ef40941f1b54b52747d98330ca845374bccb8e3635fc7f647f60405cf51eb17f

Analysis

max time kernel
111s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2023 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jdk-20_windows-x64_bin.exe
Size

160.1MB
MD5

95f20fdf9e5091671fe763b16b172b6b
SHA1

26d71d782904d5b3901cbc2bfbc4b52af0922e55
SHA256

ef40941f1b54b52747d98330ca845374bccb8e3635fc7f647f60405cf51eb17f
SHA512

2b715a7c86d8934be2c64b534e8eba103ee73d9d4b50081a8bc3feb922141a947da42080f1b8325d9564acb48b03ce48a24e91b41ff1e231db3cd6ad93b031f5
SSDEEP

3145728:h2lbi8jnUj8wb3W3IGVEYV981TNnLTWlNOkeXhm:gieE80KGWlGk

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
32	2756	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
468	jdk-20_windows-x64_bin.exe

Loads dropped DLL 3 IoCs

pid	Process
1656	MsiExec.exe
1656	MsiExec.exe
1656	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2756	msiexec.exe
Token: SeSecurityPrivilege	2868	msiexec.exe
Token: SeCreateTokenPrivilege	2756	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2756	msiexec.exe
Token: SeLockMemoryPrivilege	2756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2756	msiexec.exe
Token: SeMachineAccountPrivilege	2756	msiexec.exe
Token: SeTcbPrivilege	2756	msiexec.exe
Token: SeSecurityPrivilege	2756	msiexec.exe
Token: SeTakeOwnershipPrivilege	2756	msiexec.exe
Token: SeLoadDriverPrivilege	2756	msiexec.exe
Token: SeSystemProfilePrivilege	2756	msiexec.exe
Token: SeSystemtimePrivilege	2756	msiexec.exe
Token: SeProfSingleProcessPrivilege	2756	msiexec.exe
Token: SeIncBasePriorityPrivilege	2756	msiexec.exe
Token: SeCreatePagefilePrivilege	2756	msiexec.exe
Token: SeCreatePermanentPrivilege	2756	msiexec.exe
Token: SeBackupPrivilege	2756	msiexec.exe
Token: SeRestorePrivilege	2756	msiexec.exe
Token: SeShutdownPrivilege	2756	msiexec.exe
Token: SeDebugPrivilege	2756	msiexec.exe
Token: SeAuditPrivilege	2756	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2756	msiexec.exe
Token: SeChangeNotifyPrivilege	2756	msiexec.exe
Token: SeRemoteShutdownPrivilege	2756	msiexec.exe
Token: SeUndockPrivilege	2756	msiexec.exe
Token: SeSyncAgentPrivilege	2756	msiexec.exe
Token: SeEnableDelegationPrivilege	2756	msiexec.exe
Token: SeManageVolumePrivilege	2756	msiexec.exe
Token: SeImpersonatePrivilege	2756	msiexec.exe
Token: SeCreateGlobalPrivilege	2756	msiexec.exe
Token: SeCreateTokenPrivilege	2756	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2756	msiexec.exe
Token: SeLockMemoryPrivilege	2756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2756	msiexec.exe
Token: SeMachineAccountPrivilege	2756	msiexec.exe
Token: SeTcbPrivilege	2756	msiexec.exe
Token: SeSecurityPrivilege	2756	msiexec.exe
Token: SeTakeOwnershipPrivilege	2756	msiexec.exe
Token: SeLoadDriverPrivilege	2756	msiexec.exe
Token: SeSystemProfilePrivilege	2756	msiexec.exe
Token: SeSystemtimePrivilege	2756	msiexec.exe
Token: SeProfSingleProcessPrivilege	2756	msiexec.exe
Token: SeIncBasePriorityPrivilege	2756	msiexec.exe
Token: SeCreatePagefilePrivilege	2756	msiexec.exe
Token: SeCreatePermanentPrivilege	2756	msiexec.exe
Token: SeBackupPrivilege	2756	msiexec.exe
Token: SeRestorePrivilege	2756	msiexec.exe
Token: SeShutdownPrivilege	2756	msiexec.exe
Token: SeDebugPrivilege	2756	msiexec.exe
Token: SeAuditPrivilege	2756	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2756	msiexec.exe
Token: SeChangeNotifyPrivilege	2756	msiexec.exe
Token: SeRemoteShutdownPrivilege	2756	msiexec.exe
Token: SeUndockPrivilege	2756	msiexec.exe
Token: SeSyncAgentPrivilege	2756	msiexec.exe
Token: SeEnableDelegationPrivilege	2756	msiexec.exe
Token: SeManageVolumePrivilege	2756	msiexec.exe
Token: SeImpersonatePrivilege	2756	msiexec.exe
Token: SeCreateGlobalPrivilege	2756	msiexec.exe
Token: SeCreateTokenPrivilege	2756	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2756	msiexec.exe
Token: SeLockMemoryPrivilege	2756	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2756	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 468	1692	jdk-20_windows-x64_bin.exe	83
PID 1692 wrote to memory of 468	1692	jdk-20_windows-x64_bin.exe	83
PID 468 wrote to memory of 2756	468	jdk-20_windows-x64_bin.exe	91
PID 468 wrote to memory of 2756	468	jdk-20_windows-x64_bin.exe	91
PID 2868 wrote to memory of 1656	2868	msiexec.exe	95
PID 2868 wrote to memory of 1656	2868	msiexec.exe	95

C:\Users\Admin\AppData\Local\Temp\jdk-20_windows-x64_bin.exe
"C:\Users\Admin\AppData\Local\Temp\jdk-20_windows-x64_bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\jds240646171.tmp\jdk-20_windows-x64_bin.exe
  "C:\Users\Admin\AppData\Local\Temp\jds240646171.tmp\jdk-20_windows-x64_bin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk20.0.2_x64\jdk20.0.264.msi" WRAPPER=1
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2756

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 9A852081BE05E9E8F3BF87A9E3AD883A C
  2⤵
  - Loads dropped DLL
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk20.0.2_x64\jdk20.0.264.msi

Filesize
158.9MB

MD5
039c798bd3b0681415c94dec615b1344

SHA1
854bb4fc4ec637a397746c5a5745e30760adcef4

SHA256
d6b4db0821789bffe1b6c88937d061e878e9773e2e7d6469d99c970c97e0d3f5

SHA512
34dbd0827e309154b5bf03c2fb957f286f3a9e35bc5a80c52a60e237161df58a00d75fa1fb7a35f6d31efea35def56b4e35dc9bb386651c1bbd6e20bcf443366

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8807.tmp

Filesize
932KB

MD5
399cecbcb5221967f45f3f7409b9748d

SHA1
82460cb381f7204cfd062db009cfa6c01f391689

SHA256
c28bf8c194488af651a84d2a6f05df7b5b2bb906f9251b83b89242ad1531d3f7

SHA512
c08d94b9dcd737c9fbbc0dab999f118004355fb048457db241795d3bdf5d17d9f699ed3dc0b541d69d33f2117dbfeb851099777f453fe9ff0b4a96c11944a68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8807.tmp

Filesize
932KB

MD5
399cecbcb5221967f45f3f7409b9748d

SHA1
82460cb381f7204cfd062db009cfa6c01f391689

SHA256
c28bf8c194488af651a84d2a6f05df7b5b2bb906f9251b83b89242ad1531d3f7

SHA512
c08d94b9dcd737c9fbbc0dab999f118004355fb048457db241795d3bdf5d17d9f699ed3dc0b541d69d33f2117dbfeb851099777f453fe9ff0b4a96c11944a68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8856.tmp

Filesize
932KB

MD5
399cecbcb5221967f45f3f7409b9748d

SHA1
82460cb381f7204cfd062db009cfa6c01f391689

SHA256
c28bf8c194488af651a84d2a6f05df7b5b2bb906f9251b83b89242ad1531d3f7

SHA512
c08d94b9dcd737c9fbbc0dab999f118004355fb048457db241795d3bdf5d17d9f699ed3dc0b541d69d33f2117dbfeb851099777f453fe9ff0b4a96c11944a68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8856.tmp

Filesize
932KB

MD5
399cecbcb5221967f45f3f7409b9748d

SHA1
82460cb381f7204cfd062db009cfa6c01f391689

SHA256
c28bf8c194488af651a84d2a6f05df7b5b2bb906f9251b83b89242ad1531d3f7

SHA512
c08d94b9dcd737c9fbbc0dab999f118004355fb048457db241795d3bdf5d17d9f699ed3dc0b541d69d33f2117dbfeb851099777f453fe9ff0b4a96c11944a68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8886.tmp

