Analysis

  • max time kernel
    102s
  • max time network
    98s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    28-06-2020 20:55

General

  • Target

    ups-label.jar.msi

  • Size

    382KB

  • MD5

    1eb30fec5a58dc7a6af2c17d7e8327d0

  • SHA1

    277fb1032edb935cb9bd3fbd33a17c83615cedfa

  • SHA256

    51eb64e8719bcd2caba807e8ffe09e9b016ab828f4352f9905a99fc3f3517e82

  • SHA512

    2670b7062f9918fd7b53200e26e25b56cfb8974c0e6a0e7e2720218cee018479ce6855cf57c4d6c89855439ecad9ff0ddce73fb2ac91e524bc2bd98e51f942aa

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service (2 TTPs, 147 IoCs)
  • Drops file in Windows directory (8 IoCs)
  • Modifies data under HKEY_USERS (44 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (57 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ups-label.jar.msi
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1108
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Modifies service
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:112
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:748
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005AC" "000000000000059C"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1872

    Reading the tree: PID 1108 is the Installer client started for the sample, PID 112 is the Windows Installer service (msiexec /V) that executes the package, and vssvc.exe together with DrvInst.exe on the STORAGE\VolumeSnapshot device are the Volume Shadow Copy service and the PnP driver installer creating the restore point that Windows Installer takes before an install on Windows 7. The "Modifies service", "Drops file in Windows directory" and AdjustPrivilegeToken hits on PIDs 112, 748 and 1872 are therefore the cost of running any MSI in this sandbox and do not by themselves show what ups-label.jar.msi installs. No process other than these four Installer components appears in the report, and the Network section is empty.
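The same reading, as an added triage rule that is not part of the report or of the sandbox: the four recorded processes are transcribed from the page and matched against the stock Windows Installer sequence; anything else is flagged for review with the reason. The final record is a constructed example of what a payload launch would look like for a JAR-wrapping MSI and does not appear in the report.

```python
"""Separate Windows Installer's own machinery from what a package launched.

Added example, not from the report. REPORTED is transcribed from the page;
HYPOTHETICAL_PAYLOAD is constructed and is NOT in the report.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str


# Transcribed from the report's Processes section.
REPORTED = [
    Proc(1108, r"C:\Windows\system32\msiexec.exe",
         r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ups-label.jar.msi"),
    Proc(112, r"C:\Windows\system32\msiexec.exe",
         r"C:\Windows\system32\msiexec.exe /V"),
    Proc(748, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    Proc(1872, r"C:\Windows\system32\DrvInst.exe",
         r'DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" '
         r'"" "" "6d110b0a3" "0000000000000000" "00000000000005AC" "000000000000059C"'),
]

# Constructed, NOT in the report: a JAR payload started by an installer action.
HYPOTHETICAL_PAYLOAD = Proc(
    2048, r"C:\Program Files\Java\jre\bin\javaw.exe",
    r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar C:\Users\Admin\AppData\Roaming\ups-label.jar')

# (label, image regex, command-line regex). This is the stock Installer
# sequence on Windows 7: client msiexec, the service (/V), then VSS and the
# PnP installer for the snapshot device that make up the restore point.
EXPECTED = [
    ("installer client", r"\\msiexec\.exe$", r"(?i)\s/I\s"),
    ("installer service", r"\\msiexec\.exe$", r"(?i)\s/V$"),
    ("restore point: VSS", r"\\vssvc\.exe$", r"."),
    ("restore point: snapshot PnP", r"\\DrvInst\.exe$", r"STORAGE\\VolumeSnapshot"),
]

USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\")


def classify(p: Proc) -> str:
    """Label a process as one of the expected Installer components or REVIEW."""
    for label, img_re, cmd_re in EXPECTED:
        if re.search(img_re, p.image, re.I) and re.search(cmd_re, p.cmdline):
            return label
    return "REVIEW"


def review_reasons(p: Proc) -> list:
    """Why a REVIEW process deserves attention; empty list if nothing stands out."""
    reasons = []
    if USER_WRITABLE.search(p.cmdline):
        reasons.append("references user-writable path")
    if re.search(r"(?i)\\java(w)?\.exe$", p.image) and "-jar" in p.cmdline:
        reasons.append("launches a JAR")
    return reasons


def triage(procs) -> dict:
    """PID -> label for a whole process list."""
    return {p.pid: classify(p) for p in procs}


def needs_review(procs) -> list:
    """Only the processes that are not explained by Windows Installer itself."""
    return [p for p in procs if classify(p) == "REVIEW"]


if __name__ == "__main__":
    for pid, label in triage(REPORTED).items():
        print(f"{pid:>5}  {label}")
    for p in needs_review(REPORTED + [HYPOTHETICAL_PAYLOAD]):
        print(f"{p.pid:>5}  REVIEW: {p.image}  reasons={review_reasons(p)}")
```

Run against the report as transcribed, nothing is left for review, which is the point: the 6/10 score rests on Installer noise. The constructed javaw.exe record shows what the rule would surface if the package's custom action had launched a JAR from a user-writable directory.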

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Modify Existing Service (T1031), 1 hit
  • Defense Evasion: Modify Registry (T1112), 1 hit
  • Discovery: Query Registry (T1012), 1 hit
  • Discovery: Peripheral Device Discovery (T1120), 1 hit
  • Discovery: System Information Discovery (T1082), 1 hit


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • memory/112-6-0x00000000010F0000-0x00000000010F2000-memory.dmp (8KB)
  • memory/112-7-0x00000000010F0000-0x00000000010F2000-memory.dmp (8KB)
  • memory/112-12-0x00000000012B0000-0x00000000012B4000-memory.dmp (16KB)
  • memory/112-13-0x0000000001190000-0x0000000001194000-memory.dmp (16KB)
  • memory/112-14-0x0000000001190000-0x0000000001194000-memory.dmp (16KB)
  • memory/112-15-0x0000000001190000-0x0000000001194000-memory.dmp (16KB)
  • memory/1108-0-0x0000000004200000-0x0000000004204000-memory.dmp (16KB)
  • memory/1108-1-0x00000000052B0000-0x00000000052B4000-memory.dmp (16KB)
  • memory/1108-2-0x0000000005430000-0x0000000005434000-memory.dmp (16KB)
  • memory/1108-3-0x0000000005430000-0x0000000005434000-memory.dmp (16KB)
  • memory/1108-4-0x0000000005430000-0x0000000005434000-memory.dmp (16KB)