a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123

Resubmissions

18-10-2024 17:25

241018-vzl1la1cqq 10

18-10-2024 16:26

241018-txhdyswgqh 10

18-10-2024 16:25

241018-tw78zsydrp 3

18-10-2024 16:22

241018-tvh8gawfqa 3

Analysis

max time kernel
44s
max time network
46s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18-10-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6812964531.exe
Size

67KB
MD5

7de65122a13ab9d81368ee3dff3cc80a
SHA1

ecbb4db641431d4d672e4b88e8d309419fd32f04
SHA256

a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123
SHA512

b156d77a665c3256ddfd016e46105b6e87db6a4c1ca77e9bb25b221c368f3cc53dddc7159602cfb926ef0cc9bacac57b6bd41e7e28998883c996727d58d29401
SSDEEP

1536:pr3rob4nqB6veqHnq+Pgm5NN9vbDTc+1vIQ/EXyBej:h7PEg3qcv5PvB/EVj

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6812964531.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6812964531.exe

Modifies registry class 1 IoCs

Processes:

java.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	java.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
1036	schtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid	Process
4380	java.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

6812964531.exejavaw.exejava.execmd.execmd.exe

description	pid	Process	procid_target
PID 1436 wrote to memory of 4660	1436	6812964531.exe	78
PID 1436 wrote to memory of 4660	1436	6812964531.exe	78
PID 4660 wrote to memory of 4380	4660	javaw.exe	79
PID 4660 wrote to memory of 4380	4660	javaw.exe	79
PID 4380 wrote to memory of 2012	4380	java.exe	81
PID 4380 wrote to memory of 2012	4380	java.exe	81
PID 2012 wrote to memory of 1696	2012	cmd.exe	83
PID 2012 wrote to memory of 1696	2012	cmd.exe	83
PID 4380 wrote to memory of 4116	4380	java.exe	84
PID 4380 wrote to memory of 4116	4380	java.exe	84
PID 4116 wrote to memory of 1036	4116	cmd.exe	86
PID 4116 wrote to memory of 1036	4116	cmd.exe	86
PID 4380 wrote to memory of 4208	4380	java.exe	87
PID 4380 wrote to memory of 4208	4380	java.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6812964531.exe
"C:\Users\Admin\AppData\Local\Temp\6812964531.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\6812964531.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    java -jar C:\Users\Admin\download_libra.jar
    3⤵
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        5⤵
        
        PID:1696
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c SCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1036
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"
      4⤵
      PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
3cd0fbbe5debd9c5ec5725a06eefdcb7

SHA1
69a5ee599113fd7b86170864deae54af6f3ba515

SHA256
fd3e583599065bddb1ce42ce0ddc72d5aad716d987446ecd6995dca0593c4549

SHA512
a89a95e0b9195f2d14cccafc5784819bbe66823e98b4f590df1116248900eb01eba0eb2259b28ad344aca78a42363f25a99edd662614f9a0b46cefd4ec8af122

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
a822120a2d781c6d24b2ca6bfe5d0d53

SHA1
2a8106150eb96d076dfaf094d06f6136e3d51542

SHA256
87d9cccf0604cf09f8e71c526a7bb15a20a4b7e4ed7e71b3f06375c88fe34358

SHA512
633738f5dcf4f24aec49e414b2a0e0e54a795cdee35dc0a9671d88cde65cef1a3a37715c5672dea74e932c346dba183bcac568f307c1ee6f4efaa812d01b880e

Download Submit
C:\Users\Admin\download_libra.jar

Filesize
25.9MB

MD5
985b88f00a71cca64b06496800ea0b6f

SHA1
b7f8cc23a514ddb16611a7606b60d07aabe6ee30

SHA256
700460f2cd5fe2f126396e25f594cce96cb22322231bc28d728e3699ce5663a9

SHA512
ef72748f431ca9dd0124ad1e01eb0e4afb69dbf778144ef21b37eb2d6dc0466d11152e0a9e66e502bc26ea44ba6b5467e0db51196fd642bf162a5675c30d46fc

Download Submit
memory/1436-0-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4208-216-0x0000029F0E8B0000-0x0000029F0E8B1000-memory.dmp

Filesize
4KB

Download
memory/4380-182-0x000002D76A970000-0x000002D76ABE0000-memory.dmp

Filesize
2.4MB

Download
memory/4380-193-0x000002D769120000-0x000002D769121000-memory.dmp

Filesize
4KB

Download
memory/4380-203-0x000002D769120000-0x000002D769121000-memory.dmp

Filesize
4KB

Download
memory/4380-221-0x000002D76A970000-0x000002D76ABE0000-memory.dmp

Filesize
2.4MB

Download
memory/4660-93-0x0000021383450000-0x0000021383460000-memory.dmp

Filesize
64KB

Download
memory/4660-34-0x00000213833A0000-0x00000213833B0000-memory.dmp

Filesize
64KB

Download
memory/4660-20-0x0000021383340000-0x0000021383350000-memory.dmp

Filesize
64KB

Download
memory/4660-22-0x0000021383350000-0x0000021383360000-memory.dmp

Filesize
64KB

Download
memory/4660-24-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/4660-26-0x0000021383370000-0x0000021383380000-memory.dmp

Filesize
64KB

Download
memory/4660-29-0x0000021383380000-0x0000021383390000-memory.dmp

Filesize
64KB

Download
memory/4660-31-0x0000021383390000-0x00000213833A0000-memory.dmp

Filesize
64KB

Download
memory/4660-33-0x00000213830A0000-0x0000021383310000-memory.dmp

Filesize
2.4MB

Download
memory/4660-36-0x0000021383310000-0x0000021383320000-memory.dmp

Filesize
64KB

Download
memory/4660-35-0x00000213833B0000-0x00000213833C0000-memory.dmp

Filesize
64KB

Download
memory/4660-103-0x0000021383470000-0x0000021383480000-memory.dmp

Filesize
64KB

Download
memory/4660-40-0x00000213833C0000-0x00000213833D0000-memory.dmp

Filesize
64KB

Download
memory/4660-39-0x0000021383320000-0x0000021383330000-memory.dmp

Filesize
64KB

Download
memory/4660-43-0x0000021383330000-0x0000021383340000-memory.dmp

Filesize
64KB

Download
memory/4660-44-0x00000213833D0000-0x00000213833E0000-memory.dmp

Filesize
64KB

Download
memory/4660-49-0x00000213833E0000-0x00000213833F0000-memory.dmp

Filesize
64KB

Download
memory/4660-48-0x0000021383340000-0x0000021383350000-memory.dmp

Filesize
64KB

Download
memory/4660-53-0x0000021383350000-0x0000021383360000-memory.dmp

Filesize
64KB

Download
memory/4660-54-0x00000213833F0000-0x0000021383400000-memory.dmp

Filesize
64KB

Download
memory/4660-56-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/4660-57-0x0000021383400000-0x0000021383410000-memory.dmp

Filesize
64KB

Download
memory/4660-58-0x0000021383370000-0x0000021383380000-memory.dmp

Filesize
64KB

Download
memory/4660-59-0x0000021383410000-0x0000021383420000-memory.dmp

Filesize
64KB

Download
memory/4660-62-0x0000021383420000-0x0000021383430000-memory.dmp

Filesize
64KB

Download
memory/4660-61-0x0000021383380000-0x0000021383390000-memory.dmp

Filesize
64KB

Download
memory/4660-66-0x0000021383430000-0x0000021383440000-memory.dmp

Filesize
64KB

Download
memory/4660-68-0x0000021383440000-0x0000021383450000-memory.dmp

Filesize
64KB

Download
memory/4660-67-0x00000213833A0000-0x00000213833B0000-memory.dmp

Filesize
64KB

Download
memory/4660-65-0x0000021383390000-0x00000213833A0000-memory.dmp

Filesize
64KB

Download
memory/4660-70-0x00000213833B0000-0x00000213833C0000-memory.dmp

Filesize
64KB

Download
memory/4660-71-0x0000021383450000-0x0000021383460000-memory.dmp

Filesize
64KB

Download
memory/4660-74-0x00000213833C0000-0x00000213833D0000-memory.dmp

Filesize
64KB

Download
memory/4660-75-0x0000021383460000-0x0000021383470000-memory.dmp

Filesize
64KB

Download
memory/4660-76-0x0000021383080000-0x0000021383081000-memory.dmp

Filesize
4KB

Download
memory/4660-104-0x00000213834B0000-0x00000213834C0000-memory.dmp

Filesize
64KB

Download
memory/4660-78-0x00000213833E0000-0x00000213833F0000-memory.dmp

Filesize
64KB

Download
memory/4660-80-0x00000213833F0000-0x0000021383400000-memory.dmp

Filesize
64KB

Download
memory/4660-81-0x0000021383400000-0x0000021383410000-memory.dmp

Filesize
64KB

Download
memory/4660-83-0x0000021383410000-0x0000021383420000-memory.dmp

Filesize
64KB

Download
memory/4660-84-0x0000021383470000-0x0000021383480000-memory.dmp

Filesize
64KB

Download
memory/4660-86-0x0000021383420000-0x0000021383430000-memory.dmp

Filesize
64KB

Download
memory/4660-87-0x0000021383430000-0x0000021383440000-memory.dmp

Filesize
64KB

Download
memory/4660-91-0x0000021383480000-0x0000021383490000-memory.dmp

Filesize
64KB

Download
memory/4660-90-0x0000021383440000-0x0000021383450000-memory.dmp

Filesize
64KB

Download
memory/4660-16-0x0000021383320000-0x0000021383330000-memory.dmp

Filesize
64KB

Download
memory/4660-94-0x0000021383460000-0x0000021383470000-memory.dmp

Filesize
64KB

Download
memory/4660-96-0x0000021383490000-0x00000213834A0000-memory.dmp

Filesize
64KB

Download
memory/4660-99-0x00000213834A0000-0x00000213834B0000-memory.dmp

Filesize
64KB

Download
memory/4660-102-0x0000021383080000-0x0000021383081000-memory.dmp

Filesize
4KB

Download
memory/4660-77-0x00000213833D0000-0x00000213833E0000-memory.dmp

Filesize
64KB

Download
memory/4660-18-0x0000021383330000-0x0000021383340000-memory.dmp

Filesize
64KB

Download
memory/4660-227-0x0000021383340000-0x0000021383350000-memory.dmp

Filesize
64KB

Download
memory/4660-108-0x0000021383480000-0x0000021383490000-memory.dmp

Filesize
64KB

Download
memory/4660-110-0x00000213834D0000-0x00000213834E0000-memory.dmp

Filesize
64KB

Download
memory/4660-112-0x0000021383490000-0x00000213834A0000-memory.dmp

Filesize
64KB

Download
memory/4660-114-0x00000213834E0000-0x00000213834F0000-memory.dmp

Filesize
64KB

Download
memory/4660-116-0x00000213834A0000-0x00000213834B0000-memory.dmp

Filesize
64KB

Download
memory/4660-117-0x00000213834B0000-0x00000213834C0000-memory.dmp

Filesize
64KB

Download
memory/4660-119-0x00000213834C0000-0x00000213834D0000-memory.dmp

Filesize
64KB

Download
memory/4660-122-0x00000213834F0000-0x0000021383500000-memory.dmp

Filesize
64KB

Download
memory/4660-125-0x00000213834D0000-0x00000213834E0000-memory.dmp

Filesize
64KB

Download
memory/4660-127-0x00000213834E0000-0x00000213834F0000-memory.dmp

Filesize
64KB

Download
memory/4660-129-0x0000021383080000-0x0000021383081000-memory.dmp

Filesize
4KB

Download
memory/4660-136-0x00000213834F0000-0x0000021383500000-memory.dmp

Filesize
64KB

Download
memory/4660-139-0x0000021383520000-0x0000021383530000-memory.dmp

Filesize
64KB

Download
memory/4660-138-0x0000021383510000-0x0000021383520000-memory.dmp

Filesize
64KB

Download
memory/4660-137-0x0000021383500000-0x0000021383510000-memory.dmp

Filesize
64KB

Download
memory/4660-141-0x0000021383530000-0x0000021383540000-memory.dmp

Filesize
64KB

Download
memory/4660-143-0x0000021383540000-0x0000021383550000-memory.dmp

Filesize
64KB

Download
memory/4660-145-0x0000021383550000-0x0000021383560000-memory.dmp

Filesize
64KB

Download
memory/4660-147-0x0000021383560000-0x0000021383570000-memory.dmp

Filesize
64KB

Download
memory/4660-149-0x0000021383570000-0x0000021383580000-memory.dmp

Filesize
64KB

Download
memory/4660-155-0x0000021383580000-0x0000021383590000-memory.dmp

Filesize
64KB

Download
memory/4660-156-0x0000021383080000-0x0000021383081000-memory.dmp

Filesize
4KB

Download
memory/4660-161-0x0000021383590000-0x00000213835A0000-memory.dmp

Filesize
64KB

Download
memory/4660-160-0x0000021383520000-0x0000021383530000-memory.dmp

Filesize
64KB

Download
memory/4660-159-0x0000021383510000-0x0000021383520000-memory.dmp

Filesize
64KB

Download
memory/4660-158-0x0000021383500000-0x0000021383510000-memory.dmp

Filesize
64KB

Download
memory/4660-167-0x00000213835A0000-0x00000213835B0000-memory.dmp

Filesize
64KB

Download
memory/4660-166-0x0000021383530000-0x0000021383540000-memory.dmp

Filesize
64KB

Download
memory/4660-169-0x0000021383540000-0x0000021383550000-memory.dmp

Filesize
64KB

Download
memory/4660-181-0x0000021383550000-0x0000021383560000-memory.dmp

Filesize
64KB

Download
memory/4660-194-0x0000021383560000-0x0000021383570000-memory.dmp

Filesize
64KB

Download
memory/4660-14-0x0000021383310000-0x0000021383320000-memory.dmp

Filesize
64KB

Download
memory/4660-196-0x0000021383570000-0x0000021383580000-memory.dmp

Filesize
64KB

Download
memory/4660-218-0x0000021383580000-0x0000021383590000-memory.dmp

Filesize
64KB

Download
memory/4660-219-0x0000021383080000-0x0000021383081000-memory.dmp

Filesize
4KB

Download
memory/4660-12-0x0000021383080000-0x0000021383081000-memory.dmp

Filesize
4KB

Download
memory/4660-3-0x00000213830A0000-0x0000021383310000-memory.dmp

Filesize
2.4MB

Download
memory/4660-222-0x0000021383080000-0x0000021383081000-memory.dmp

Filesize
4KB

Download
memory/4660-225-0x0000021383320000-0x0000021383330000-memory.dmp

Filesize
64KB

Download
memory/4660-232-0x0000021383390000-0x00000213833A0000-memory.dmp

Filesize
64KB

Download
memory/4660-231-0x0000021383380000-0x0000021383390000-memory.dmp

Filesize
64KB

Download
memory/4660-230-0x0000021383370000-0x0000021383380000-memory.dmp

Filesize
64KB

Download
memory/4660-229-0x0000021383360000-0x0000021383370000-memory.dmp

Filesize
64KB

Download
memory/4660-228-0x0000021383350000-0x0000021383360000-memory.dmp

Filesize
64KB

Download
memory/4660-106-0x00000213834C0000-0x00000213834D0000-memory.dmp

Filesize
64KB

Download
memory/4660-226-0x0000021383330000-0x0000021383340000-memory.dmp

Filesize
64KB

Download
memory/4660-223-0x00000213833B0000-0x00000213833C0000-memory.dmp

Filesize
64KB

Download
memory/4660-224-0x0000021383310000-0x0000021383320000-memory.dmp

Filesize
64KB

Download