b9a5b32114808df18c54351d3ea8678c8d2a242d6d3d93eb138f44e204978302

Resubmissions

04-07-2024 07:49

240704-jn7blstcmh 7

04-07-2024 07:03

240704-hvqf1asbjh 7

Analysis

max time kernel
140s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nedbank-DOC-0935512.txt.jar
Size

141KB
MD5

9632c861dc335dbb603578d75078934a
SHA1

85ec491467d84c29aaa1cb6eb70045fb7c4fd1de
SHA256

b9a5b32114808df18c54351d3ea8678c8d2a242d6d3d93eb138f44e204978302
SHA512

7604aaaca0c44734c76ca21bec353edeec0ff3bec55004c3fddf66bb021dd9c014da8b6111b4f9e9a04643b5659c96ff6b13fb16ef47779066b939bdcdba26c5
SSDEEP

384:y3VJG66/4oWdbm7xNE05eabEoas2FYKxeUUfc1Eq+HPO:ylwylAPE04a4Js2FY2U03

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001.jar	java.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3032	icacls.exe

Enumerates processes with tasklist 1 TTPs 21 IoCs

Process Discovery

T1057

pid	Process
2316	tasklist.exe
3088	tasklist.exe
4636	tasklist.exe
2640	tasklist.exe
5032	tasklist.exe
4920	tasklist.exe
116	tasklist.exe
524	tasklist.exe
4884	tasklist.exe
2924	tasklist.exe
4312	tasklist.exe
4948	tasklist.exe
1832	tasklist.exe
1348	tasklist.exe
3912	tasklist.exe
4888	tasklist.exe
2780	tasklist.exe
312	tasklist.exe
4140	tasklist.exe
1012	tasklist.exe
2264	tasklist.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	tasklist.exe
Token: SeDebugPrivilege	4920	tasklist.exe
Token: SeDebugPrivilege	4140	tasklist.exe
Token: SeDebugPrivilege	4312	tasklist.exe
Token: SeDebugPrivilege	1012	tasklist.exe
Token: SeDebugPrivilege	4948	tasklist.exe
Token: SeDebugPrivilege	1832	tasklist.exe
Token: SeDebugPrivilege	4888	tasklist.exe
Token: SeDebugPrivilege	116	tasklist.exe
Token: SeDebugPrivilege	2264	tasklist.exe
Token: SeDebugPrivilege	524	tasklist.exe
Token: SeDebugPrivilege	2316	tasklist.exe
Token: SeDebugPrivilege	2780	tasklist.exe
Token: SeDebugPrivilege	4884	tasklist.exe
Token: SeDebugPrivilege	3088	tasklist.exe
Token: SeDebugPrivilege	4636	tasklist.exe
Token: SeDebugPrivilege	2640	tasklist.exe
Token: SeDebugPrivilege	312	tasklist.exe
Token: SeDebugPrivilege	2924	tasklist.exe
Token: SeDebugPrivilege	1348	tasklist.exe
Token: SeDebugPrivilege	3912	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2912	java.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 3032	3552	java.exe	81
PID 3552 wrote to memory of 3032	3552	java.exe	81
PID 3552 wrote to memory of 5032	3552	java.exe	83
PID 3552 wrote to memory of 5032	3552	java.exe	83
PID 3552 wrote to memory of 4920	3552	java.exe	86
PID 3552 wrote to memory of 4920	3552	java.exe	86
PID 3552 wrote to memory of 4140	3552	java.exe	88
PID 3552 wrote to memory of 4140	3552	java.exe	88
PID 3552 wrote to memory of 4312	3552	java.exe	90
PID 3552 wrote to memory of 4312	3552	java.exe	90
PID 3552 wrote to memory of 1012	3552	java.exe	92
PID 3552 wrote to memory of 1012	3552	java.exe	92
PID 3552 wrote to memory of 4948	3552	java.exe	94
PID 3552 wrote to memory of 4948	3552	java.exe	94
PID 3552 wrote to memory of 1832	3552	java.exe	97
PID 3552 wrote to memory of 1832	3552	java.exe	97
PID 3552 wrote to memory of 4888	3552	java.exe	99
PID 3552 wrote to memory of 4888	3552	java.exe	99
PID 3552 wrote to memory of 116	3552	java.exe	101
PID 3552 wrote to memory of 116	3552	java.exe	101
PID 3552 wrote to memory of 2264	3552	java.exe	103
PID 3552 wrote to memory of 2264	3552	java.exe	103
PID 3552 wrote to memory of 524	3552	java.exe	105
PID 3552 wrote to memory of 524	3552	java.exe	105
PID 3552 wrote to memory of 2316	3552	java.exe	107
PID 3552 wrote to memory of 2316	3552	java.exe	107
PID 3552 wrote to memory of 2780	3552	java.exe	109
PID 3552 wrote to memory of 2780	3552	java.exe	109
PID 3552 wrote to memory of 4884	3552	java.exe	111
PID 3552 wrote to memory of 4884	3552	java.exe	111
PID 3552 wrote to memory of 3088	3552	java.exe	113
PID 3552 wrote to memory of 3088	3552	java.exe	113
PID 3552 wrote to memory of 4636	3552	java.exe	115
PID 3552 wrote to memory of 4636	3552	java.exe	115
PID 3552 wrote to memory of 2640	3552	java.exe	117
PID 3552 wrote to memory of 2640	3552	java.exe	117
PID 3552 wrote to memory of 312	3552	java.exe	119
PID 3552 wrote to memory of 312	3552	java.exe	119
PID 3552 wrote to memory of 2924	3552	java.exe	121
PID 3552 wrote to memory of 2924	3552	java.exe	121
PID 3552 wrote to memory of 1348	3552	java.exe	123
PID 3552 wrote to memory of 1348	3552	java.exe	123
PID 3552 wrote to memory of 3912	3552	java.exe	125
PID 3552 wrote to memory of 3912	3552	java.exe	125
PID 3552 wrote to memory of 2912	3552	java.exe	127
PID 3552 wrote to memory of 2912	3552	java.exe	127

