e85913facd7f49ef93b37109550786334c07fe465cf95fa61c1858467644421b

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin/TestWrapper.bat
Size

8KB
MD5

a69213dd97d7d340b502f44f069b38ee
SHA1

4398e541fb830ba5fd3e37783295c9f71fa9831d
SHA256

93620c9b376ee75b708bb482ea998037df0384862b20ca9114f4e428ef322a54
SHA512

4d8315a85b7df57b49a5b9e6f24e6e2ce61b36be2f7170e98193ef600c0d6adad00b697aef22f22a6508d44c6bd2a117de217e3294c506f60b860d582a3e1722
SSDEEP

192:K093j3Fg9LEdESeReZ8Kl7/fAD1T1yBBjxDcDY6mjX:Jg9LEdj/Z8qDfAnSto6

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrapper.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2128	1548	cmd.exe	85
PID 1548 wrote to memory of 2128	1548	cmd.exe	85
PID 1548 wrote to memory of 2128	1548	cmd.exe	85
PID 2128 wrote to memory of 4920	2128	wrapper.exe	89
PID 2128 wrote to memory of 4920	2128	wrapper.exe	89
PID 2128 wrote to memory of 4272	2128	wrapper.exe	90
PID 2128 wrote to memory of 4272	2128	wrapper.exe	90
PID 2128 wrote to memory of 2964	2128	wrapper.exe	91
PID 2128 wrote to memory of 2964	2128	wrapper.exe	91

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\bin\TestWrapper.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\bin\wrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\wrapper.exe" -c "../conf/wrapper.conf" --
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
    3⤵
    PID:4920
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -classpath "../lib/wrapper.jar;../lib/wrappertest.jar" -Dfile.encoding=Cp1252 org.tanukisoftware.wrapper.bootstrap.WrapperBootstrap 1 org.tanukisoftware.wrapper.test.Main 0
    3⤵
    PID:4272
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -Dfile.encoding=Cp1252 -Djava.library.path="../lib" -classpath "../lib/wrapper.jar;../lib/wrappertest.jar" -Dwrapper.key="V4TOy-n_MRd6ltrC" -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=2128 -Dwrapper.version="3.5.58" -Dwrapper.native_library="wrapper" -Dwrapper.arch="x86" -Dwrapper.cpu.timeout="10" -Dwrapper.jvmid=1 org.tanukisoftware.wrapper.test.Main
    3⤵
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
bb7a855b5fb7b658bb56defed2c79a16

SHA1
c253ed2f6017a80f4b2752be102f058e6b423b9e

SHA256
698a3aeb4923cc4459b916fb5f851832ce0139a110a5acc78e55b269d0db4693

SHA512
5b651cd21a11d30ed6fcc2d0e3ea687569a8be34bb12c9a378e7c8f453c006d323f5684fcd7d254b5be7dbeee1fe26755355e1cf84fb5131dd16e70574d28497

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
e635a79adaa913c3c24c558fdb5a404c

SHA1
a4ebdccc76df9aeed829b700ac0e178e32ab9ba8

SHA256
80034dd36cea6e27f3c46938b4c8668ebbe92a6722b497b38ad30b7d66742ec2

SHA512
9c14e3e0ae9f9d3aed5b1b35c79cd1650c76dfcb4f514dba6e424425b0e3ffb3b8403623fdd2221211d851b1339c07d52f4ce026446d33389f69d3fb06e69ed1

Download Submit
memory/2964-48-0x0000024E36950000-0x0000024E36951000-memory.dmp

Filesize
4KB

Download
memory/2964-55-0x0000024E36950000-0x0000024E36951000-memory.dmp

Filesize
4KB

Download
memory/2964-58-0x0000024E36950000-0x0000024E36951000-memory.dmp

Filesize
4KB

Download
memory/4272-21-0x000001FCCFEB0000-0x000001FCD0120000-memory.dmp

Filesize
2.4MB

Download
memory/4272-31-0x000001FCCE6E0000-0x000001FCCE6E1000-memory.dmp

Filesize
4KB

Download
memory/4272-34-0x000001FCCE6E0000-0x000001FCCE6E1000-memory.dmp

Filesize
4KB

Download
memory/4272-35-0x000001FCCFEB0000-0x000001FCD0120000-memory.dmp

Filesize
2.4MB

Download
memory/4920-7-0x00000132CC820000-0x00000132CCA90000-memory.dmp

Filesize
2.4MB

Download
memory/4920-17-0x00000132CADF0000-0x00000132CADF1000-memory.dmp

Filesize
4KB

Download
memory/4920-18-0x00000132CC820000-0x00000132CCA90000-memory.dmp

Filesize
2.4MB

Download