c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5

General

Target

c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
Size

1.7MB
MD5

6f36e6da03eb62a52c3e68883b482921
SHA1

5c34272697226dc1eac33254017aacb3424db963
SHA256

c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5
SHA512

f7a600c3a8993b0ad8e82f164f12ab8fc32d7545fe86bd609fe5b4388e579e47a7877d71b4ff2bb047750c5ced0ef9d8334c4be9d388cc582ff1a6370f206a8b
SSDEEP

24576:5Wd7S8NK3oYLkTcDvebZI7LrS/85RkVt7jKsqjnhMgeiCl7G0nehbGZpbD:5KxNuLkTcKb4rSUfkVFjeDmg27RnWGj

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5004	javaws.exe
5004	javaws.exe
3436	jp2launcher.exe
3436	jp2launcher.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2680	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
2680	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2680	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
2680	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3436	jp2launcher.exe
2680	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
2680	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 5004	2680	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe	85
PID 2680 wrote to memory of 5004	2680	c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe	85
PID 5004 wrote to memory of 3436	5004	javaws.exe	86
PID 5004 wrote to memory of 3436	5004	javaws.exe	86

C:\Users\Admin\AppData\Local\Temp\c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe
"C:\Users\Admin\AppData\Local\Temp\c60bef05d9a97a5519f1419a3d0f63f399c347a83d7e4b4a9d5a8020460907f5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
896B

MD5
07f8f6b55dca98492ea28424e1134432

SHA1
d8e8dffb28f1c4760bdf18f5132da4b180a0481e

SHA256
0fd03f0ded3643aa6b1b786736d030bb36e10e661b12f4a8c91c9eab33ae3623

SHA512
2117c407850a8ef84352f7db454d910fcebcca673f2e49376555bcee15f596b61be69c0aebf496cf1d8ec07b5e6b96120f6c7698bdf70cd3efbd796e7f2a544c

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
f47403fc5f6534d1eb5e6a4088c86d84

SHA1
ed2116d28be10439a9f35145a21535ecfba196f5

SHA256
ec77ef8b1cbf32edf02950406ca4fcb7edcef00bf498b1a714d734363881b97a

SHA512
937af202eedc100d0cd146554cbd2a98c580210ece2f0e92a1f7d6d1dfc49cd9f0e47867e707fb6e57725ae62210d38af2df25062ac838e3ac42b3b4c37ec90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
b2848714f67c9ee9ef6e9f80d8d87944

SHA1
cb6856f899e38fddaac3583ea01a484404d72d45

SHA256
fdf5cff7d5fbc06d15e3b3f88a87c2b9294b303fac147a700764d8acbb0f36ac

SHA512
65e3561a79f336bc60f60ce719d89aec74bea6e5024a723491d638b30ee7732892c51a524672ef7001e80e7c6b9f6f0bd4ba9d474554d4882b73914fa3f2a21e

Download Submit
memory/2680-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2680-373-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/3436-20-0x00000138B7AF0000-0x00000138B7D60000-memory.dmp

Filesize
2.4MB

Download
memory/3436-199-0x00000138B7AD0000-0x00000138B7AD1000-memory.dmp

Filesize
4KB

Download
memory/3436-281-0x00000138B7AD0000-0x00000138B7AD1000-memory.dmp

Filesize
4KB

Download
memory/3436-326-0x00000138B7AD0000-0x00000138B7AD1000-memory.dmp

Filesize
4KB

Download
memory/3436-350-0x00000138B7AD0000-0x00000138B7AD1000-memory.dmp

Filesize
4KB

Download
memory/3436-371-0x00000138B7AD0000-0x00000138B7AD1000-memory.dmp

Filesize
4KB

Download
memory/3436-372-0x00000138B7AF0000-0x00000138B7D60000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing