Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 21:33
Static task
static1
Behavioral task
behavioral1
Sample
f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe
Resource
win10v2004-20241007-en
General
-
Target
f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe
-
Size
1.7MB
-
MD5
b671fcc99642e113fd3f6628df41b217
-
SHA1
701dd3d79daab9285b1d8695fe464d1974fc700e
-
SHA256
f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90
-
SHA512
5ae170e7d76c19b70f004c25a82378b2ef386833507458a1b611131eb79fdd919dfb54810095a51891794c20329acf56c775d86c04a86167811809983a0a04b4
-
SSDEEP
49152:3KxNuLkTcKb4rSUfkVFjeErvL73RLSo+2fhl:afuLkT5NUQBrvvRe12fD
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4840 javaws.exe 4840 javaws.exe 4424 jp2launcher.exe 4424 jp2launcher.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4004 f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe 4004 f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 4004 f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe 4004 f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4424 jp2launcher.exe 4004 f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe 4004 f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4004 wrote to memory of 4840 4004 f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe 85 PID 4004 wrote to memory of 4840 4004 f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe 85 PID 4840 wrote to memory of 4424 4840 javaws.exe 86 PID 4840 wrote to memory of 4424 4840 javaws.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe"C:\Users\Admin\AppData\Local\Temp\f163c9b31e90b14925b205b9277a436e2b55b222ef1bdbc8ad5c33c75a300f90.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Program Files\Java\jre-1.8\bin\javaws.exe"C:\Program Files\Java\jre-1.8\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe"C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4424
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
896B
MD5ef7d394415593830a1e7d1aba87209ca
SHA1b3d0344d821b9ad1cc07862dd23799392ad85e40
SHA2562038354310ddb3cfdbaeb09b6a11622a79a96340eefb98a73607a50f926887c4
SHA512bb548642f56319dfc23d0d21716d6b446f619effa09d7f3795b5d10f83a4b200a948388c9324d6b961ba56333d3d0b029a37ca1dc1c3d2fa8f1424cd4e36ac99
-
Filesize
12KB
MD5a66e19c05f3e0b24ac077a37c2b7589e
SHA18b9ad1517985c48c0bd11670fabd3648bac9d1ff
SHA2569771364d53fa9b1bd14cef7e48be1f5df23b11aac9f5cb6763a4934b3190e126
SHA5120876a0072ac19f03818a2e5d77cec638470a09e40cd3794d901f1625c3f701f7b37a5cc6e23057a53e62d6e936f5c90bdd4a2c811c64dcfaa20dca5fdf63565f
-
Filesize
164KB
MD5d4d60c947ba87bb545fb1ecc09dc9445
SHA1bd8034b6b95308ced945f065601649743a88c75a
SHA25622eac71926a3e61c26676358ded9c8deb1fc50357c15f3b9138d00d0dd8c0bdb
SHA512b8ad7fc055edf87532271ac6ead12a08956bcd233180a6f4b10f2231d9aedc719d4a5d21bc7b641085f2b5e7df0c086d4d0d9fcee6477273a5150f2bc148ae52