Filesize
932KB

MD5
399cecbcb5221967f45f3f7409b9748d

SHA1
82460cb381f7204cfd062db009cfa6c01f391689

SHA256
c28bf8c194488af651a84d2a6f05df7b5b2bb906f9251b83b89242ad1531d3f7

SHA512
c08d94b9dcd737c9fbbc0dab999f118004355fb048457db241795d3bdf5d17d9f699ed3dc0b541d69d33f2117dbfeb851099777f453fe9ff0b4a96c11944a68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8886.tmp

Filesize
932KB

MD5
399cecbcb5221967f45f3f7409b9748d

SHA1
82460cb381f7204cfd062db009cfa6c01f391689

SHA256
c28bf8c194488af651a84d2a6f05df7b5b2bb906f9251b83b89242ad1531d3f7

SHA512
c08d94b9dcd737c9fbbc0dab999f118004355fb048457db241795d3bdf5d17d9f699ed3dc0b541d69d33f2117dbfeb851099777f453fe9ff0b4a96c11944a68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8886.tmp

Filesize
932KB

MD5
399cecbcb5221967f45f3f7409b9748d

SHA1
82460cb381f7204cfd062db009cfa6c01f391689

SHA256
c28bf8c194488af651a84d2a6f05df7b5b2bb906f9251b83b89242ad1531d3f7

SHA512
c08d94b9dcd737c9fbbc0dab999f118004355fb048457db241795d3bdf5d17d9f699ed3dc0b541d69d33f2117dbfeb851099777f453fe9ff0b4a96c11944a68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240646171.tmp\jdk-20_windows-x64_bin.exe

Filesize
159.7MB

MD5
e1d4b5b8160da6d70b5a1ad4591d538c

SHA1
8b8486dbcd0ad66849465c5ca5c9fc39e7458cbb

SHA256
4860c2b356a3fc90aa56317ba7cc479f676785620f79eda8ad44520e9c8b7b36

SHA512
ec46252ebf62253dab4ebbf96ca3af880604c145d1fea380949e4811fda357ad2105b96a7e25e8d03977951ea7fbe7095c6a53d8022279610bc36c679e184951

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240646171.tmp\jdk-20_windows-x64_bin.exe

Filesize
159.7MB

MD5
e1d4b5b8160da6d70b5a1ad4591d538c

SHA1
8b8486dbcd0ad66849465c5ca5c9fc39e7458cbb

SHA256
4860c2b356a3fc90aa56317ba7cc479f676785620f79eda8ad44520e9c8b7b36

SHA512
ec46252ebf62253dab4ebbf96ca3af880604c145d1fea380949e4811fda357ad2105b96a7e25e8d03977951ea7fbe7095c6a53d8022279610bc36c679e184951

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
267KB

MD5
4ab9b5bd4c0ceb47b6125906a67eccf2

SHA1
48eb18bb987cc4319ce4f6d0d878ad54086883cc

SHA256
0b29eca02ae18fb4831733435d98314bf224d2095fc615d562ae06cb696ca15d

SHA512
80e383ee382b9b9a2ec0855d245ddfa93c9f912ee4b094870662a7074de12544932beea12b83a59e376a1103f5fac497b7c48889ebf456e31364358f03c9183a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
274KB

MD5
61b9d76dcb51f158eadcf7a9fa2de2ed

SHA1
ae500692e45ef05dbac41f172a3f154ee1eb4b47

SHA256
9dec15f698d0c550833b755a4216e28117f70e0f5ae31862a97569557b3042e1

SHA512
47e802821310333897886695025a7c852de860c9fdc284101dc35e6672062ab943e54d75888691339e0f92ae286701f545a15217be80a23f1860f601d278797d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
294KB

MD5
4777b32b54ed9948cb23c1d08b5052af

SHA1
49021fd1d2383c52a90b1576ef382a10dfa453c0

SHA256
8f661c46290e092fc5f954285a1cbe81260b754b04cb0986c75a6746e2583538

SHA512
fcd93b730ad66a18290e700387d226bab089a71698b16c1ac036b49fe4b93814e049a95a42457d28e2072403cfa9b7864aa87584a6cd1e50551d77968d7e4659

Download Submit