Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 10:37
Static task: static1
Behavioral task: behavioral1
  Sample: ls.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ls.exe
  Resource: win10v2004-20240426-en
General
Target: ls.exe
Size: 3.1MB
MD5: 9fee5d57bbc9ad824a24680ea7e5b6ee
SHA1: 79a94ee440c1dd97fb91b07d9c18d3e56c2d89a1
SHA256: 0329e4b80be853302b4cb08a84d70b54de5cb86247e50e5cc6d4a8f568a9aa00
SHA512: 4cf814c24341ff2a19be8f7a53a35440fa7dac351c676c1524eae7f76832e3ca73b2c2130df22e75e62b361feb6cd40709d957adeadcc8be673e1586cc2518cf
SSDEEP: 49152:HFiLmDjg0HEUKlTuK6igRROMCTI93qkw6SPjVqr1oO7jFj8Jlne+htT+:kSDjTHEUKlTuKZgjsT63+60JqZZn58Jg
Malware Config
Signatures
Loads dropped DLL (1 IoC)
Processes:
  pid 2028, process javaw.exe

Modifies file permissions (1 TTP, 1 IoC)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security = "C:\\Users\\Admin\\AppData\\Roaming\\(s)AINT\\saint.jar"
  process: REG.exe

Modifies registry key (1 TTP, 1 IoC)

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid 2028, process javaw.exe
  pid 2028, process javaw.exe
  pid 2028, process javaw.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
  PID 452 wrote to memory of 2028 | 452 | ls.exe | javaw.exe
  PID 452 wrote to memory of 2028 | 452 | ls.exe | javaw.exe
  PID 2028 wrote to memory of 2572 | 2028 | javaw.exe | icacls.exe
  PID 2028 wrote to memory of 2572 | 2028 | javaw.exe | icacls.exe
  PID 2028 wrote to memory of 1896 | 2028 | javaw.exe | REG.exe
  PID 2028 wrote to memory of 1896 | 2028 | javaw.exe | REG.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ls.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ls.exe"
    - Suspicious use of WriteProcessMemory
    PID: 452
  [2] C:\Program Files\Java\jre-1.8\bin\javaw.exe
      command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\ls.exe"
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2028
    [3] C:\Windows\system32\icacls.exe
        command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        - Modifies file permissions
        PID: 2572
    [3] C:\Windows\SYSTEM32\REG.exe
        command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V "Security" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\(s)AINT\saint.jar"
        - Adds Run key to start application
        - Modifies registry key
        PID: 1896
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 46B
MD5: 3d96e21c70a5a5d76fd7df327a609a01
SHA1: 7c75b30b79b8f6ebb75a877300e0924dd7f9f595
SHA256: e4430d609b0315f77bbf217e3e3d035242533727fa6fdc5e0f20fd2bebaede94
SHA512: 185fe3b49da5455733cbc0da5ea72e7b732443696749c866668d721ee867876de20e6c72fbf44aa37db416753550633a0caf8e7712360803178e3b7def7130e3

Filesize: 57KB
MD5: d12501aaf90c14a87678c1199c332694
SHA1: 47a09b3b92928d9076ad162d2f03f3426fe38095
SHA256: fc23a64cc52f5b19e310a8d96b1fbfec981310359bda907f5931a53360485fbc
SHA512: ee0cc22ba3c28fdf1cfd1721b466f8ccd0ac590ea37f7be77a8c7e8ed9aa7ee563921b2106e9ca05cd606706eaf17b4f835053104da4567b75f1f6ccb7e6ce94