Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
23-05-2024 05:27
Static task
static1
Behavioral task
behavioral1
Sample
LEAK.zip
Resource
win11-20240426-en
General
-
Target
LEAK.zip
-
Size
2.4MB
-
MD5
1b03fb2fff99a30c3117f154b38977e2
-
SHA1
584be67f611ad99e0f9e64e7ea2de5853afd983a
-
SHA256
99fbae6c058b88942180276547978801158197e3fc7b044b87482c628e63a85f
-
SHA512
79db186076d06150956d7a549e05116da739b0556ad64cc921c4f53580d4f578bc45f66b0a5b89454ae5012f70e97e528c4e2a6e28a19e76da99fcc3ae580f8a
-
SSDEEP
49152:hd7P7P81OkcmASUhp0/zwvcNjqd/nWFJ0m5YtROINyTO:hdjb81OkxGFcNvFJXeO/y
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXE
pid process
900 NOTEPAD.EXE
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
cmd.exe, java.exe
description pid process target process
PID 3260 wrote to memory of 2616 3260 cmd.exe java.exe
PID 3260 wrote to memory of 2616 3260 cmd.exe java.exe
PID 2616 wrote to memory of 2420 2616 java.exe icacls.exe
PID 2616 wrote to memory of 2420 2616 java.exe icacls.exe
Processes
-
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\LEAK.zip
1⤵
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\start.bat" "
1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar Discord-Token-Checker.jar
2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
3⤵
- Modifies file permissions
-
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\tokens.txt
1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize 46B
MD5 bdca4eb1096a34cb03b73b91606d628b
SHA1 33262e4b246ed9133551136e6ec2ff43398e3501
SHA256 a2da6b2602f26102ff33d49402bb74e048c63bf292bd672a296c7f97c6bd24ac
SHA512 6714a52684f21bf216f3a17a3ea77fd1e2134a9c6a32e497a8cbd32558bd1c5aff612f2914568ace310693ca7dbcf2e83929fbcfb7ed87377af2809c8a7f6d00
-
memory/2616-2-0x000002954D8A0000-0x000002954DB10000-memory.dmp
Filesize 2.4MB
-
memory/2616-13-0x000002954D880000-0x000002954D881000-memory.dmp
Filesize 4KB
-
memory/2616-14-0x000002954D8A0000-0x000002954DB10000-memory.dmp
Filesize 2.4MB