5cd03f588d47cf564be795d1a114c9812b702e7858704094d959ad97df7f7ca8

Analysis

max time kernel
158s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

380c08c3471775e3eccdcd3c755074457e7cdafc02e92e7b9ceaad8b500ea8a6.jar
Size

643KB
MD5

df2d12625998b7c51a4eab26d3a42e7e
SHA1

3d0403ab389c056beae99b7e71cca51ad521c870
SHA256

380c08c3471775e3eccdcd3c755074457e7cdafc02e92e7b9ceaad8b500ea8a6
SHA512

af1ead62e893127323e6b86abad37ad804928bd96e9dbaac618cc737490efa0e61329d8dfb636fa9fd215596721ad04f3e63a2c04a909e895af8c08d02f1e75d
SSDEEP

12288:R/eAo7rK7tfAKc6Mr+DpxFGs/HfTeg1jPZc+AR6AptwyoFGVKBzG1KpUfsRxrq40:no7rKJcPr+wIHfzxcbTLwyoFuKBAURx4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

java.exewscript.exejavaw.exe

description	pid	process	target process
PID 2340 wrote to memory of 2832	2340	java.exe	wscript.exe
PID 2340 wrote to memory of 2832	2340	java.exe	wscript.exe
PID 2340 wrote to memory of 2832	2340	java.exe	wscript.exe
PID 2832 wrote to memory of 2428	2832	wscript.exe	javaw.exe
PID 2832 wrote to memory of 2428	2832	wscript.exe	javaw.exe
PID 2832 wrote to memory of 2428	2832	wscript.exe	javaw.exe
PID 2428 wrote to memory of 2620	2428	javaw.exe	java.exe
PID 2428 wrote to memory of 2620	2428	javaw.exe	java.exe
PID 2428 wrote to memory of 2620	2428	javaw.exe	java.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\380c08c3471775e3eccdcd3c755074457e7cdafc02e92e7b9ceaad8b500ea8a6.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\gcahfpmhcn.js
2⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\uzyrot.txt"
3⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.06509658398445861343223690797938612.class
4⤵
PID:2620

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_0.06509658398445861343223690797938612.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-778096762-2241304387-192235952-1000\83aa4cc77f591dfc2374580bbd95f6ba_e942923e-bba7-4713-9a9e-94ded71626f5
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\uzyrot.txt
Filesize
479KB

MD5
d7d1131452a0427e78a2710d280537b5

SHA1
279b601cb79c5d1790910c839125a45b2f43101d

SHA256
4c81c42509988b29c4d77288ed55849de919676fbca4a938bf773f893f2e547e

SHA512
483d03f5dcf0011679463a68f233cb50796c056d1045cc6eeaccae41ffbe51e562a186f6cd6196b0c3b63631553a7d780d6d77648117903e4d58238b2ef8d198

Download Submit
C:\Users\Admin\gcahfpmhcn.js
Filesize
1006KB

MD5
5bca887380e1881f351c22574d257e41

SHA1
987634d53966aa6e84c72ad366bb78e619cb674a

SHA256
5f4b5467cccbbc2f2c5771d9547e7fca350df341d154f4d83a4442b7a44cdf06

SHA512
26c9da1464668a4d084095c4425f3e51c9c875e57315b8356081ab2ef032e5bfb28cbbef99d915dc626267c3abc9f8c134cae6778b5679e828fd55558946b92d

Download Submit
memory/2340-15-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2340-10-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2340-9-0x00000000021F0000-0x00000000051F0000-memory.dmp

Filesize
48.0MB

Download
memory/2428-28-0x0000000002180000-0x0000000005180000-memory.dmp

Filesize
48.0MB

Download
memory/2428-37-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2428-57-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2428-61-0x0000000002180000-0x0000000005180000-memory.dmp

Filesize
48.0MB

Download
memory/2620-43-0x0000000002050000-0x0000000005050000-memory.dmp

Filesize
48.0MB

Download
memory/2620-47-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download