Analysis
-
max time kernel
135s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
12-06-2023 14:23
Static task
static1
Behavioral task
behavioral1
Sample
JJSploit_7.2.1_x86_en-US.msi
Resource
win7-20230220-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
JJSploit_7.2.1_x86_en-US.msi
Resource
win10v2004-20230220-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
JJSploit_7.2.1_x86_en-US.msi
-
Size
5.8MB
-
MD5
4b884c18f4682189708c771c13ad573e
-
SHA1
a74f992bc18c1936671cb38f1a94ce872ee4c687
-
SHA256
e0b2d388d35046a5ce669e753adb96b8d6de670d352ae34fc41eaf79303a3d45
-
SHA512
bc466b11352b4671caad01acb763d763e40a9e9d20eaf3e0f5b7e8d9b5ef939049570ee18e0e08301fc9cb65b9b83997cf9c884c3a0c47ac91fb1baabe980574
-
SSDEEP
98304:Gr5BsITy5d5aaJweCkT8JdpF9aDK1ZcWmZYDpNTENWYbZkON/t1ZolL6r:EOITEaaJv+Jd9aDKUWJinDZol
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\U: msiexec.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeShutdownPrivilege 4948 msiexec.exe Token: SeIncreaseQuotaPrivilege 4948 msiexec.exe Token: SeSecurityPrivilege 4400 msiexec.exe Token: SeCreateTokenPrivilege 4948 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4948 msiexec.exe Token: SeLockMemoryPrivilege 4948 msiexec.exe Token: SeIncreaseQuotaPrivilege 4948 msiexec.exe Token: SeMachineAccountPrivilege 4948 msiexec.exe Token: SeTcbPrivilege 4948 msiexec.exe Token: SeSecurityPrivilege 4948 msiexec.exe Token: SeTakeOwnershipPrivilege 4948 msiexec.exe Token: SeLoadDriverPrivilege 4948 msiexec.exe Token: SeSystemProfilePrivilege 4948 msiexec.exe Token: SeSystemtimePrivilege 4948 msiexec.exe Token: SeProfSingleProcessPrivilege 4948 msiexec.exe Token: SeIncBasePriorityPrivilege 4948 msiexec.exe Token: SeCreatePagefilePrivilege 4948 msiexec.exe Token: SeCreatePermanentPrivilege 4948 msiexec.exe Token: SeBackupPrivilege 4948 msiexec.exe Token: SeRestorePrivilege 4948 msiexec.exe Token: SeShutdownPrivilege 4948 msiexec.exe Token: SeDebugPrivilege 4948 msiexec.exe Token: SeAuditPrivilege 4948 msiexec.exe Token: SeSystemEnvironmentPrivilege 4948 msiexec.exe Token: SeChangeNotifyPrivilege 4948 msiexec.exe Token: SeRemoteShutdownPrivilege 4948 msiexec.exe Token: SeUndockPrivilege 4948 msiexec.exe Token: SeSyncAgentPrivilege 4948 msiexec.exe Token: SeEnableDelegationPrivilege 4948 msiexec.exe Token: SeManageVolumePrivilege 4948 msiexec.exe Token: SeImpersonatePrivilege 4948 msiexec.exe Token: SeCreateGlobalPrivilege 4948 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4948 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\JJSploit_7.2.1_x86_en-US.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4948
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4400