Malware Analysis Report

2024-11-15 05:36

Sample ID 240603-mnzhjsbe8w
Target ls.exe
SHA256 0329e4b80be853302b4cb08a84d70b54de5cb86247e50e5cc6d4a8f568a9aa00
Tags
discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0329e4b80be853302b4cb08a84d70b54de5cb86247e50e5cc6d4a8f568a9aa00

Threat Level: Shows suspicious behavior

The file ls.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Loads dropped DLL

Modifies file permissions

Adds Run key to start application

Unsigned PE

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 10:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 10:37

Reported

2024-06-03 10:39

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ls.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Adds Run key to start application

persistence
Description   Set value (str)
Indicator     \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security = "C:\\Users\\Admin\\AppData\\Roaming\\(s)AINT\\saint.jar"
Process       C:\Windows\SYSTEM32\REG.exe
Target        N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\REG.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ls.exe

"C:\Users\Admin\AppData\Local\Temp\ls.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\ls.exe"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\REG.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V "Security" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\(s)AINT\saint.jar"
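The four command lines above are enough to reproduce the report's persistence and ACL findings by hand. The Python below is an added example by the editor, not part of the sandbox report or its signature engine: it splits each command line the way Windows does (double quotes group an argument) and then applies three rules. The sample lines are copied from the Processes section; the rule logic and the ATT&CK technique IDs are the editor's own. One caveat a triager should know: the Oracle JRE 8 usage tracker itself creates C:\ProgramData\Oracle\Java\.oracle_jre_usage and issues the identical icacls grant, so that line is JRE noise rather than attacker-controlled ACL weakening, and the example downgrades it to informational. The REG ADD line is the real persistence: a Run value named Security pointing at saint.jar under %APPDATA%\(s)AINT, which relies on the .jar file association to launch javaw at logon.

```python
# Added example (editor's code, not the sandbox's signature engine):
# classify process command lines into the findings the report tags.

# Command lines copied from the behavioral2 Processes section.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\ls.exe"',
    r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\ls.exe"',
    r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M',
    r'REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V "Security" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\(s)AINT\saint.jar"',
]

RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# The Oracle JRE 8 usage tracker creates this directory and applies the
# same "everyone:(OI)(CI)M" grant itself; on its own it is JRE noise.
JRE_USAGE_DIR = r"c:\programdata\oracle\java\.oracle_jre_usage"
BROAD_PRINCIPALS = ("everyone", "users", "authenticated users")


def split_cmdline(cmdline):
    """Minimal Windows-style argv split: whitespace separates arguments
    except inside double quotes, and the quotes themselves are dropped.
    Backslashes are literal (none of the sample paths escape a quote)."""
    args, cur, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True
        elif ch.isspace() and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append("".join(cur))
    return args


def _switch_value(args, switch):
    """Value following a case-insensitive switch such as /V or /D, or None."""
    lowered = [a.lower() for a in args]
    if switch.lower() in lowered:
        i = lowered.index(switch.lower())
        if i + 1 < len(args):
            return args[i + 1]
    return None


def triage(cmdline):
    """Return a list of (tag, finding) tuples for one process command line."""
    args = split_cmdline(cmdline)
    if not args:
        return []
    image = args[0].rsplit("\\", 1)[-1].lower()
    lowered = [a.lower() for a in args]
    findings = []

    # Rule 1: REG ADD into a Run/RunOnce key (ATT&CK T1547.001).
    if image in ("reg", "reg.exe") and len(args) > 2 and lowered[1] == "add":
        if lowered[2].endswith(RUN_KEY_SUFFIXES):
            findings.append(("T1547.001", "Run key persistence: value %s -> %s"
                             % (_switch_value(args, "/v"), _switch_value(args, "/d"))))

    # Rule 2: icacls granting a broad principal rights (T1222.001),
    # except on the JRE usage-tracker directory, which the JRE does itself.
    elif image == "icacls.exe" and "/grant" in lowered and len(args) > 1:
        broad = [a for a in args
                 if ":(" in a and a.split(":", 1)[0].lower() in BROAD_PRINCIPALS]
        if broad and lowered[1] == JRE_USAGE_DIR:
            findings.append(("info", "icacls on .oracle_jre_usage: JRE usage-tracker "
                                     "behaviour, not attacker-controlled"))
        elif broad:
            findings.append(("T1222.001", "ACL opened to %s on %s"
                             % (", ".join(broad), args[1])))

    # Rule 3: java/javaw -jar pointed at something that is not a .jar (T1036).
    elif image in ("java.exe", "javaw.exe") and "-jar" in lowered:
        i = lowered.index("-jar")
        if i + 1 < len(args) and not lowered[i + 1].endswith(".jar"):
            findings.append(("T1036", "java -jar on a non-.jar file "
                                      "(EXE/JAR polyglot?): %s" % args[i + 1]))
    return findings


def triage_report(cmdlines):
    """[(cmdline, findings)] for every command line that produced a finding."""
    return [(c, triage(c)) for c in cmdlines if triage(c)]


if __name__ == "__main__":
    for cmdline, findings in triage_report(SAMPLE_CMDLINES):
        for tag, text in findings:
            print("%-10s %s" % (tag, text))
```

Run as a script it lists one T1036, one info and one T1547.001 finding; the bare ls.exe launch produces nothing, which matches the report attributing every signature to the child processes rather than to ls.exe itself.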

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
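Every Network row is a PTR (reverse) lookup sent to the resolver 8.8.8.8:53. An in-addr.arpa name lists the address octets in reverse order, so 172.210.232.199.in-addr.arpa is a lookup of 199.232.210.172, not of 172.210.232.199. The Python below, an added example by the editor and not part of the report, decodes the rows back to the addresses actually queried so they can be checked against an allowlist or threat-intel feed; the rows are copied from the table above and the parsing is the editor's own.

```python
# Added example (editor's code, not the sandbox's): decode the PTR query
# names in the Network table back to the IPv4 addresses being looked up.
import ipaddress

# Rows copied from the behavioral2 Network section.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
"""

REV_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d'. Raises ValueError when the name
    is not a well-formed IPv4 reverse name (wrong suffix, octet count or
    an octet outside 0-255)."""
    n = name.strip().rstrip(".").lower()
    if not n.endswith(REV_SUFFIX):
        raise ValueError("not an IPv4 reverse name: %r" % name)
    octets = n[:-len(REV_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError("expected 4 octets, got %d: %r" % (len(octets), name))
    # IPv4Address validates each octet (digits only, 0-255).
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def parse_network_rows(text):
    """Parse 'Country Destination Domain Proto' rows and return a list of
    (resolver, queried_ip) for the PTR lookups, skipping any other rows."""
    lookups = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _country, dest, domain, _proto = parts
        if not domain.lower().endswith(REV_SUFFIX):
            continue
        lookups.append((dest, ptr_name_to_ip(domain)))
    return lookups


def summarize(lookups):
    """Group the queried addresses by resolver, so it is obvious at a glance
    that every lookup went to one resolver and which hosts were named."""
    by_resolver = {}
    for resolver, ip in lookups:
        by_resolver.setdefault(resolver, []).append(ip)
    return by_resolver


if __name__ == "__main__":
    for resolver, ips in summarize(parse_network_rows(NETWORK_ROWS)).items():
        print(resolver)
        for ip in ips:
            print("  PTR lookup of", ip)
```

The decoded list contains no forward lookups of a C2 hostname; only reverse lookups, which is consistent with the behavioral1 run (Windows 7) recording no network activity at all. Absence of C2 traffic inside a 150-second detonation is not evidence that the payload has none.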

Files

memory/452-0-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2028-3-0x0000026F01410000-0x0000026F01680000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 3d96e21c70a5a5d76fd7df327a609a01
SHA1 7c75b30b79b8f6ebb75a877300e0924dd7f9f595
SHA256 e4430d609b0315f77bbf217e3e3d035242533727fa6fdc5e0f20fd2bebaede94
SHA512 185fe3b49da5455733cbc0da5ea72e7b732443696749c866668d721ee867876de20e6c72fbf44aa37db416753550633a0caf8e7712360803178e3b7def7130e3

C:\Users\Admin\AppData\Local\Temp\JNativeHook_7236323743287549532.dll

MD5 d12501aaf90c14a87678c1199c332694
SHA1 47a09b3b92928d9076ad162d2f03f3426fe38095
SHA256 fc23a64cc52f5b19e310a8d96b1fbfec981310359bda907f5931a53360485fbc
SHA512 ee0cc22ba3c28fdf1cfd1721b466f8ccd0ac590ea37f7be77a8c7e8ed9aa7ee563921b2106e9ca05cd606706eaf17b4f835053104da4567b75f1f6ccb7e6ce94

memory/2028-23-0x0000026F7FB20000-0x0000026F7FB21000-memory.dmp

memory/2028-24-0x0000026F7FB20000-0x0000026F7FB21000-memory.dmp

memory/2028-25-0x000000006FF40000-0x000000006FF50000-memory.dmp

memory/2028-29-0x0000026F01410000-0x0000026F01680000-memory.dmp
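The static analysis flags ls.exe only as an unsigned PE, yet behavioral2 shows javaw.exe run with -jar on that same .exe. Both are true at once because a JAR is a ZIP archive, and ZIP readers locate the archive from its end-of-central-directory record near the end of the file, so a PE with a JAR appended is simultaneously a valid executable and a valid JAR. The dropped JNativeHook_7236323743287549532.dll is the native part of the JNativeHook library (global keyboard and mouse hooks for Java), which accounts for the SetWindowsHookEx signature on javaw.exe. The Python below is an added example by the editor, not code from the report: it builds a constructed PE-plus-JAR sample in memory (not the real ls.exe) and shows how to detect the polyglot and read the Main-Class that javaw would run.

```python
# Added example (editor's code, not part of the report): detect an EXE that
# is also a valid JAR, the layout implied by "javaw.exe -jar ls.exe" above.
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"        # ZIP end-of-central-directory signature
EOCD_MIN = 22                    # fixed EOCD size without a comment
MAX_COMMENT = 0xFFFF


def is_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at PE\\0\\0."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_zip_eocd(data):
    """Offset of the EOCD record, or -1. ZIP readers scan backwards from EOF
    (at most 65535 bytes of comment), so a ZIP appended after a PE is found
    regardless of what precedes it."""
    tail = data[-(EOCD_MIN + MAX_COMMENT):]
    idx = tail.rfind(EOCD_SIG)
    return -1 if idx < 0 else len(data) - len(tail) + idx


def jar_entries(data):
    """Entry names if data is a readable ZIP/JAR (prefix data allowed), else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def jar_main_class(data):
    """Main-Class from META-INF/MANIFEST.MF, i.e. what 'java -jar' would start."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.lower().startswith("main-class:"):
            return line.split(":", 1)[1].strip()
    return None


def classify(data):
    """'pe+jar polyglot', 'pe', 'jar' or 'unknown'."""
    pe = is_pe(data)
    names = jar_entries(data) if find_zip_eocd(data) >= 0 else None
    if pe and names is not None:
        return "pe+jar polyglot"
    if pe:
        return "pe"
    if names is not None:
        return "jar"
    return "unknown"


def build_sample():
    """Constructed sample: a minimal MZ/PE stub with a two-entry JAR appended."""
    stub = bytearray(0x100)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)     # e_lfanew -> PE signature
    stub[0x80:0x84] = b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Main\n")
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe")   # class-file magic only
    return bytes(stub) + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample), "EOCD at", hex(find_zip_eocd(sample)),
          "Main-Class", jar_main_class(sample))
```

On a real sample the same functions run over the file bytes; when classify() reports the polyglot, the JAR side is the part worth unpacking and decompiling, since that is what javaw actually executes and the PE stub is only the launcher.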

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 10:37

Reported

2024-06-03 10:40

Platform

win7-20240221-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ls.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\ls.exe

"C:\Users\Admin\AppData\Local\Temp\ls.exe"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\ls.exe"

Network

N/A

Files

memory/2700-0-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2292-3-0x00000000021A0000-0x0000000002410000-memory.dmp

memory/2292-12-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2292-13-0x00000000021A0000-0x0000000002410000-memory.dmp