Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2023, 02:04
Static task: static1
Behavioral task: behavioral1
  Sample: JJSploit_7.1.3_x86_en-US.msi
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: JJSploit_7.1.3_x86_en-US.msi
  Resource: win10v2004-20230220-en
General
Target: JJSploit_7.1.3_x86_en-US.msi
Size: 5.8MB
MD5: 89b39aafa577686ce2890ff00a22f7d6
SHA1: 1259bb1962d23f242ebe340f359b3825a31989d4
SHA256: dfdb140d98307146cbdbc726cc1f4897acc14288c95fd8bfc5ab29f91c895fa3
SHA512: 59d7ee87354f01c9bcaf438086a730f56c671f75815be696b07107d54f886b48a7217a7c4138e690a6c0670b7c39dd564650b63e6e12743d46b3bd65824ad70d
SSDEEP: 98304:oni7F600rU+xmX0VumSuS2eaYbC8wSKyWatyiGoMNjbLmf19+I3NlNi3bywir:Gi7F6MiVVBS2e3bC8wS+QGZNYpi2
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  PID 5088 MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  msiexec.exe opened each of the following drive roots read-only; every root is listed twice, giving the 48 IoCs:
  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  Note: Windows Installer probes every volume during its costing phase, so this signature fires on practically any MSI install and does not by itself distinguish this sample from a benign installer.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 1252 msiexec.exe: SeSecurityPrivilege (1 request)
  PID 4124 msiexec.exe (63 requests): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following 29-privilege sequence twice in full and a third time as far as SeLockMemoryPrivilege:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  Note: these are the privileges the process asked AdjustTokenPrivileges to enable, not necessarily privileges its token held (SeTcbPrivilege and SeCreateTokenPrivilege, for example, are not normally present in an administrator's token). A whole-token enable pass like this is standard msiexec.exe behaviour and carries little weight on its own.
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 4124 msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1252 msiexec.exe wrote to the memory of PID 5088 (procid_target 100); recorded three times.
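Both "Enumerates connected drives" and "Suspicious use of AdjustPrivilegeToken" arrive as one flattened line of IoCs, and both are expected of msiexec.exe, so the useful triage question is whether any other process in the tree would trip them. The Python below is an added example, not the sandbox's code or anything from the report: it parses IoC text in the two formats shown above ("File opened (read-only) \??\X: <process>" and "Token: <privilege> <pid> <process>"), re-derives the per-process counts, and applies an allowlist so that installer-normal behaviour is ranked as expected rather than suspicious. The thresholds, the allowlist, the HIGH_RISK_PRIVILEGES set and the "dropper.exe" entries in the sample input are this example's own assumptions; the sample otherwise reuses the drive letters and the 29-privilege cycle from the report.

```python
"""Triage helpers for flattened sandbox signature lines (added example).

Parses the two noisy signatures from the report's IoC text, re-derives
per-process counts, and applies an allowlist so behaviour expected of
msiexec.exe is not ranked as suspicious. Thresholds, the allowlist and
HIGH_RISK_PRIVILEGES are assumptions of this example, not sandbox scoring.
"""
import re
from collections import defaultdict

# "File opened (read-only) \??\F: msiexec.exe"  (format as in the report)
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
# "Token: SeDebugPrivilege 4124 msiexec.exe"  (format as in the report)
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")

# Assumption: privileges worth calling out individually; enabling these is a
# stronger signal than the generic "adjusts its own token" behaviour.
HIGH_RISK_PRIVILEGES = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeImpersonatePrivilege",
}

# Assumption: processes for which opening every drive root is normal
# (Windows Installer's costing phase does exactly that).
EXPECTED_DRIVE_ENUMERATORS = frozenset({"msiexec.exe"})


def parse_drive_roots(text):
    """Map process name -> sorted distinct drive letters opened, excluding C:
    (the sandbox signature only counts drives other than the default)."""
    roots = defaultdict(set)
    for letter, proc in DRIVE_RE.findall(text):
        if letter != "C":
            roots[proc].add(letter)
    return {proc: sorted(letters) for proc, letters in roots.items()}


def drive_enumeration_verdict(text, min_distinct=4,
                              expected=EXPECTED_DRIVE_ENUMERATORS):
    """Per process: distinct non-C roots opened and a verdict string."""
    verdicts = {}
    for proc, letters in parse_drive_roots(text).items():
        if len(letters) < min_distinct:
            verdict = "below-threshold"
        elif proc.lower() in expected:
            verdict = "expected"
        else:
            verdict = "suspicious"
        verdicts[proc] = {"distinct_roots": len(letters),
                          "roots": letters, "verdict": verdict}
    return verdicts


def parse_privileges(text):
    """Map (pid, process) -> privileges in the order they were requested."""
    requests = defaultdict(list)
    for priv, pid, proc in TOKEN_RE.findall(text):
        requests[(int(pid), proc)].append(priv)
    return dict(requests)


def privilege_verdict(text, bulk_threshold=20):
    """Per (pid, process): request count, distinct count, the high-risk
    subset, and whether the set is big enough to be an enable-everything
    pass rather than a targeted request for one or two privileges."""
    result = {}
    for key, privs in parse_privileges(text).items():
        distinct = set(privs)
        result[key] = {
            "requests": len(privs),
            "distinct": len(distinct),
            "high_risk": sorted(distinct & HIGH_RISK_PRIVILEGES),
            "bulk_enable": len(distinct) >= bulk_threshold,
        }
    return result


# Constructed sample: a subset of the report's msiexec.exe drive IoCs plus a
# made-up "dropper.exe" (not in the report) to exercise the suspicious branch.
SAMPLE_DRIVE_LINES = " ".join(
    ["File opened (read-only) \\??\\" + d + ": msiexec.exe" for d in "FQZFGLMVBQ"]
    + ["File opened (read-only) \\??\\" + d + ": dropper.exe" for d in "CEFGH"]
)

# The 29 privileges PID 4124 cycles through in the report, in the report's
# order; the constructed sample replays one pass after the two leading ones.
CYCLE = [
    "SeCreateToken", "SeAssignPrimaryToken", "SeLockMemory", "SeIncreaseQuota",
    "SeMachineAccount", "SeTcb", "SeSecurity", "SeTakeOwnership", "SeLoadDriver",
    "SeSystemProfile", "SeSystemtime", "SeProfSingleProcess", "SeIncBasePriority",
    "SeCreatePagefile", "SeCreatePermanent", "SeBackup", "SeRestore", "SeShutdown",
    "SeDebug", "SeAudit", "SeSystemEnvironment", "SeChangeNotify", "SeRemoteShutdown",
    "SeUndock", "SeSyncAgent", "SeEnableDelegation", "SeManageVolume", "SeImpersonate",
    "SeCreateGlobal",
]
SAMPLE_TOKEN_LINES = " ".join(
    ["Token: SeShutdownPrivilege 4124 msiexec.exe",
     "Token: SeIncreaseQuotaPrivilege 4124 msiexec.exe",
     "Token: SeSecurityPrivilege 1252 msiexec.exe"]
    + ["Token: " + p + "Privilege 4124 msiexec.exe" for p in CYCLE]
)

if __name__ == "__main__":
    for proc, v in drive_enumeration_verdict(SAMPLE_DRIVE_LINES).items():
        print(proc, v["distinct_roots"], v["verdict"])
    for (pid, proc), v in privilege_verdict(SAMPLE_TOKEN_LINES).items():
        print(pid, proc, v["requests"], v["distinct"], v["bulk_enable"], v["high_risk"])
```

On the sample, msiexec.exe opens eight distinct non-C roots and is ranked "expected" because of the allowlist, while the constructed dropper.exe opens four and is ranked "suspicious"; PID 4124 shows 31 requests over 29 distinct privileges (an enable-everything pass containing all nine high-risk names) and PID 1252 shows a single SeSecurityPrivilege request. The point of the allowlist is that the same numbers would be damning for an unknown binary and are routine for the installer engine.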
Processes
C:\Windows\system32\msiexec.exe (depth 1, PID 4124)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\JJSploit_7.1.3_x86_en-US.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (depth 1, PID 1252)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe (depth 2, PID 5088, child of 1252)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7FCB56FD10ABB4574F8D58BA5246C5A5 C
    - Loads dropped DLL
Reading the tree: PID 4124 is the client instance started for the submission (msiexec /I <package>). msiexec.exe /V is the Windows Installer service instance, and the syswow64 MsiExec.exe -Embedding <GUID> process it spawns is the 32-bit custom action server; that is where a package's custom action DLL is loaded, which is why "Loads dropped DLL" is attributed to PID 5088 and why the three WriteProcessMemory IoCs are 1252 writing into 5088. The DLL loaded by the custom action server is the artefact to pull and examine; the rest of the tree is what any MSI install looks like.
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 113KB
MD5: 4fdd16752561cf585fed1506914d73e0
SHA1: f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256: aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA512: 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600