Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 01:29

General

  • Target

    7b9380b2e79992d1acc9e86a6bf39ff6c698f4420b64388c3cad307134248be1.jar

  • Size

    3KB

  • MD5

    69113160dab119ff429cb77edfacd6a8

  • SHA1

    875fc6a48528d155eab5875d0cb5e9a08391e52a

  • SHA256

    7b9380b2e79992d1acc9e86a6bf39ff6c698f4420b64388c3cad307134248be1

  • SHA512

    38ac1846de883ea7dacbf9da95417814f4ddbb433a2a9d6e71dce60de60d9f79e6c630c1d7148562be6f4874e9fa79956532b959a181df84a1916924ecdcb821

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 15 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Access Token Manipulation: Create Process with Token (1 TTP, 15 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\7b9380b2e79992d1acc9e86a6bf39ff6c698f4420b64388c3cad307134248be1.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3732
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:1200
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      • Suspicious use of WriteProcessMemory
      PID:4656
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:2456
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3644
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:2072
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:3868
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4136
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:1512
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:2556
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:216
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:4008
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3928
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:3172
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:3328
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        PID:3280
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:3660
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      PID:4508
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        PID:820
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:4832
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      PID:1588
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        PID:1536
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:1740
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      PID:2668
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        PID:1936
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:4456
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //NoLogo C:\Users\Public\runas_admin.vbs
      2⤵
      • Checks computer location settings
      • Access Token Manipulation: Create Process with Token
      PID:3988
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c javaw -jar C:\Users\Public\AdminTask.jar
        3⤵
        PID:4268
        • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
          javaw -jar C:\Users\Public\AdminTask.jar
          4⤵
          PID:5044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\runas_admin.vbs

    Filesize

    204B

    MD5

    7e3458843f70af309fa153cc08fa1925

    SHA1

    fe18d0d8032e8b2a17bcf1c9cf76b6b06f069f57

    SHA256

    4c1f3b04802ece89cd3af4da68a38950a6359c014c170a91e30549a0947a628b

    SHA512

    9240b05da90fa3bb8dd89c5b0b1fa192005d72376272293d2e81eb6e03a672566bae4548d67644da31c622806ae407033e021d552c89bdd637060ab63005deab

  • memory/3228-2-0x0000021E1B4C0000-0x0000021E1B730000-memory.dmp

    Filesize

    2.4MB

  • memory/3228-13-0x0000021E19BE0000-0x0000021E19BE1000-memory.dmp

    Filesize

    4KB

  • memory/3228-14-0x0000021E1B4C0000-0x0000021E1B730000-memory.dmp

    Filesize

    2.4MB