Analysis

  • max time kernel
    129s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    28-06-2020 20:55

General

  • Target

    ups-label.jar.msi

  • Size

    382KB

  • MD5

    1eb30fec5a58dc7a6af2c17d7e8327d0

  • SHA1

    277fb1032edb935cb9bd3fbd33a17c83615cedfa

  • SHA256

    51eb64e8719bcd2caba807e8ffe09e9b016ab828f4352f9905a99fc3f3517e82

  • SHA512

    2670b7062f9918fd7b53200e26e25b56cfb8974c0e6a0e7e2720218cee018479ce6855cf57c4d6c89855439ecad9ff0ddce73fb2ac91e524bc2bd98e51f942aa

Score
8/10

Malware Config

Signatures

  • Blacklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 165 IoCs
  • Drops file in Windows directory 7 IoCs
  • Checks SCSI registry key(s) 3 TTPs 96 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ups-label.jar.msi
    1⤵
    • Blacklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1500
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Modifies service
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Modifies service
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:2536
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:3500

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1500-0-0x000002A7843B0000-0x000002A7843B4000-memory.dmp

    Filesize

    16KB