e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b

Analysis

max time kernel
310s
max time network
386s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Size

749KB
MD5

0fa0bc909e6d9e0bb7e698218d120876
SHA1

497f99755892941b0633f1d8832a148829181903
SHA256

e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b
SHA512

1b16a3b25265c58adf10791058dff9d70170dcf87e6a442d565c152f18546273551b26b961d02214223be8629f36094c41b6f1d6353c62b93dce71d6fa6d460b
SSDEEP

12288:l9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hZ56hyF:vZ1xuVVjfFoynPaVBUR8f+kN10EB0s

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\java32\\java.exe"	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\system32\\java32\\java.exe"	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\java32\java.exe	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
File opened for modification	C:\Windows\SysWOW64\java32\java.exe	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
File opened for modification	C:\Windows\SysWOW64\java32\	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeSecurityPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeTakeOwnershipPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeLoadDriverPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeSystemProfilePrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeSystemtimePrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeProfSingleProcessPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeIncBasePriorityPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeCreatePagefilePrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeBackupPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeRestorePrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeShutdownPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeDebugPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeSystemEnvironmentPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeChangeNotifyPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeRemoteShutdownPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeUndockPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeManageVolumePrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeImpersonatePrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeCreateGlobalPrivilege	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: 33	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: 34	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: 35	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: 36	2424	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe

C:\Users\Admin\AppData\Local\Temp\e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
"C:\Users\Admin\AppData\Local\Temp\e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads