Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-10-2024 17:09
Static task: static1
Behavioral task: behavioral1
  Sample: 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe
  Resource: win10v2004-20241007-en
General
Target: 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe
Size: 476KB
MD5: 4cb6962aa45251d98a4cb9d2fdd43100
SHA1: de2a40aefc9fb5f70bea18bb4751704c4b39526c
SHA256: 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702
SHA512: 77fd8e7722148d604bf31ad0ec1fda3d45dc2787ccb0e7327f6f8f1351bfe4651cc2acaad278be8bd8c734812a181f46f624fc736301f3bfe47bc1d6ad82d75a
SSDEEP: 3072:Jin8r+coP2W0XgEU5IuY2R8FD8edLhb9x4CuSqhAp08FkGRnNrdf45AjqKnoem:23P0KPsvKhAp081nNVjqKoe
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4728 | JREUPD7.exe
  2836 | JREUPD7.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JREsp7 = "C:\\Users\\Admin\\AppData\\Roaming\\SunJavaJREupdate7\\JREUPD7.exe" | reg.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 3836 set thread context of 1692 | 3836 | 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe | 91
  PID 4728 set thread context of 2836 | 4728 | JREUPD7.exe | 98
  PID 4728 set thread context of 4460 | 4728 | JREUPD7.exe | 99
  resource | yara_rule
  behavioral2/memory/1692-7-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/1692-9-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/1692-11-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/1692-37-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/1692-53-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/2836-55-0x0000000000400000-0x000000000040B000-memory.dmp | upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  628 | 4460 | WerFault.exe | 99
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JREUPD7.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JREUPD7.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2836 | JREUPD7.exe (24 identical entries)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  3836 | 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe
  1692 | 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe
  4728 | JREUPD7.exe
  2836 | JREUPD7.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | Process | procid_target
  PID 3836 wrote to memory of 1692 | 3836 | 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe | 91 (8 identical entries)
  PID 1692 wrote to memory of 4432 | 1692 | 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe | 92 (3 identical entries)
  PID 4432 wrote to memory of 4688 | 4432 | cmd.exe | 96 (3 identical entries)
  PID 1692 wrote to memory of 4728 | 1692 | 0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe | 97 (3 identical entries)
  PID 4728 wrote to memory of 2836 | 4728 | JREUPD7.exe | 98 (8 identical entries)
  PID 4728 wrote to memory of 4460 | 4728 | JREUPD7.exe | 99 (4 identical entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe (PID 3836)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe (PID 1692)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0ae41af51d8c977a7f5e17b8af23371ee88446209fedde96217fe1c87f824702N.exe"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 4432)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUIUF.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\reg.exe (PID 4688)
          Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JREsp7" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe" /f
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe (PID 4728)
        Command line: "C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe (PID 2836)
          Command line: "C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\svchost.exe (PID 4460)
          Command line: "C:\Windows\system32\svchost.exe"
        [5] C:\Windows\SysWOW64\WerFault.exe (PID 628)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 84
            - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe (PID 3396)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4460 -ip 4460
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: a5ab6d6b7f03c59f02ebde6e2834fe42
  SHA1: 567e8e08dcb41c365116e5806676d89e2b9f522a
  SHA256: 2dfac769e0e863a3f534444566bbc908edb7fed1981feed55a8f402cc7a3e506
  SHA512: 271f94ed4f69eb40012e26aae164a0332bc3695d08f119e82096a4a14e15631e8a6ee7c8095d047ba5e2ae03e364c010b873a5f3191ab88a835ae2227ddc30bd
- Filesize: 476KB
  MD5: dd55191c756177ce34420af6b53537bf
  SHA1: 219c6c93a1ca8ac86953c3b652318cf6a9131274
  SHA256: 825488352760b2578955273ca80c1219923132a7c9a4d8ec481af8555d29546d
  SHA512: 3410982e707e9264e08862c37f3b9a96b9f54f910e2c3148c14c0aa86365eb096ec30d46439cf054286f58cf2e2dbd9cf4d92e8101890fed4224496155c7dcd7