8bb1061cc69d553f1511168b242e5b49e086f5c216403d44eba9f4d98d472e0f

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install_check/check_jdk.exe
Size

88KB
MD5

2cc7e692ecd242bbed9ed3b58b877794
SHA1

471b9d4f4c1fc9272102bacb25f94a63941d8bed
SHA256

48415e6f7410d56e3b85115bbf9ccaa6be6918d5be7ca433cf38ec4e457f93a3
SHA512

db212b4eb94bb2386cfd0f9fef54ebc4d23db84751d5f5ee991a19e39fcdc99089ebcea074a05f19fae79546cecb8c77ea8d104027bfa766748132a822a6a044
SSDEEP

1536:rL7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIf5w2OO:rHFfHgTWmCRkGbKGLeNTBf5N

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	check_jdk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 732	4968	check_jdk.exe	85
PID 4968 wrote to memory of 732	4968	check_jdk.exe	85
PID 732 wrote to memory of 1492	732	cmd.exe	86
PID 732 wrote to memory of 1492	732	cmd.exe	86
PID 1492 wrote to memory of 3808	1492	cmd.exe	87
PID 1492 wrote to memory of 3808	1492	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\install_check\check_jdk.exe
"C:\Users\Admin\AppData\Local\Temp\install_check\check_jdk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9B27.tmp\9B28.tmp\9B29.bat C:\Users\Admin\AppData\Local\Temp\install_check\check_jdk.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c java -fullversion 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
      java -fullversion
      4⤵
      PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9B27.tmp\9B28.tmp\9B29.bat

Filesize
222B

MD5
6111d96c145373275c1ac7c351edc55d

SHA1
499b3fff55060bca6398d61a84b61080883583d6

SHA256
281483647a94ceab185e8503ab9b235695ae45cdc02042fa14d8abca7d8a97a2

SHA512
9fb15ed64a3ae71f222d1f2d2c49d6ff6ac0d24f9244ff8ef53898c6ba36d949d9133616e70e0705467c65d3da6dfc5bf9e99abadb2f2e823bd665acfff5ee17

Download Submit