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Nedbank-DOC-0935512.txt.jar
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:3032
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4920
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4948
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3088
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:312
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\SYSTEM32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java -jar "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
b592c21b10ea8c5857446a76658cdf54

SHA1
75e2b2657c2dc155983813e77c50dedb00028913

SHA256
5d1528376d0d1f9f1a2b98a04b21e65580edc1ef16c5c0d23a515d1410e11789

SHA512
ecff6afca6aefb67352386d818df03cd27beeb6e078c63ff986a229cc395d182939a21222fa4012a7080d19d9c137a8ebb53e5815c46401faf2ae015bd84f583

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio3890905832345651405.tmp

Filesize
119KB

MD5
faf19da96b1e3f7693b3e2a5490a664e

SHA1
2c082f93c2b12fa37dba201844993ceacc3a81b3

SHA256
a0af1fa3d30c281dcf674f73910a14af49b03abc87a299eace15350e3c510bdb

SHA512
91cd353cdfa6e72d5d18d83ae42d7195ac8c848a78d0a0cb899630718f46b53f78d7e37cd24bdbb444339840c29c6419c09bbf8e283a32e413204cda5b0a6570

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio4347231525205722680.tmp

Filesize
223KB

MD5
e8d6c502d189454a648ca8961ee8eca1

SHA1
d86870a958a9f9fc69a90b04f11ed4bf5afac1ab

SHA256
153bf5f9fce555666adc9235ab4f90889be93f52e761ad7cb4185e0ac6681cdc

SHA512
aa85a27743d86a916c839374712d6aec9a81696787bbefb774825c9aaf4f53642910c9427ef474eb8630e4daca1a187c7afd13a25e017e7b211dea6a0380ac90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\83aa4cc77f591dfc2374580bbd95f6ba_310807ab-751f-4d81-ae09-b202eaf21e19

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001.jar

Filesize
199KB

MD5
1500ec1f9c72b694d461f3d860c06974

SHA1
b245d9a5f628f34cc74872f1a23d33b31d6c41fa

SHA256
8ba3d0506abaca3702a369fc50c2c15c8389860dc8de8746f416f550a28c5e35

SHA512
a233e6ade6ffe7c511a865a8aba46969568cac82a62f65ee286eae87ffaab2b54484add028710423b5623f7188094bf6b2f265d579e57f1381111952708d63b8

Download Submit
memory/2912-109-0x000002E0139B0000-0x000002E0139B1000-memory.dmp

Filesize
4KB

Download
memory/2912-79-0x000002E0139B0000-0x000002E0139B1000-memory.dmp

Filesize
4KB

Download
memory/2912-91-0x000002E0139B0000-0x000002E0139B1000-memory.dmp

Filesize
4KB

Download
memory/2912-96-0x000002E0139B0000-0x000002E0139B1000-memory.dmp

Filesize
4KB

Download
memory/2912-143-0x000002E0139B0000-0x000002E0139B1000-memory.dmp

Filesize
4KB

Download
memory/2912-152-0x000002E0139B0000-0x000002E0139B1000-memory.dmp

Filesize
4KB

Download
memory/3552-64-0x00000218CB350000-0x00000218CB5C0000-memory.dmp

Filesize
2.4MB

Download
memory/3552-61-0x00000218C9A30000-0x00000218C9A31000-memory.dmp

Filesize
4KB

Download
memory/3552-58-0x00000218C9A30000-0x00000218C9A31000-memory.dmp

Filesize
4KB

Download
memory/3552-2-0x00000218CB350000-0x00000218CB5C0000-memory.dmp

Filesize
2.4MB

Download
memory/3552-57-0x00000218C9A30000-0x00000218C9A31000-memory.dmp

Filesize
4KB

Download
memory/3552-12-0x00000218C9A30000-0x00000218C9A31000-memory.dmp

Filesize
4KB

Download