Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
04-06-2024 12:41
Static task
static1
Behavioral task
behavioral1
Sample
79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
B2856B11FF23D35DA2C9C906C61781BA_purchaseorder.jar
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
Resource
win7-20240419-en
Behavioral task
behavioral6
Sample
DB46ADCFAE462E7C475C171FBE66DF82_paymentadvice.jar
Resource
win10v2004-20240508-en
General
-
Target
79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar
-
Size
123KB
-
MD5
79e9dd35aef6558461c4b93cd0c55b76
-
SHA1
09c6b30b7ff918d54ee6db72bf1bc41b5d6f1ca1
-
SHA256
53ab4883cc1e84f1f1732bb2fdb97358490b9134156eedc516d6dde6b97018ba
-
SHA512
61b4121768900bd8a6a5c056f02b7d0f34d6fd2124742f80b9b80e028dbd679d961cf24a1d36c460d69b90034a107fee89fb8cf30b280265c96bd4bf38e838c0
-
SSDEEP
1536:XDBcxrH8YRt1mYuFGTU1Mep4fKz6stVwG/JLWOOpXILt4vhwJ+/aW6Ef2u3jx0OF:zCRjKFGTMpOKzJtVRRLWO/4OW1XdJPB
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" regedit.exe -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 34 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\editcap.exe regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\debugger = "svchost.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger = "svchost.exe" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\debugger = "svchost.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\debugger = "svchost.exe" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\editcap.exe\debugger = "svchost.exe" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger = "svchost.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe\debugger = "svchost.exe" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "svchost.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger = "svchost.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger = "svchost.exe" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mergecap.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mergecap.exe\debugger = "svchost.exe" regedit.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 3984 attrib.exe 4064 attrib.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2936 icacls.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yBoBG0m3Gt = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\jcwDpUEpCh\\LcuSMagrlF.txt\"" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yBoBG0m3Gt = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\jcwDpUEpCh\\LcuSMagrlF.txt\"" reg.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\jcwDpUEpCh\Desktop.ini attrib.exe File created C:\Users\Admin\AppData\Roaming\jcwDpUEpCh\Desktop.ini java.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\tem.txt java.exe File opened for modification C:\Windows\tem.txt java.exe File created C:\Windows\tem.txt javaw.exe File opened for modification C:\Windows\tem.txt javaw.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 1644 reg.exe 2432 reg.exe 832 reg.exe 636 reg.exe -
Runs .reg file with regedit 1 IoCs
pid Process 1376 regedit.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4404 java.exe 2488 javaw.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 4404 wrote to memory of 2936 4404 java.exe 84 PID 4404 wrote to memory of 2936 4404 java.exe 84 PID 4404 wrote to memory of 1644 4404 java.exe 92 PID 4404 wrote to memory of 1644 4404 java.exe 92 PID 4404 wrote to memory of 2432 4404 java.exe 93 PID 4404 wrote to memory of 2432 4404 java.exe 93 PID 4404 wrote to memory of 3984 4404 java.exe 94 PID 4404 wrote to memory of 3984 4404 java.exe 94 PID 4404 wrote to memory of 4064 4404 java.exe 97 PID 4404 wrote to memory of 4064 4404 java.exe 97 PID 4404 wrote to memory of 2488 4404 java.exe 100 PID 4404 wrote to memory of 2488 4404 java.exe 100 PID 2488 wrote to memory of 832 2488 javaw.exe 102 PID 2488 wrote to memory of 832 2488 javaw.exe 102 PID 2488 wrote to memory of 636 2488 javaw.exe 103 PID 2488 wrote to memory of 636 2488 javaw.exe 103 PID 2488 wrote to memory of 2324 2488 javaw.exe 108 PID 2488 wrote to memory of 2324 2488 javaw.exe 108 PID 2324 wrote to memory of 1376 2324 cmd.exe 110 PID 2324 wrote to memory of 1376 2324 cmd.exe 110 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 3984 attrib.exe 4064 attrib.exe
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\79e9dd35aef6558461c4b93cd0c55b76_Purchase Order.jar"1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M2⤵
- Modifies file permissions
PID:2936
-
-
C:\Windows\SYSTEM32\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v yBoBG0m3Gt /t REG_SZ /d "\"C:\Program Files\Java\jre-1.8\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\jcwDpUEpCh\LcuSMagrlF.txt\"" /f2⤵
- Adds Run key to start application
- Modifies registry key
PID:1644
-
-
C:\Windows\SYSTEM32\reg.exereg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v yBoBG0m3Gt /f2⤵
- Modifies registry key
PID:2432
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Roaming\jcwDpUEpCh\*.*"2⤵
- Sets file to hidden
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:3984
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +s +h +r "C:\Users\Admin\AppData\Roaming\jcwDpUEpCh"2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4064
-
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\jcwDpUEpCh\LcuSMagrlF.txt"2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SYSTEM32\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v yBoBG0m3Gt /t REG_SZ /d "\"C:\Program Files\Java\jre-1.8\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\jcwDpUEpCh\LcuSMagrlF.txt\"" /f3⤵
- Adds Run key to start application
- Modifies registry key
PID:832
-
-
C:\Windows\SYSTEM32\reg.exereg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v yBoBG0m3Gt /f3⤵
- Modifies registry key
PID:636
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c regedit /s C:\Users\Admin\AppData\Local\Temp\TaskNetworkGathor8123578931222131026.reg3⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\regedit.exeregedit /s C:\Users\Admin\AppData\Local\Temp\TaskNetworkGathor8123578931222131026.reg4⤵
- UAC bypass
- Sets file execution options in registry
- Runs .reg file with regedit
PID:1376
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD52987498c8b278665cf86f31dc4134bb0
SHA15c148b80d0574ed61b27b850f28de2905bde0d60
SHA2565e694a1b27c2586776234b1cd9cd9bb595373ab94cc26a9e78d9b2e14d6cb3b1
SHA5126c0670795dc646ab51c87425b673488370cee7760525b00dc016b51749803a8745e4df35fa81c56297ea564cc9c07c2259ce2181ee7115103e8809d7fb015845
-
Filesize
2KB
MD56486acf0ca96ecdc981398855255b699
SHA166ec7eb84247848d0d80beec8790cd6788704cd3
SHA256f96b76b3db9739c7d7e0fcac48c19191895abb5b5d18eca35cfbb9c695fbfcfc
SHA5126677dff216eab25383539040b5d48e9fd9c6025e6276b973bd462349451616ad6bc59d07e7c760f40c326446cd5eb19417c14cb0e35f169cd702d2be1202c8fd
-
Filesize
63B
MD5e783bdd20a976eaeaae1ff4624487420
SHA1c2a44fab9df00b3e11582546b16612333c2f9286
SHA2562f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3
SHA5128c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80
-
Filesize
123KB
MD579e9dd35aef6558461c4b93cd0c55b76
SHA109c6b30b7ff918d54ee6db72bf1bc41b5d6f1ca1
SHA25653ab4883cc1e84f1f1732bb2fdb97358490b9134156eedc516d6dde6b97018ba
SHA51261b4121768900bd8a6a5c056f02b7d0f34d6fd2124742f80b9b80e028dbd679d961cf24a1d36c460d69b90034a107fee89fb8cf30b280265c96bd4bf38e838c0