d43d793529aa53d452cc85badf97e5aa04fe09f61d99046c655a51b31709b624

Analysis

max time kernel
142s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WireStack.exe
Size

417KB
MD5

ff1d3bc36ce06ad6c2c87e97f8b7123f
SHA1

9b820a32285153ef84f56782ff9739039faffc1b
SHA256

c859b1af12a296cb65e7c90c9e604509a436bae4c29c0f7f970ddddf3ae69af9
SHA512

8bcc49d6e0bd2e7ee04508799a73ac2e9eb0241d6280310baff75e57f75240b40c26c0b090e4a7944c5f06eab638285345bfb7e0ca18b435d03ccd78125d3bcf
SSDEEP

12288:wAqsftlPJjSZCXWEAQLQV+EVUL/kbEIKL1wTNUvpA:lqsftlPJjSEnAQLQV+EqL/GEIKL17vW

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2340 icacls.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

UpdateApp.exe

description pid process

Token: SeDebugPrivilege 2132 UpdateApp.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

javaw.exe

pid process

1964 javaw.exe
1964 javaw.exe
1964 javaw.exe
1964 javaw.exe

pid	process
2340	icacls.exe

description	pid	process
Token: SeDebugPrivilege	2132	UpdateApp.exe

pid	process
1964	javaw.exe
1964	javaw.exe
1964	javaw.exe
1964	javaw.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WireStack.exejavaw.exejavaw.exe

description	pid	process	target process
PID 4708 wrote to memory of 5064	4708	WireStack.exe	javaw.exe
PID 4708 wrote to memory of 5064	4708	WireStack.exe	javaw.exe
PID 5064 wrote to memory of 2340	5064	javaw.exe	icacls.exe
PID 5064 wrote to memory of 2340	5064	javaw.exe	icacls.exe
PID 4708 wrote to memory of 1964	4708	WireStack.exe	javaw.exe
PID 4708 wrote to memory of 1964	4708	WireStack.exe	javaw.exe
PID 1964 wrote to memory of 2132	1964	javaw.exe	UpdateApp.exe
PID 1964 wrote to memory of 2132	1964	javaw.exe	UpdateApp.exe
PID 1964 wrote to memory of 2132	1964	javaw.exe	UpdateApp.exe

C:\Users\Admin\AppData\Local\Temp\WireStack.exe
"C:\Users\Admin\AppData\Local\Temp\WireStack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
javaw.exe -version
2⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
3⤵
- Modifies file permissions
PID:2340

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
javaw.exe -classpath ";C:\Users\Admin\AppData\Local\Temp\.\WireStack.jar;C:\Users\Admin\AppData\Local\Temp\.\clink.jar;C:\Users\Admin\AppData\Local\Temp\.\commons-httpclient.jar;C:\Users\Admin\AppData\Local\Temp\.\commons-logging.jar;C:\Users\Admin\AppData\Local\Temp\.\commons-net.jar;C:\Users\Admin\AppData\Local\Temp\.\daap.jar;C:\Users\Admin\AppData\Local\Temp\.\icu4j.jar;C:\Users\Admin\AppData\Local\Temp\.\id3v2.jar;C:\Users\Admin\AppData\Local\Temp\.\jcraft.jar;C:\Users\Admin\AppData\Local\Temp\.\jl011.jar;C:\Users\Admin\AppData\Local\Temp\.\jmdns.jar;C:\Users\Admin\AppData\Local\Temp\.\logicrypto.jar;C:\Users\Admin\AppData\Local\Temp\.\looks.jar;C:\Users\Admin\AppData\Local\Temp\.\xerces.jar;C:\Users\Admin\AppData\Local\Temp\.\themes.jar;C:\Users\Admin\AppData\Local\Temp\.\i18n.jar;C:\Users\Admin\AppData\Local\Temp\.\log4j.jar;C:\Users\Admin\AppData\Local\Temp\.\mp3sp14.jar;C:\Users\Admin\AppData\Local\Temp\.\ProgressTabs.jar;C:\Users\Admin\AppData\Local\Temp\.\tritonus.jar;C:\Users\Admin\AppData\Local\Temp\.\vorbis.jar;C:\Users\Admin\AppData\Local\Temp\.\xml-apis.jar;C:\Users\Admin\AppData\Local\Temp\.\plura.jar;" com.limegroup.gnutella.gui.Main
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\UpdateApp.exe
UpdateApp.exe "WireStack" "1" "3.9.0" "wirestack.com" "false"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
ed6f21453744c05246c7201d15b0374b

SHA1
7f91e4101500b9ec9bc5c53f69edee28b14d8221

SHA256
31a4f84b37f2989a3e13f078cf0d73ff123ab638ae87976d0f0acac6b32b5872

SHA512
d0a487e85d6831115b2f40d97f30bac4c846accb04a2be6fce3c79c5cf77d2e47dfbca1c037dd7a0c19d447278fb58f3461b8857a4f84e1649a45ce772ec61b8

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\brown_and_pink_theme\lime.gif

Filesize
980B

MD5
9d8de89bca53fb98603ca0ec7a322fa1

SHA1
6cb467fdbca5e7d35ee6e676d69db1d0f8b446eb

SHA256
f6eae37303981c223d186cea6af741d0c43d3c2e31c5909910718771a3afb712

SHA512
13e2c3dd6e1ffbcde13bd246350829fffcbdd3f18328175fdf57d0baec3825636bde26ac225f63cd2d805f9852f09505c5182ccda4e4ca06f2d4fe3eee3f536a

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\brown_and_pink_theme\splash.png

Filesize
268KB

MD5
f8c796a5d283b19b2db15417e66a2663

SHA1
ee2a4a5ef24353a8d97987f04706c3360e26ea3a

SHA256
6224d9375c9b25e9ea42f65c7b338e052c35c07ed8b5a27a23d361955248f9ef

SHA512
e8e511f9cc1de3939ce6c2b4a0a38d28eeb698ee43c6167d3cba1963d2aff7fcdbb6a534774636af386ae5d48c7e87e02340225e6c2d6a96ab2424961d9fe56b

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\brown_theme\01_star.gif

Filesize
236B

MD5
a118f5dda29c66014e7dc712d25e30c8

SHA1
12dceeda0d3db8b7284ce11fc0511860f89ab77a

SHA256
fe9b1761b8d65d8d8334549102b9730c3fe259d6ffa89b21e16be9c8c0270114

SHA512
370f7d3b7cb9513f093beb0f0d2c4161b9de31445199a9db018b0742f27a8ea448a7751e15865e84d0733b1da77fd59de52537da0d84eb5fb9282296322954b9

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\brown_theme\02_star.gif

Filesize
291B

MD5
cc8bb8ba95437055c3c1852ba21f8602

SHA1
fe3272dc468a741237a5976306bfb6d2d6b70765

SHA256
745632c254a27c8b3b57d5f31ae5d8363f5ca8caae2a8903590df5e14d257ce1

SHA512
b240bc1638fd515b3b0dac6ba4658ba99a169570ca29f221bc82cd9adb45174759ea34ec44ce3e3c2e303a252c3c4cb4a0caf6d99d9f10bc8b2d5ce528bbc2ac

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\brown_theme\03_star.gif

Filesize
325B

MD5
9ee72a89901ee093cb0b9c5c4ec2d286

SHA1
b2828a1e7d3740d8e0e163fcb994fd8c14fd9f0b

SHA256
20441da9609d90c402516cb843d68621e0bc22b845c1dcacda48f165fc2116bb

SHA512
527fd1171293549fa61df9842295a2cef143cf6381b3d6ebb07cd112968b3802f2046ed40d5ba22c85a1c6fc9c6b65d2380297871c6e75c980547aa7df6ef7a9

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\brown_theme\04_star.gif

Filesize
365B

MD5
845a64c95189ea234e9ef5fe8895d4e3

SHA1
4c173ad1f308aa9e24ba94eb828a81acce885259

SHA256
187eefe36a77e34eb94957ace6f4b3b4dd0430ec9a28ba75c86a2425372b93e3

SHA512
a30516ecd5e34d0b58478d0e8817381d5d3af15bcb1ebf804e884deea6abaa091c9b7d1e715a2e90c75043682e31e2d4fbcea04e6fef9624d133f4d22b054681

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\classic_theme\05_star.gif

Filesize
374B

MD5
4486b2cb29e4e8b35c4f84e0ce0afb82

SHA1
f32b57cb1a515db2d93f6b658e1f1fd64531e347

SHA256
1fd8e13b97dda89d47b0f0c1a69e0dce9dba94503b16e4308ffb576c59c337f5

SHA512
4eb58dc2c1f9106ab58603e62efffa3d9b3527456bf9bf7b065e29be5def21ce383bf644f1c4c0ddea3c2bb2eb31e9871df04f7d566d7a18c0df2df2ebd58fe3

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\classic_theme\dir_closed.gif

Filesize
86B

MD5
186875a8c4951b1038b5044bce1bd486

SHA1
61fe1bda80613d75debec8605bb2aa4d927ba887

SHA256
449b33b660e7dbdb008ac11b2a750163bf16686ba0601ab1d44b40748d16bdcd

SHA512
73d6fef6f13a8435bd18f7abe56cb471a511c60fb8f266f0c416d79425e375127b7c4ea437ef3990fe732de891fa22e541a6879cf9a6b8b22c3cc1432f80b15d

