7e8d5730213643eaba3ac42ab8eedba04d382d7a030c19a1f27d383514519f51

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c-users-vince-appdata-roaming-microsoft-windows-start-menu-programs-startup-jre-8u231-windows-x64-jar.jar
Size

23.4MB
MD5

9ffc1ded1643d2f1c0127f23ac3bd00f
SHA1

1e97894773bcf63adeba8d282d3921fe1224587d
SHA256

bb59ec29778a45324d437c67a0d18165b59823a01e78261a1c41c6a8069993fd
SHA512

9ad49f22d0f90a1e4604ca2fa09fd330b63c9f5035274f103875cdb153e914551d271bb31cadaaf719209492421f19a7695947b2bc54e542d49459f74d164462
SSDEEP

393216:FDq5bsW3WNInfzPbLu/xK0SghqfKvX95oELYirysSibdRD/Y/RsmeVeQXWl+FJ:hUwPNIrW5KpCqyXpLAsSixK/iRmUz

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jre-8u231-windows-x64.jar	javaw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jre-8u231-windows-x64.jar	javaw.exe

Loads dropped DLL 4 IoCs

pid	Process
1072	java.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2372	javaw.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1072	java.exe
1072	java.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe
2372	javaw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2372	1072	java.exe	83
PID 1072 wrote to memory of 2372	1072	java.exe	83
PID 2372 wrote to memory of 1888	2372	javaw.exe	84
PID 2372 wrote to memory of 1888	2372	javaw.exe	84
PID 2372 wrote to memory of 628	2372	javaw.exe	86
PID 2372 wrote to memory of 628	2372	javaw.exe	86

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\c-users-vince-appdata-roaming-microsoft-windows-start-menu-programs-startup-jre-8u231-windows-x64-jar.jar
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw" -jar "C:\Users\Admin\AppData\Local\Temp\c-users-vince-appdata-roaming-microsoft-windows-start-menu-programs-startup-jre-8u231-windows-x64-jar.jar" DELAY:3
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1888
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
c961ba3d317b0b9d1ac05c6b7c0841a7

SHA1
c2a8318103946e75e7b183df33031624b2c5e2ba

SHA256
84dc5c4c5dd9c7d7bab4d81e2ed24056194766e48cbcc04a4914876c58d480af

SHA512
d33fa8238122f0f070275dd9d7f06e6a7e649a47bc6399f7b6498b134ec0d67cc05be0c0cbcbcddd172aa6cec2f00dbd162d92e013b062c367759ad04fa9cd9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FB285C6BE.sql

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook-385777659FA84E94A3812EB9A8AFAD27AE3CEED4.x86_64.dll

Filesize
80KB

MD5
e9a449971b9efb0a2e12b9cfdd95c076

SHA1
385777659fa84e94a3812eb9a8afad27ae3ceed4

SHA256
b8c331c9f915960201da9af9c9dc8309e95e7d533741e71f4a5d13ca007d3e18

SHA512
bbcaf66b316cb60c63bb190099bee36a0059f13fa35fdf3a9a3e7e9a5304abe57acd71d644cde554427825249b460d58f0aba79f599f0c6fa40d23ea21aa941d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna8711614280082242429.dll

Filesize
248KB

MD5
4de85f9679c3a75f6d7d3e56094aa106

SHA1
052f62fb2ebec89fbe412db480865910eab693ad

SHA256
3d1b2427b45ff5178bbb4db395758bedd3a1e91121ebb3e3640b5c4e20eb22cc

SHA512
e8357eabd548ffeba42715d891b9e1ed22b7bf720f48b1888407b9ebe7a796719c60a38f4fb8bb1cf32d3c9bed210a07cc227424ef991d356ec3acef9e6223ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite-3.36.0.3-2ec81444-988d-4448-88ef-9c3342c7eeb6-sqlitejdbc.dll

Filesize
847KB

MD5
71eb6b5dbae2f9266a876be1af8dc00c

SHA1
364b79fe0a21c9f9827b298d187b493f5f14ce71

SHA256
b0c53ebfcddc4031daad36aac9a2967921703431deba5e51234da5008ae45b2a

SHA512
0a27205fcc33f482f59aea22de02ba3a9a1981bd28adee97ba3702026f27c760350f5df34e5982f763b608867892d5d4cebb1e13efb159fc3eef431772e37b12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\83aa4cc77f591dfc2374580bbd95f6ba_5ab270f5-f3a9-47d1-97d7-bbd50acf9955

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/1072-25-0x000001A10B950000-0x000001A10B960000-memory.dmp

Filesize
64KB

Download
memory/1072-63-0x000001A10B930000-0x000001A10B940000-memory.dmp

Filesize
64KB

Download
memory/1072-31-0x000001A10B980000-0x000001A10B990000-memory.dmp

Filesize
64KB

Download
memory/1072-27-0x000001A10B960000-0x000001A10B970000-memory.dmp

Filesize
64KB

Download
memory/1072-71-0x000001A10B960000-0x000001A10B970000-memory.dmp

Filesize
64KB

Download
memory/1072-23-0x000001A10B940000-0x000001A10B950000-memory.dmp

Filesize
64KB

Download
memory/1072-21-0x000001A10B930000-0x000001A10B940000-memory.dmp

Filesize
64KB

Download
memory/1072-2-0x000001A10B6C0000-0x000001A10B930000-memory.dmp

Filesize
2.4MB

Download
memory/1072-11-0x000001A109EB0000-0x000001A109EB1000-memory.dmp

Filesize
4KB

Download
memory/1072-29-0x000001A10B970000-0x000001A10B980000-memory.dmp

Filesize
64KB

Download
memory/1072-76-0x000001A10B6C0000-0x000001A10B930000-memory.dmp

Filesize
2.4MB

Download
memory/1072-75-0x000001A10B980000-0x000001A10B990000-memory.dmp

Filesize
64KB

Download
memory/1072-74-0x000001A10B970000-0x000001A10B980000-memory.dmp

Filesize
64KB

Download
memory/1072-65-0x000001A10B940000-0x000001A10B950000-memory.dmp

Filesize
64KB

Download
memory/1072-60-0x000001A10B6C0000-0x000001A10B930000-memory.dmp

Filesize
2.4MB

Download
memory/1072-73-0x000001A109EB0000-0x000001A109EB1000-memory.dmp

Filesize
4KB

Download
memory/1072-68-0x000001A10B950000-0x000001A10B960000-memory.dmp

Filesize
64KB

Download
memory/2372-103-0x0000018ED8DE0000-0x0000018ED8DF0000-memory.dmp

Filesize
64KB

Download
memory/2372-120-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-69-0x0000018ED8D70000-0x0000018ED8D80000-memory.dmp

Filesize
64KB

Download
memory/2372-66-0x0000018ED8D60000-0x0000018ED8D70000-memory.dmp

Filesize
64KB

Download
memory/2372-61-0x0000018ED8D40000-0x0000018ED8D50000-memory.dmp

Filesize
64KB

Download
memory/2372-62-0x0000018ED8D50000-0x0000018ED8D60000-memory.dmp

Filesize
64KB

Download
memory/2372-79-0x0000018ED8D80000-0x0000018ED8D90000-memory.dmp

Filesize
64KB

Download
memory/2372-78-0x0000018ED8AB0000-0x0000018ED8D20000-memory.dmp

Filesize
2.4MB

Download
memory/2372-57-0x0000018ED8D30000-0x0000018ED8D40000-memory.dmp

Filesize
64KB

Download
memory/2372-88-0x0000018ED8D90000-0x0000018ED8DA0000-memory.dmp

Filesize
64KB

Download
memory/2372-87-0x0000018ED8D20000-0x0000018ED8D30000-memory.dmp

Filesize
64KB

Download
memory/2372-91-0x0000018ED8D30000-0x0000018ED8D40000-memory.dmp

Filesize
64KB

Download
memory/2372-92-0x0000018ED8DA0000-0x0000018ED8DB0000-memory.dmp

Filesize
64KB

Download
memory/2372-95-0x0000018ED8DB0000-0x0000018ED8DC0000-memory.dmp

Filesize
64KB

Download
memory/2372-94-0x0000018ED8D40000-0x0000018ED8D50000-memory.dmp

Filesize
64KB

Download
memory/2372-100-0x0000018ED8DD0000-0x0000018ED8DE0000-memory.dmp

Filesize
64KB

Download
memory/2372-99-0x0000018ED8D60000-0x0000018ED8D70000-memory.dmp

Filesize
64KB

Download
memory/2372-98-0x0000018ED8DC0000-0x0000018ED8DD0000-memory.dmp

Filesize
64KB

Download
memory/2372-97-0x0000018ED8D50000-0x0000018ED8D60000-memory.dmp

Filesize
64KB

Download
memory/2372-55-0x0000018ED8D20000-0x0000018ED8D30000-memory.dmp

Filesize
64KB

Download
memory/2372-102-0x0000018ED8D70000-0x0000018ED8D80000-memory.dmp

Filesize
64KB

Download
memory/2372-107-0x0000018ED8DF0000-0x0000018ED8E00000-memory.dmp

Filesize
64KB

Download
memory/2372-112-0x0000018ED8E00000-0x0000018ED8E10000-memory.dmp

Filesize
64KB

Download
memory/2372-115-0x0000018ED8E10000-0x0000018ED8E20000-memory.dmp

Filesize
64KB

Download
memory/2372-117-0x0000018ED8D80000-0x0000018ED8D90000-memory.dmp

Filesize
64KB

Download
memory/2372-116-0x0000018ED8E20000-0x0000018ED8E30000-memory.dmp

Filesize
64KB

Download
memory/2372-122-0x0000018ED8D90000-0x0000018ED8DA0000-memory.dmp

Filesize
64KB

Download
memory/2372-126-0x0000018ED8DA0000-0x0000018ED8DB0000-memory.dmp

Filesize
64KB

Download
memory/2372-125-0x0000018ED8E50000-0x0000018ED8E60000-memory.dmp

Filesize
64KB

Download
memory/2372-124-0x0000018ED8E40000-0x0000018ED8E50000-memory.dmp

Filesize
64KB

Download
memory/2372-123-0x0000018ED8E30000-0x0000018ED8E40000-memory.dmp

Filesize
64KB

Download
memory/2372-70-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-132-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-133-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-147-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-151-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-155-0x0000018ED8DB0000-0x0000018ED8DC0000-memory.dmp

Filesize
64KB

Download
memory/2372-156-0x0000018ED8DC0000-0x0000018ED8DD0000-memory.dmp

Filesize
64KB

Download
memory/2372-162-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-166-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-165-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-164-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-163-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-177-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-182-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-183-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-189-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-187-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-195-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-208-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-45-0x0000018ED7220000-0x0000018ED7221000-memory.dmp

Filesize
4KB

Download
memory/2372-35-0x0000018ED8AB0000-0x0000018ED8D20000-memory.dmp

Filesize
2.4MB

Download
memory/2372-264-0x0000018ED8DD0000-0x0000018ED8DE0000-memory.dmp

Filesize
64KB

Download
memory/2372-267-0x0000018ED8DE0000-0x0000018ED8DF0000-memory.dmp

Filesize
64KB

Download
memory/2372-270-0x0000018ED8DF0000-0x0000018ED8E00000-memory.dmp

Filesize
64KB

Download
memory/2372-273-0x0000018ED8E00000-0x0000018ED8E10000-memory.dmp

Filesize
64KB

Download
memory/2372-276-0x0000018ED8E10000-0x0000018ED8E20000-memory.dmp

Filesize
64KB

Download
memory/2372-277-0x0000018ED8E20000-0x0000018ED8E30000-memory.dmp

Filesize
64KB

Download
memory/2372-282-0x0000018ED8E30000-0x0000018ED8E40000-memory.dmp

Filesize
64KB

Download
memory/2372-283-0x0000018ED8E40000-0x0000018ED8E50000-memory.dmp

Filesize
64KB

Download
memory/2372-284-0x0000018ED8E50000-0x0000018ED8E60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads