Analysis Overview
SHA256
5daa38a2692827ae02e4cf058cb9d0dded63fb774437916045827652bf1c3b5e
Threat Level: Shows suspicious behavior
The file 5daa38a2692827ae02e4cf058cb9d0dded63fb774437916045827652bf1c3b5e was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Modifies file permissions
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 11:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 11:17
Reported
2024-06-03 11:19
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2528 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\5daa38a2692827ae02e4cf058cb9d0dded63fb774437916045827652bf1c3b5e.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5daa38a2692827ae02e4cf058cb9d0dded63fb774437916045827652bf1c3b5e.exe
"C:\Users\Admin\AppData\Local\Temp\5daa38a2692827ae02e4cf058cb9d0dded63fb774437916045827652bf1c3b5e.exe"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\5daa38a2692827ae02e4cf058cb9d0dded63fb774437916045827652bf1c3b5e.exe"
Network
Files
memory/2528-0-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1716-3-0x0000000002610000-0x0000000002880000-memory.dmp
memory/1716-11-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1716-14-0x0000000002610000-0x0000000002880000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 11:17
Reported
2024-06-03 11:19
Platform
win10v2004-20240426-en
Max time kernel
108s
Max time network
93s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4500 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\5daa38a2692827ae02e4cf058cb9d0dded63fb774437916045827652bf1c3b5e.exe | C:\Program Files\Java\jre-1.8\bin\javaw.exe |
| PID 2020 wrote to memory of 1976 | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5daa38a2692827ae02e4cf058cb9d0dded63fb774437916045827652bf1c3b5e.exe
"C:\Users\Admin\AppData\Local\Temp\5daa38a2692827ae02e4cf058cb9d0dded63fb774437916045827652bf1c3b5e.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\5daa38a2692827ae02e4cf058cb9d0dded63fb774437916045827652bf1c3b5e.exe"
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/4500-0-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2020-3-0x0000025D097C0000-0x0000025D09A30000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | ec9ea093e569ec00b532592f8276b7f6 |
| SHA1 | 9baacd2e801490a0fd274689909d8058deb8dba8 |
| SHA256 | 444d0befc856c536443dc3629e2dac5d386bbcf0993bf531e468f7e166f4279b |
| SHA512 | ee6eaa00922461fe17fdf2dc178db2aca8aaa45ace658e8e0da31825cf0fd34648e43b1c1cc579c44e34a848e2fe39982ab1c2a6292ca3689fc8c034f501699c |
C:\Users\Admin\AppData\Local\Temp\+~JF5812642813926863402.tmp
| MD5 | 7f690e503a254e0b8349aec0177e07aa |
| SHA1 | 127f241871a9fe42cd8d073a0835410f3824d57c |
| SHA256 | 7ae714b63c2c8b940bdd211a0cc678f01168a34eea8aa13c0df25364f29238a7 |
| SHA512 | 329b4fcd0cbb804324a2a0e41542b64949208cffb18d38af50a7ccbaa007c0baf2b241a8077b4db0f6e97385e65ada7d73f6d06a5e55411d549b5a3bf29cd641 |
C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
| MD5 | 55f4de7f270663b3dc712b8c9eed422a |
| SHA1 | 7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4 |
| SHA256 | 47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25 |
| SHA512 | 9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996 |