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\classic_theme\dir_open.gif

Filesize
84B

MD5
7d734a59d7b65bc45b499063be36ae38

SHA1
1cf5aa198660eaeee5f9e7bba27eb12cb0af22cc

SHA256
c94ecf6be1d49588377d4061a32240ed50906091f556cb92b7c7000b2cd17aba

SHA512
042f96c8b87bf9defe285dc8b3a97d9d739577ab8c04d8b52fb268f2d15929c06ea3c41ff3603cd24470ee6a600f564cbb9abfa4b27e3342744add33c145cb0c

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\green_theme\question.gif

Filesize
167B

MD5
122f265a4e20ae06ff608ca44226c09d

SHA1
df463e550bf576a257a46c071fda97ee03544a09

SHA256
c77364458961fa9d66f4d44de292664a644c49d92ef3c09b8c28d03327502596

SHA512
a0feda88a335e29ecd5ade5b405fa9c63c9d6f78a42837b835dea41274249e394f1005caa85f9c265280a483a820752f58db3007673fd826e88e625f772f43ad

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\green_theme\warning.gif

Filesize
143B

MD5
5c6b308dbccefa9b8ff26af33bf7da2d

SHA1
673986d7c8734fc222b093ac6526d2869feaf091

SHA256
355a5bbd58eff84bd18b9a401b9e4aef7151fc1b02a66e9d9f5da29ce061696f

SHA512
ffda4c9b92385ca7459fcb078997c301d7b37ae64b8e7c05d7d2eb235bd0fb6203888b37073124fc89f5fee0a1585014bf24a483808e6d254cf3e6f3fcf57579

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\ocean_theme\chat.gif

Filesize
520B

MD5
040334f0a885168f801515a41274b623

SHA1
f06dc8b1ad26f967989d77418f39c77dfa28f676

SHA256
50788d1b5fa1d25ac1c6079c3073f26c18e8b597bc8d2a2e089b542267875c47

SHA512
eb1acc91c9f66cc42450bdfc888a59b82365a6d76e1ea2bf86aadb1d09a2880bbd571ffbf043df9c912c15aad2d843ccfcc7b1cc4d309bfb6d66bcf95b7af760

Download Submit
C:\Users\Admin\AppData\Roaming\WireStack\themes\red_theme\05_star.gif

Filesize
374B

MD5
d85efb492c2ba36a7cdd25c570add21e

SHA1
307ab7f4b298d1740f55b511b3f633c7f01620e6

SHA256
56d7cce7ea4688f2676f2f1a4be0f0409981146ba16e6c47308274e0e42adfaf

SHA512
99c8820c5f1067ed6ebed72117e8c1b327547d3accd967a9056d51a678ef7a2609516004c371d3bc5612b31dbe4c862b8f5ea4f19ce9d1b2a3f6a49117bccf58

Download Submit
memory/1716-41-0x0000000000B80000-0x0000000000BA0000-memory.dmp

Filesize
128KB

Download
memory/1716-45-0x000000001A290000-0x000000001A664000-memory.dmp

Filesize
3.8MB

Download
memory/1716-46-0x000000001A970000-0x000000001AAA6000-memory.dmp

Filesize
1.2MB

Download
memory/1964-38-0x0000025B6AD90000-0x0000025B6AD91000-memory.dmp

Filesize
4KB

Download
memory/1964-679-0x0000025B6AD90000-0x0000025B6AD91000-memory.dmp

Filesize
4KB

Download
memory/1964-757-0x0000025B6ADB0000-0x0000025B6B020000-memory.dmp

Filesize
2.4MB

Download
memory/1964-748-0x0000025B6AD90000-0x0000025B6AD91000-memory.dmp

Filesize
4KB

Download
memory/1964-735-0x0000025B6AD90000-0x0000025B6AD91000-memory.dmp

Filesize
4KB

Download
memory/1964-22-0x0000025B6ADB0000-0x0000025B6B020000-memory.dmp

Filesize
2.4MB

Download
memory/1964-724-0x0000025B6AD90000-0x0000025B6AD91000-memory.dmp

Filesize
4KB

Download
memory/1964-387-0x0000025B6AD90000-0x0000025B6AD91000-memory.dmp

Filesize
4KB

Download
memory/1964-714-0x0000025B6AD90000-0x0000025B6AD91000-memory.dmp

Filesize
4KB

Download
memory/1964-704-0x0000025B6AD90000-0x0000025B6AD91000-memory.dmp

Filesize
4KB

Download
memory/2132-721-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/2132-29-0x0000000075162000-0x0000000075163000-memory.dmp

Filesize
4KB

Download
memory/2132-30-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/2132-31-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/4708-741-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5064-2-0x000001BDD5650000-0x000001BDD58C0000-memory.dmp

Filesize
2.4MB

Download
memory/5064-12-0x000001BDD3D60000-0x000001BDD3D61000-memory.dmp

Filesize
4KB

Download
memory/5064-13-0x000001BDD5650000-0x000001BDD58C0000-memory.dmp

Filesize
2.4MB

Download