Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-07-2023 11:46
Static task: static1
Behavioral task: behavioral1
- Sample: jre-6u25-windows-x64.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: jre-6u25-windows-x64.exe
- Resource: win10v2004-20230703-en
General
- Target: jre-6u25-windows-x64.exe
- Size: 16.1MB
- MD5: 44632e1d79bec1790fe72f76dbab1e75
- SHA1: fe7248273ff57960fc151bf96d814bc8a297063b
- SHA256: 5b623c9877ad3c91fbf0b98b109f09f4d251856eeab637a46af29e946af4ef91
- SHA512: 5fe963bc83370abf35414f42e02b6fbd70d29d84c95b4292f81b040c8d33cdcdd9c0a81a8f3fc3ca3e8b8bfdb02d0ef6761729f88cf8eee44002092327b41fe9
- SSDEEP: 393216:e0iHkoRtJOLRYLmfjZC9Pyqbmvuu34VJ5LRK:Wko4eLgk97acJFM
Malware Config
Signatures
-
- Loads dropped DLL (1 IoC)
  pid: 2832  Process: MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)  Process: msiexec.exe (all 46 entries)
  ioc: \??\<letter>: for each of the 23 drive letters A B E G H I J K L M N O P Q R S T U V W X Y Z, each listed twice (46 entries in total)
  Not opened: C: D: F:
  Two openings per letter is consistent with the process tree, where both msiexec.exe instances (PIDs 4352 and 4608) carry this signature. Windows Installer probes volume roots during its costing step (free-space calculation), so for an MSI-based installer this signature is expected rather than suspicious on its own.
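The signature above is easier to reason about once the flattened IoC text is turned into per-letter counts. The following is an added example written for this page (not part of the sandbox report or of any tool it uses): it parses entries in the report's own "File opened (read-only) \??\X: process" form, summarises which volume roots were touched and by which processes, and applies a simple sweep heuristic. The input is reconstructed from the 46 entries on this page; the threshold in is_drive_sweep is an assumption, not a value the report defines.

```python
import re
import string
from collections import Counter

# Matches one flattened IoC entry: File opened (<mode>) \??\<X>: <process>
IOC_RE = re.compile(r"File opened \(([^)]+)\) \\\?\?\\([A-Z]):\s+(\S+)")


def parse_drive_iocs(text):
    """Return (drive_letter, open_mode, process) for each IoC entry found in text."""
    return [(m.group(2), m.group(1), m.group(3)) for m in IOC_RE.finditer(text)]


def summarize_drives(entries):
    """Count openings per drive letter and report which letters were never touched."""
    letters = Counter(letter for letter, _, _ in entries)
    seen = set(letters)
    return {
        "total": len(entries),
        "distinct": len(seen),
        "per_letter_max": max(letters.values(), default=0),
        "missing": sorted(set(string.ascii_uppercase) - seen),
        "processes": sorted({proc for _, _, proc in entries}),
        "modes": sorted({mode for _, mode, _ in entries}),
    }


def is_drive_sweep(entries, min_letters=10):
    """Heuristic (assumed threshold): opening the root of many volumes, most of which
    cannot exist on a typical host, is a sweep rather than ordinary file I/O."""
    return len({letter for letter, _, _ in entries}) >= min_letters


# Constructed from the report: the drive letters in the order the 46 entries list them.
# Every entry on the page reads 'File opened (read-only) \??\<X>: msiexec.exe'.
_ORDER = ("S U I P S U X K Z J M L Q Y B N A E E N A H I P R T V R Z W X G O W M O H K V G "
          "J L Q Y B T").split()
REPORT_TEXT = " ".join(f"File opened (read-only) \\??\\{d}: msiexec.exe" for d in _ORDER)

if __name__ == "__main__":
    entries = parse_drive_iocs(REPORT_TEXT)
    print(summarize_drives(entries))
    print("sweep:", is_drive_sweep(entries))
```

Run on this report's entries the summary shows 23 distinct letters, each opened twice, with C:, D: and F: absent; the sweep heuristic fires, which is why the caveat about Windows Installer's costing step matters before treating it as evidence of anything.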
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description: Key opened          ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Process: msiexec.exe
  description: Key value queried   ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Process: msiexec.exe
  The description is the sandbox's generic text for this signature. Here the value is read by the Windows Installer client (PID 4352 in the process tree), and nothing else in the report shows behaviour that changes depending on the result.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description: Token  Process: msiexec.exe  pid: 4352 (63 entries) and 4608 (1 entry)
  The 64 entries, in the order listed:
  1. SeShutdownPrivilege (4352)
  2. SeIncreaseQuotaPrivilege (4352)
  3. SeSecurityPrivilege (4608)
  4-64. PID 4352 runs through the following 29 privileges in this fixed order, twice in full and then a third time through the first three (SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege):
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  That order is the well-known privilege LUID order (SE_CREATE_TOKEN_PRIVILEGE = 2 through SE_CREATE_GLOBAL_PRIVILEGE = 30): the process walks the whole privilege table and asks for every entry in turn rather than singling out SeDebugPrivilege or SeTcbPrivilege. Whether each call succeeds depends on which privileges the token actually holds, which the sandbox does not record.
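The distinction between a blanket privilege sweep and a targeted enable is the thing worth automating when this signature fires. The block below is an added example for this page, not code from the sandbox or from the installer: it parses the report's flattened "Token: SePrivilege pid process" entries, maps each privilege to its well-known LUID, and calls a sequence a sweep when it contains a long run of consecutive LUIDs. The report text is reconstructed from the 64 entries above; the second sample (a process enabling only SeDebugPrivilege), the min_run threshold and the HIGH_VALUE set are assumptions chosen for illustration.

```python
import re

# Well-known privilege names in LUID order (SE_CREATE_TOKEN_PRIVILEGE = 2 through
# SE_CREATE_GLOBAL_PRIVILEGE = 30, as numbered in ntifs.h).
_LUID_ORDER = [
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege", "SeTcbPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfSingleProcessPrivilege",
    "SeIncBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeAuditPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege",
]
LUID = {name: i for i, name in enumerate(_LUID_ORDER, start=2)}

# Privileges whose *targeted* enabling deserves a second look (assumed triage list).
HIGH_VALUE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
              "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
              "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

TOKEN_RE = re.compile(r"Token:\s+(Se\w+Privilege)\s+(\d+)\s+(\S+)")


def parse_token_iocs(text):
    """Return (privilege, pid, process) for each flattened 'Token: ...' entry."""
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in TOKEN_RE.finditer(text)]


def by_pid(entries):
    """Group privilege names per pid, preserving the order they were requested in."""
    seq = {}
    for priv, pid, _ in entries:
        seq.setdefault(pid, []).append(priv)
    return seq


def longest_luid_run(privs):
    """Length of the longest run where each privilege's LUID is the previous LUID + 1."""
    best = run = 1 if privs else 0
    for prev, cur in zip(privs, privs[1:]):
        a, b = LUID.get(prev), LUID.get(cur)
        if a is not None and b is not None and b == a + 1:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def classify(privs, min_run=8):
    """'sweep' when a long LUID-ordered run shows every privilege being tried in turn,
    'targeted' otherwise; also lists the high-value privileges that appeared."""
    run = longest_luid_run(privs)
    return {
        "verdict": "sweep" if run >= min_run else "targeted",
        "longest_run": run,
        "distinct": len(set(privs)),
        "high_value": sorted(HIGH_VALUE & set(privs)),
    }


def triage(text, min_run=8):
    return {pid: classify(privs, min_run) for pid, privs in by_pid(parse_token_iocs(text)).items()}


# Reconstructed from this report's 64 entries: the first three verbatim, then PID 4352
# cycling through the LUID-ordered list twice plus its first three names again.
REPORT_TEXT = (
    "Token: SeShutdownPrivilege 4352 msiexec.exe Token: SeIncreaseQuotaPrivilege 4352 msiexec.exe "
    "Token: SeSecurityPrivilege 4608 msiexec.exe "
    + " ".join(f"Token: {p} 4352 msiexec.exe" for p in _LUID_ORDER * 2 + _LUID_ORDER[:3])
)
# Constructed contrast case (hypothetical process): only SeDebugPrivilege is enabled.
TARGETED_TEXT = "Token: SeDebugPrivilege 1234 dropper.exe"

if __name__ == "__main__":
    for pid, result in triage(REPORT_TEXT).items():
        print(pid, result)
    print(triage(TARGETED_TEXT))
```

For PID 4352 the longest consecutive run is 29, the full table, so the verdict is "sweep" and the high-value list is uninformative because everything is in it; the constructed SeDebugPrivilege-only case comes back "targeted" with SeDebugPrivilege as the single high-value hit, which is the shape of event a detection should actually care about.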
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid: 4352  Process: msiexec.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                   procid_target
  PID 4104 wrote to memory of 4352   4104  jre-6u25-windows-x64.exe  84
  PID 4104 wrote to memory of 4352   4104  jre-6u25-windows-x64.exe  84
  PID 4608 wrote to memory of 2832   4608  msiexec.exe               88
  PID 4608 wrote to memory of 2832   4608  msiexec.exe               88
Processes
- C:\Users\Admin\AppData\Local\Temp\jre-6u25-windows-x64.exe (PID 4104)
  "C:\Users\Admin\AppData\Local\Temp\jre-6u25-windows-x64.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\msiexec.exe (PID 4352)
    "C:\Windows\System32\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.6.0_25_x64\jre1.6.0_25.msi" METHOD=joff
    Signatures: Enumerates connected drives; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4608)
  C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\MsiExec.exe (PID 2832)
    C:\Windows\System32\MsiExec.exe -Embedding 1310A8B33A6CBE38054ED19E45461818 C
    Signatures: Loads dropped DLL
The tree is the standard Windows Installer layout: the self-extracting installer (4104) drops jre1.6.0_25.msi under AppData\LocalLow and runs the msiexec client against it; msiexec /V (4608) is the Windows Installer service process, and the MsiExec -Embedding child (2832) is the custom action server it starts, which is where the dropped DLL is loaded. Both WriteProcessMemory entries pair a parent with the child it created (4104 -> 4352, 4608 -> 2832); no write into an unrelated process is recorded.
Network
- DNS via 8.8.8.8:53
  Request:  javadl-esd.sun.com IN A
  Response: javadl-esd.sun.com IN CNAME javadl-esd-sino.sun.com.edgesuite.net
            javadl-esd-sino.sun.com.edgesuite.net IN CNAME a1799.d.akamai.net
            a1799.d.akamai.net IN A 23.63.101.155
            a1799.d.akamai.net IN A 23.63.101.154
- HTTP to 23.63.101.155:80
  Request:
    GET /update/1.6.0/1.6.0_25-b06.xml HTTP/1.1
    User-Agent: jupdate
    Host: javadl-esd.sun.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Content-Type: application/xml
    ETag: "9e4d7a3b0782e5a37fba3e68a6ad06ad:1534185705"
    Last-Modified: Tue, 05 Sep 2017 18:42:35 GMT
    Server: AkamaiNetStorage
    Content-Length: 1299
    Expires: Wed, 19 Jul 2023 12:06:58 GMT
    Cache-Control: max-age=0, no-cache
    Pragma: no-cache
    Date: Wed, 19 Jul 2023 12:06:58 GMT
    Connection: keep-alive
  The installer's update check fetches its XML manifest over cleartext HTTP on port 80, so the manifest is readable and modifiable by anyone on the path; the flow is attributed to jre-6u25-windows-x64.exe itself (User-Agent "jupdate"), and the server marks the manifest no-cache, so it is re-fetched on every check.
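Pulling the triage facts out of a captured exchange like this one (transport, resolved address versus the address actually contacted, caching policy, how stale the manifest is) is routine enough to script. The block below is an added example written for this page, not part of the report or of the Java updater: it parses the request and response as recorded above, follows the CNAME chain from the DNS answer, and returns a dictionary of findings. The request, response and DNS records are constructed from the page's own capture; the field names in the result are this example's choice.

```python
from email.utils import parsedate_to_datetime

# Constructed from the capture on this page: request and response headers as recorded.
REMOTE = "23.63.101.155:80"
REQUEST = (
    "GET /update/1.6.0/1.6.0_25-b06.xml HTTP/1.1\r\n"
    "User-Agent: jupdate\r\n"
    "Host: javadl-esd.sun.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/xml\r\n"
    'ETag: "9e4d7a3b0782e5a37fba3e68a6ad06ad:1534185705"\r\n'
    "Last-Modified: Tue, 05 Sep 2017 18:42:35 GMT\r\n"
    "Server: AkamaiNetStorage\r\n"
    "Content-Length: 1299\r\n"
    "Expires: Wed, 19 Jul 2023 12:06:58 GMT\r\n"
    "Cache-Control: max-age=0, no-cache\r\n"
    "Pragma: no-cache\r\n"
    "Date: Wed, 19 Jul 2023 12:06:58 GMT\r\n"
    "Connection: keep-alive\r\n\r\n"
)
# The DNS answer section from the page as (name, type, rdata) records.
DNS_RECORDS = [
    ("javadl-esd.sun.com", "CNAME", "javadl-esd-sino.sun.com.edgesuite.net"),
    ("javadl-esd-sino.sun.com.edgesuite.net", "CNAME", "a1799.d.akamai.net"),
    ("a1799.d.akamai.net", "A", "23.63.101.155"),
    ("a1799.d.akamai.net", "A", "23.63.101.154"),
]


def parse_http(message):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = message.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def follow_cnames(qname, records, max_depth=8):
    """Follow CNAME records from qname until a name with A records is reached."""
    chain, name = [qname], qname
    for _ in range(max_depth):
        cname = next((r for n, t, r in records if n == name and t == "CNAME"), None)
        if cname is None:
            break
        name = cname
        chain.append(name)
    ips = [r for n, t, r in records if n == name and t == "A"]
    return chain, ips


def triage_exchange(remote, request, response, records):
    """Derive the facts a reviewer wants from one captured request/response pair."""
    req_line, req_h, _ = parse_http(request)
    status_line, resp_h, _ = parse_http(response)
    method, path, _ = req_line.split(" ", 2)
    ip, _, port = remote.rpartition(":")
    host = req_h.get("host", ip)
    chain, ips = follow_cnames(host, records)
    age = parsedate_to_datetime(resp_h["date"]) - parsedate_to_datetime(resp_h["last-modified"])
    return {
        "url": f"http://{host}{path}",
        "method": method,
        "status": int(status_line.split()[1]),
        "plaintext_http": port == "80",        # no TLS on the wire: manifest is tamperable in transit
        "ip_matches_dns": ip in ips,           # contacted address is one the resolver returned
        "cname_depth": len(chain) - 1,
        "user_agent": req_h.get("user-agent"),
        "content_type": resp_h.get("content-type"),
        "content_length": int(resp_h.get("content-length", "0")),
        "revalidate_every_time": "no-cache" in resp_h.get("cache-control", "").lower(),
        "manifest_age_days": age.days,        # Last-Modified relative to the server's Date
    }


if __name__ == "__main__":
    for key, value in triage_exchange(REMOTE, REQUEST, RESPONSE, DNS_RECORDS).items():
        print(f"{key:22} {value}")
```

On this capture the result records a cleartext GET to an address that matches the resolver's answer after two CNAME hops, a 1299-byte XML manifest that had not changed in just under six years, and a no-cache policy that makes the client refetch it every time. The ip_matches_dns check is the one to keep an eye on in other reports: a contacted address that the DNS answer never returned is a sign of hard-coded infrastructure or a spoofed resolver.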
-
- Reverse (PTR) lookups via 8.8.8.8:53 (the report attributes none of these queries to a process):
  Request                         Response
  2.136.104.51.in-addr.arpa       (no answer)
  254.20.238.8.in-addr.arpa       (no answer)
  155.101.63.23.in-addr.arpa      a23-63-101-155.deploy.static.akamaitechnologies.com
  68.32.126.40.in-addr.arpa       (no answer)
  108.211.229.192.in-addr.arpa    (no answer)
  26.35.223.20.in-addr.arpa       (no answer)
  208.194.73.20.in-addr.arpa      (no answer)
  202.74.101.95.in-addr.arpa      a95-101-74-202.deploy.static.akamaitechnologies.com
  59.128.231.4.in-addr.arpa       (no answer)
  158.240.127.40.in-addr.arpa     (no answer)
  26.165.165.52.in-addr.arpa      (no answer)
  206.23.85.13.in-addr.arpa       (no answer)
  63.13.109.52.in-addr.arpa       (no answer)
  2.173.189.20.in-addr.arpa       (no answer)
Flows (bytes sent / received, packets sent / received)
- 23.63.101.155:80  http  process: jre-6u25-windows-x64.exe  440 B / 1.9kB  7 / 5
  HTTP Request:  GET http://javadl-esd.sun.com/update/1.6.0/1.6.0_25-b06.xml
  HTTP Response: 200
- DNS  64 B / 176 B  1 / 1
  DNS Request:  javadl-esd.sun.com
  DNS Response: 23.63.101.155, 23.63.101.154
- DNS  71 B / 157 B  1 / 1   Request: 2.136.104.51.in-addr.arpa
- DNS  71 B / 125 B  1 / 1   Request: 254.20.238.8.in-addr.arpa
- DNS  72 B / 137 B  1 / 1   Request: 155.101.63.23.in-addr.arpa
- DNS  71 B / 157 B  1 / 1   Request: 68.32.126.40.in-addr.arpa
- DNS  74 B / 145 B  1 / 1   Request: 108.211.229.192.in-addr.arpa
- DNS  71 B / 157 B  1 / 1   Request: 26.35.223.20.in-addr.arpa
- DNS  72 B / 158 B  1 / 1   Request: 208.194.73.20.in-addr.arpa
- DNS  72 B / 137 B  1 / 1   Request: 202.74.101.95.in-addr.arpa
- DNS  71 B / 157 B  1 / 1   Request: 59.128.231.4.in-addr.arpa
- DNS  73 B / 147 B  1 / 1   Request: 158.240.127.40.in-addr.arpa
- DNS  72 B / 146 B  1 / 1   Request: 26.165.165.52.in-addr.arpa
- DNS  71 B / 145 B  1 / 1   Request: 206.23.85.13.in-addr.arpa
- DNS  71 B / 145 B  1 / 1   Request: 63.13.109.52.in-addr.arpa
- DNS  71 B / 157 B  1 / 1   Request: 2.173.189.20.in-addr.arpa
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 666KB
  MD5:    dda7f40550bf9fe60d92c21a8b178ec2
  SHA1:   c521736f4b82ff666e5cadef80101dce08e1a5d3
  SHA256: 03557cf4e516fb1da79a7c9b0bb886235d98f6f006fe98cada13c27fd890a798
  SHA512: 7ae993c33c6b2e64e69b98d5a85bc654884dc4ce4d90dd71340495c1788683031a18aa5e691dff09c8a2aa3f725fdb730785901a670caf890c941606ad5afc26
- Filesize: 103KB
  MD5:    d1c4f355d9924611bf790ab7e9973806
  SHA1:   b688845aea73f6696c14187bdf31c46242090272
  SHA256: 1096d8b0e56e3f148ad1ef2dd2047344196719d2229e57d69d7d87b73c505f94
  SHA512: 5fb79e0a88350f0508570062b7206f0f3161e738f7d9e9a217d74776a143dcd5e399741eedca71e0dea16f09a5b2c9f782750d6b0951aaf0d48603cf95f7b1bb
- Filesize: 103KB (same content as the previous entry; the report lists it as a separate download)
  MD5:    d1c4f355d9924611bf790ab7e9973806
  SHA1:   b688845aea73f6696c14187bdf31c46242090272
  SHA256: 1096d8b0e56e3f148ad1ef2dd2047344196719d2229e57d69d7d87b73c505f94
  SHA512: 5fb79e0a88350f0508570062b7206f0f3161e738f7d9e9a217d74776a143dcd5e399741eedca71e0dea16f09a5b2c9f782750d6b0951aaf0d48603cf95f7b1bb