89816

SHA512
5c4c749b360d1a637ad393b47ea4c2064e6e2850e587e2d89eeb1be7ef48dedb25f4dffa0f96658d656e8822d348bb005d6b05a70224b868649d1dc925b808d0

Download Submit
memory/3464-82-0x0000029BEC340000-0x0000029BEC341000-memory.dmp

Filesize
4KB

Download
memory/3464-83-0x0000029BEC340000-0x0000029BEC341000-memory.dmp

Filesize
4KB

Download
memory/3464-84-0x0000029BEC340000-0x0000029BEC341000-memory.dmp

Filesize
4KB

Download
memory/3464-94-0x0000029BEC340000-0x0000029BEC341000-memory.dmp

Filesize
4KB

Download
memory/3464-93-0x0000029BEC340000-0x0000029BEC341000-memory.dmp

Filesize
4KB

Download
memory/3464-92-0x0000029BEC340000-0x0000029BEC341000-memory.dmp

Filesize
4KB

Download
memory/3464-91-0x0000029BEC340000-0x0000029BEC341000-memory.dmp

Filesize
4KB

Download
memory/3464-90-0x0000029BEC340000-0x0000029BEC341000-memory.dmp

Filesize
4KB

Download
memory/3464-88-0x0000029BEC340000-0x0000029BEC341000-memory.dmp

Filesize
4KB

Download
memory/3464-89-0x0000029BEC340000-0x0000029BEC341000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads