Analysis
max time kernel: 119s
max time network: 121s
platform: windows10_x64
resource: win10
submitted: 15-10-2020 14:18
Behavioral tasks
behavioral1: Sample 1234.jar.msi, Resource win7v200722, 0 signatures, 0 seconds
behavioral2: Sample 1234.jar.msi, Resource win10, 0 signatures, 0 seconds
General
Target: 1234.jar.msi
Size: 866KB
MD5: 015a56efa90ae951ba69d13363db7ab6
SHA1: 263251f166239184902b547befff8d16abc8395d
SHA256: 8b7a503e5dc6a286341fe42a7be2a913c3c5628326461363279759b885fa6182
SHA512: 82d0565f04d42d865f3cb56329e4b33d9c01c006ab7d25685ed5620694cbffe21057a1779ce06b5e57ec2a4f8c21b95fa8b0b886516111519d774570452a3c2c
Score: 7/10
Malware Config
Signatures

Loads dropped DLL (2 IoCs)
  pid   Process
  2344  MsiExec.exe
  2344  MsiExec.exe

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc                                   Process
  File opened (read-only)  \??\A: \??\B: \??\E: \??\F: \??\G:    msiexec.exe
                           \??\H: \??\I: \??\J: \??\K: \??\L:
                           \??\M: \??\N: \??\O: \??\P: \??\Q:
                           \??\R: \??\S: \??\T: \??\U: \??\V:
                           \??\W: \??\X: \??\Y: \??\Z:
  (24 drive letters, every letter A: to Z: except C: and D:; each letter is recorded twice, 48 entries in total)

Suspicious use of AdjustPrivilegeToken (90 IoCs)
  description                      pid   Process
  Token: SeShutdownPrivilege       3544  msiexec.exe
  Token: SeIncreaseQuotaPrivilege  3544  msiexec.exe
  Token: SeSecurityPrivilege       408   msiexec.exe
  followed by the 29 privileges below, in this order, recorded three times each for pid 3544 (msiexec.exe), 87 entries:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege,
  SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
  SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
  SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
  SeCreateGlobalPrivilege

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  3544  msiexec.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid  Process      procid_target
  PID 408 wrote to memory of 2344   408  msiexec.exe  73
  PID 408 wrote to memory of 2344   408  msiexec.exe  73
  PID 408 wrote to memory of 2344   408  msiexec.exe  73
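The signature section above is a flat run of repeated "ioc / pid / process" entries, which is hard to read when the same privilege or drive letter appears dozens of times. The parser below is an added example, not part of this report or of the sandbox's own tooling: it turns that text into per-process summaries (distinct drive letters per process, how often each privilege was enabled per pid, and the distinct WriteProcessMemory source-to-target edges). The three input strings are copied verbatim from the signature entries above, truncated to a few entries each; the HIGH_IMPACT privilege list is the example author's own choice and is not something the report states.

```python
"""Summarise the flattened signature IoC text of a sandbox report.

Added example; not part of the report or of the sandbox's tooling.
The input strings are copied from the report's signature section above and
truncated to a handful of entries so the block stays short.
"""
import re
from collections import defaultdict

# Drive-enumeration IoCs: "File opened (read-only) \??\Y: msiexec.exe" repeated.
DRIVE_IOCS = (
    r"File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\N: msiexec.exe "
    r"File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe"
)

# AdjustPrivilegeToken IoCs: "Token: <Privilege> <pid> <process>" repeated.
TOKEN_IOCS = (
    "Token: SeShutdownPrivilege 3544 msiexec.exe Token: SeIncreaseQuotaPrivilege 3544 msiexec.exe "
    "Token: SeSecurityPrivilege 408 msiexec.exe Token: SeDebugPrivilege 3544 msiexec.exe "
    "Token: SeDebugPrivilege 3544 msiexec.exe Token: SeTcbPrivilege 3544 msiexec.exe"
)

# WriteProcessMemory IoCs: "PID <src> wrote to memory of <dst> <src> <process> <procid_target>".
WPM_IOCS = (
    "PID 408 wrote to memory of 2344 408 msiexec.exe 73 "
    "PID 408 wrote to memory of 2344 408 msiexec.exe 73 "
    "PID 408 wrote to memory of 2344 408 msiexec.exe 73"
)

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)")
TOKEN_RE = re.compile(r"Token:\s+(Se\w+Privilege)\s+(\d+)\s+(\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+)\s+(\d+)")

# Privileges worth a second look when a process enables them. This selection is
# the example author's own (an assumption), not a list the report provides.
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege", "SeImpersonatePrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege",
}


def drives_by_process(text):
    """Return ({process: sorted distinct drive letters}, raw IoC count)."""
    hits = DRIVE_RE.findall(text)
    seen = defaultdict(set)
    for letter, proc in hits:
        seen[proc].add(letter)
    return {p: sorted(s) for p, s in seen.items()}, len(hits)


def privileges_by_pid(text):
    """Return {pid: {privilege: times recorded}}.

    Keeping the repeat count matters: the same privilege set recorded several
    times in the same order is one loop, not that many separate decisions.
    """
    out = defaultdict(lambda: defaultdict(int))
    for priv, pid, _proc in TOKEN_RE.findall(text):
        out[int(pid)][priv] += 1
    return {pid: dict(d) for pid, d in out.items()}


def flag_high_impact(privs_by_pid):
    """Return {pid: sorted privileges from HIGH_IMPACT that the pid enabled}."""
    return {pid: sorted(set(d) & HIGH_IMPACT) for pid, d in privs_by_pid.items()}


def memory_write_edges(text):
    """Return (sorted distinct (source pid, target pid, process) edges, raw IoC count)."""
    hits = WPM_RE.findall(text)
    edges = sorted({(int(src), int(dst), proc) for src, dst, proc, _target in hits})
    return edges, len(hits)


if __name__ == "__main__":
    drives, n_drives = drives_by_process(DRIVE_IOCS)
    print(f"{n_drives} drive IoCs -> {drives}")
    privs = privileges_by_pid(TOKEN_IOCS)
    for pid, counts in privs.items():
        print(f"pid {pid}: {sum(counts.values())} IoCs, {len(counts)} distinct privileges")
    print("high-impact:", flag_high_impact(privs))
    edges, n_wpm = memory_write_edges(WPM_IOCS)
    print(f"{n_wpm} WriteProcessMemory IoCs -> {edges}")
```

Run against the full entries above, the same functions reduce the 48 drive IoCs to 24 distinct letters (A: to Z: minus C: and D:) opened twice each, the 90 token IoCs to 29 distinct privileges for pid 3544 plus one SeSecurityPrivilege for pid 408, and the 3 WriteProcessMemory IoCs to a single 408 to 2344 edge. Read together with the process list below, that edge is the Windows Installer service (msiexec.exe started with /V, pid 408) writing into the 32-bit custom action server it spawned (syswow64\MsiExec.exe -Embedding, pid 2344), which is also the only process credited with loading a dropped DLL; an msiexec client opening every volume root read-only is what Windows Installer does while costing disk space, so that signature on its own says little about this sample.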
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1234.jar.msi
  PID: 3544
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 408
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (child of PID 408)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 11C047C0BB0810E7DB7BED3E1718E55C C
    PID: 2344
    - Loads dropped DLL