b9a5b32114808df18c54351d3ea8678c8d2a242d6d3d93eb138f44e204978302

Resubmissions

04-07-2024 07:49

240704-jn7blstcmh 7

04-07-2024 07:03

240704-hvqf1asbjh 7

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nedbank-DOC-0935512.txt.jar
Size

141KB
MD5

9632c861dc335dbb603578d75078934a
SHA1

85ec491467d84c29aaa1cb6eb70045fb7c4fd1de
SHA256

b9a5b32114808df18c54351d3ea8678c8d2a242d6d3d93eb138f44e204978302
SHA512

7604aaaca0c44734c76ca21bec353edeec0ff3bec55004c3fddf66bb021dd9c014da8b6111b4f9e9a04643b5659c96ff6b13fb16ef47779066b939bdcdba26c5
SSDEEP

384:y3VJG66/4oWdbm7xNE05eabEoas2FYKxeUUfc1Eq+HPO:ylwylAPE04a4Js2FY2U03

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001.jar	java.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
448	icacls.exe

Enumerates processes with tasklist 1 TTPs 21 IoCs

Process Discovery

T1057

pid	Process
4616	tasklist.exe
4724	tasklist.exe
1148	tasklist.exe
4904	tasklist.exe
1608	tasklist.exe
2428	tasklist.exe
2724	tasklist.exe
2960	tasklist.exe
1436	tasklist.exe
996	tasklist.exe
2608	tasklist.exe
2292	tasklist.exe
1500	tasklist.exe
4368	tasklist.exe
992	tasklist.exe
1232	tasklist.exe
2572	tasklist.exe
632	tasklist.exe
1420	tasklist.exe
2220	tasklist.exe
4016	tasklist.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	tasklist.exe
Token: SeDebugPrivilege	992	tasklist.exe
Token: SeDebugPrivilege	1232	tasklist.exe
Token: SeDebugPrivilege	2572	tasklist.exe
Token: SeDebugPrivilege	4724	tasklist.exe
Token: SeDebugPrivilege	1436	tasklist.exe
Token: SeDebugPrivilege	1148	tasklist.exe
Token: SeDebugPrivilege	4904	tasklist.exe
Token: SeDebugPrivilege	996	tasklist.exe
Token: SeDebugPrivilege	632	tasklist.exe
Token: SeDebugPrivilege	1608	tasklist.exe
Token: SeDebugPrivilege	1420	tasklist.exe
Token: SeDebugPrivilege	2428	tasklist.exe
Token: SeDebugPrivilege	2608	tasklist.exe
Token: SeDebugPrivilege	2292	tasklist.exe
Token: SeDebugPrivilege	2220	tasklist.exe
Token: SeDebugPrivilege	2724	tasklist.exe
Token: SeDebugPrivilege	1500	tasklist.exe
Token: SeDebugPrivilege	4368	tasklist.exe
Token: SeDebugPrivilege	2960	tasklist.exe
Token: SeDebugPrivilege	4016	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4680	java.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 448	2944	java.exe	82
PID 2944 wrote to memory of 448	2944	java.exe	82
PID 2944 wrote to memory of 4616	2944	java.exe	84
PID 2944 wrote to memory of 4616	2944	java.exe	84
PID 2944 wrote to memory of 992	2944	java.exe	87
PID 2944 wrote to memory of 992	2944	java.exe	87
PID 2944 wrote to memory of 1232	2944	java.exe	89
PID 2944 wrote to memory of 1232	2944	java.exe	89
PID 2944 wrote to memory of 2572	2944	java.exe	91
PID 2944 wrote to memory of 2572	2944	java.exe	91
PID 2944 wrote to memory of 4724	2944	java.exe	93
PID 2944 wrote to memory of 4724	2944	java.exe	93
PID 2944 wrote to memory of 1436	2944	java.exe	95
PID 2944 wrote to memory of 1436	2944	java.exe	95
PID 2944 wrote to memory of 1148	2944	java.exe	97
PID 2944 wrote to memory of 1148	2944	java.exe	97
PID 2944 wrote to memory of 4904	2944	java.exe	99
PID 2944 wrote to memory of 4904	2944	java.exe	99
PID 2944 wrote to memory of 996	2944	java.exe	101
PID 2944 wrote to memory of 996	2944	java.exe	101
PID 2944 wrote to memory of 632	2944	java.exe	103
PID 2944 wrote to memory of 632	2944	java.exe	103
PID 2944 wrote to memory of 1608	2944	java.exe	105
PID 2944 wrote to memory of 1608	2944	java.exe	105
PID 2944 wrote to memory of 1420	2944	java.exe	107
PID 2944 wrote to memory of 1420	2944	java.exe	107
PID 2944 wrote to memory of 2428	2944	java.exe	109
PID 2944 wrote to memory of 2428	2944	java.exe	109
PID 2944 wrote to memory of 2608	2944	java.exe	111
PID 2944 wrote to memory of 2608	2944	java.exe	111
PID 2944 wrote to memory of 2292	2944	java.exe	113
PID 2944 wrote to memory of 2292	2944	java.exe	113
PID 2944 wrote to memory of 2220	2944	java.exe	115
PID 2944 wrote to memory of 2220	2944	java.exe	115
PID 2944 wrote to memory of 2724	2944	java.exe	117
PID 2944 wrote to memory of 2724	2944	java.exe	117
PID 2944 wrote to memory of 1500	2944	java.exe	119
PID 2944 wrote to memory of 1500	2944	java.exe	119
PID 2944 wrote to memory of 4368	2944	java.exe	121
PID 2944 wrote to memory of 4368	2944	java.exe	121
PID 2944 wrote to memory of 2960	2944	java.exe	123
PID 2944 wrote to memory of 2960	2944	java.exe	123
PID 2944 wrote to memory of 4016	2944	java.exe	125
PID 2944 wrote to memory of 4016	2944	java.exe	125
PID 2944 wrote to memory of 4680	2944	java.exe	129
PID 2944 wrote to memory of 4680	2944	java.exe	129

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Nedbank-DOC-0935512.txt.jar
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:448
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java -jar "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
dce91775649d1785bafbe088ea46dc30

SHA1
5192ec4e8b5d4e4fd9a60f59a82757f9762406d4

SHA256
a1cd4a7897a812c28e3a155593647f40218d136f71d2f3087dac4e906a5cf3be

SHA512
ff2db530a823aa20c60401fbb4d1576c5e73f957f9cd944b2ef94031777dfb248fd69f33082e934f26a484dde0706915e0fe5a3a3fd49a516afd3d0fabbb829d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001.jar

Filesize
199KB

MD5
1500ec1f9c72b694d461f3d860c06974

SHA1
b245d9a5f628f34cc74872f1a23d33b31d6c41fa

SHA256
8ba3d0506abaca3702a369fc50c2c15c8389860dc8de8746f416f550a28c5e35

SHA512
a233e6ade6ffe7c511a865a8aba46969568cac82a62f65ee286eae87ffaab2b54484add028710423b5623f7188094bf6b2f265d579e57f1381111952708d63b8

Download Submit
memory/2944-2-0x0000022D43760000-0x0000022D439D0000-memory.dmp

Filesize
2.4MB

Download
memory/2944-12-0x0000022D41EC0000-0x0000022D41EC1000-memory.dmp

Filesize
4KB

Download
memory/2944-54-0x0000022D41EC0000-0x0000022D41EC1000-memory.dmp

Filesize
4KB

Download
memory/2944-57-0x0000022D41EC0000-0x0000022D41EC1000-memory.dmp

Filesize
4KB

Download
memory/2944-59-0x0000022D41EC0000-0x0000022D41EC1000-memory.dmp

Filesize
4KB

Download
memory/2944-60-0x0000022D43760000-0x0000022D439D0000-memory.dmp

Filesize
2.4MB

Download
memory/4680-75-0x0000023A49650000-0x0000023A49651000-memory.dmp

Filesize
4KB

Download
memory/4680-89-0x0000023A49650000-0x0000023A49651000-memory.dmp

Filesize
4KB

Download