ca5ad8ed93eb896a14b62ca531bafae3d33cac7234f0d0a05f5dbe888b9d12c4

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
31-10-2023 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9.exe
Size

7.0MB
MD5

fdf7ad31c9f76d711e9f8532062e4ab4
SHA1

b0ddea7bfb8d9eb4f6c5d36416b3092dcf604e2f
SHA256

ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9
SHA512

431954dda606caea8fdf0cde34e2a34e91b834c5fb53616897ccbb5cf77e378af3fbda990be6ec493eeebbe2586466eacd25a813c3a8a1a1805d1937d69fd3da
SSDEEP

196608:hZYwZl+XfRjp9mZBw9999999JwY9K69996GNfl+7p1VC2UkM:hhlu9mZu9999999JN9K6999dL+1tM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2656	JVSetup.exe

Loads dropped DLL 5 IoCs

pid	Process
1676	ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9.exe
2656	JVSetup.exe
2656	JVSetup.exe
2656	JVSetup.exe
2964	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2816	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2816	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2816	msiexec.exe
Token: SeRestorePrivilege	2844	msiexec.exe
Token: SeTakeOwnershipPrivilege	2844	msiexec.exe
Token: SeSecurityPrivilege	2844	msiexec.exe
Token: SeCreateTokenPrivilege	2816	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2816	msiexec.exe
Token: SeLockMemoryPrivilege	2816	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2816	msiexec.exe
Token: SeMachineAccountPrivilege	2816	msiexec.exe
Token: SeTcbPrivilege	2816	msiexec.exe
Token: SeSecurityPrivilege	2816	msiexec.exe
Token: SeTakeOwnershipPrivilege	2816	msiexec.exe
Token: SeLoadDriverPrivilege	2816	msiexec.exe
Token: SeSystemProfilePrivilege	2816	msiexec.exe
Token: SeSystemtimePrivilege	2816	msiexec.exe
Token: SeProfSingleProcessPrivilege	2816	msiexec.exe
Token: SeIncBasePriorityPrivilege	2816	msiexec.exe
Token: SeCreatePagefilePrivilege	2816	msiexec.exe
Token: SeCreatePermanentPrivilege	2816	msiexec.exe
Token: SeBackupPrivilege	2816	msiexec.exe
Token: SeRestorePrivilege	2816	msiexec.exe
Token: SeShutdownPrivilege	2816	msiexec.exe
Token: SeDebugPrivilege	2816	msiexec.exe
Token: SeAuditPrivilege	2816	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2816	msiexec.exe
Token: SeChangeNotifyPrivilege	2816	msiexec.exe
Token: SeRemoteShutdownPrivilege	2816	msiexec.exe
Token: SeUndockPrivilege	2816	msiexec.exe
Token: SeSyncAgentPrivilege	2816	msiexec.exe
Token: SeEnableDelegationPrivilege	2816	msiexec.exe
Token: SeManageVolumePrivilege	2816	msiexec.exe
Token: SeImpersonatePrivilege	2816	msiexec.exe
Token: SeCreateGlobalPrivilege	2816	msiexec.exe
Token: SeCreateTokenPrivilege	2816	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2816	msiexec.exe
Token: SeLockMemoryPrivilege	2816	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2816	msiexec.exe
Token: SeMachineAccountPrivilege	2816	msiexec.exe
Token: SeTcbPrivilege	2816	msiexec.exe
Token: SeSecurityPrivilege	2816	msiexec.exe
Token: SeTakeOwnershipPrivilege	2816	msiexec.exe
Token: SeLoadDriverPrivilege	2816	msiexec.exe
Token: SeSystemProfilePrivilege	2816	msiexec.exe
Token: SeSystemtimePrivilege	2816	msiexec.exe
Token: SeProfSingleProcessPrivilege	2816	msiexec.exe
Token: SeIncBasePriorityPrivilege	2816	msiexec.exe
Token: SeCreatePagefilePrivilege	2816	msiexec.exe
Token: SeCreatePermanentPrivilege	2816	msiexec.exe
Token: SeBackupPrivilege	2816	msiexec.exe
Token: SeRestorePrivilege	2816	msiexec.exe
Token: SeShutdownPrivilege	2816	msiexec.exe
Token: SeDebugPrivilege	2816	msiexec.exe
Token: SeAuditPrivilege	2816	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2816	msiexec.exe
Token: SeChangeNotifyPrivilege	2816	msiexec.exe
Token: SeRemoteShutdownPrivilege	2816	msiexec.exe
Token: SeUndockPrivilege	2816	msiexec.exe
Token: SeSyncAgentPrivilege	2816	msiexec.exe
Token: SeEnableDelegationPrivilege	2816	msiexec.exe
Token: SeManageVolumePrivilege	2816	msiexec.exe
Token: SeImpersonatePrivilege	2816	msiexec.exe
Token: SeCreateGlobalPrivilege	2816	msiexec.exe
Token: SeCreateTokenPrivilege	2816	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2816	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2656	1676	ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9.exe	28
PID 1676 wrote to memory of 2656	1676	ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9.exe	28
PID 1676 wrote to memory of 2656	1676	ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9.exe	28
PID 1676 wrote to memory of 2656	1676	ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9.exe	28
PID 1676 wrote to memory of 2656	1676	ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9.exe	28
PID 1676 wrote to memory of 2656	1676	ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9.exe	28
PID 1676 wrote to memory of 2656	1676	ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9.exe	28
PID 2656 wrote to memory of 2816	2656	JVSetup.exe	29
PID 2656 wrote to memory of 2816	2656	JVSetup.exe	29
PID 2656 wrote to memory of 2816	2656	JVSetup.exe	29
PID 2656 wrote to memory of 2816	2656	JVSetup.exe	29
PID 2656 wrote to memory of 2816	2656	JVSetup.exe	29
PID 2656 wrote to memory of 2816	2656	JVSetup.exe	29
PID 2656 wrote to memory of 2816	2656	JVSetup.exe	29
PID 2844 wrote to memory of 2964	2844	msiexec.exe	31
PID 2844 wrote to memory of 2964	2844	msiexec.exe	31
PID 2844 wrote to memory of 2964	2844	msiexec.exe	31
PID 2844 wrote to memory of 2964	2844	msiexec.exe	31
PID 2844 wrote to memory of 2964	2844	msiexec.exe	31
PID 2844 wrote to memory of 2964	2844	msiexec.exe	31
PID 2844 wrote to memory of 2964	2844	msiexec.exe	31

C:\Users\Admin\AppData\Local\Temp\ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9.exe
"C:\Users\Admin\AppData\Local\Temp\ee7104bcd2faaf2c6a466e52199463039ed73fb8de856e9b0d571915b74e15e9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JVSetup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JVSetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe /i"Microsoft Windows Journal Viewer.msi"
    3⤵
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2816

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C152560EB1C186E9C2DC24FC7DF43171 C
  2⤵
  - Loads dropped DLL
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JVSetup.exe

Filesize
35KB

MD5
0cfcb894c1c0ba2c6b9e57c7ca269e07

SHA1
0926790458f30a167e867fa6b7c9a3960511cf51

SHA256
e9540fa30ebcf6cbff7b1b438b48396604e3fbd03e089265ca513128275146d4

SHA512
22b9e880d8dac8d5845437739ebdb654314734ed38bb44a9b1aebaf7adfd5981239b29803b4b0ec54fe481649ff3941603513a652337f16c006d9e57b7f8c682

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JVSetup.exe

Filesize
35KB

MD5
0cfcb894c1c0ba2c6b9e57c7ca269e07

SHA1
0926790458f30a167e867fa6b7c9a3960511cf51

SHA256
e9540fa30ebcf6cbff7b1b438b48396604e3fbd03e089265ca513128275146d4

SHA512
22b9e880d8dac8d5845437739ebdb654314734ed38bb44a9b1aebaf7adfd5981239b29803b4b0ec54fe481649ff3941603513a652337f16c006d9e57b7f8c682

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Microsoft Windows Journal Viewer.msi

Filesize
5.6MB

MD5
5ed4cecfa302f336c4ea93272dff1fdb

SHA1
45743995a209d8f9721d59ce0bd5d16093c3a392

SHA256
53dd92c4af84f961568e3499d68b3429ba9c40649afc1aa3f88971b52c29c802

SHA512
220bbd207dbd9b3a2c2cc301869ff50fb5af7d8240cb9e96282b1a88af335cc124c69e10eed78abdef559c4f1119a48e646d95e57f77ad3ad9b1eb3798c877e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI391A.tmp

Filesize
16KB

MD5
81e2bdf1be54b13aea5b26a995d26f4f

SHA1
245f568cc208d64d56f6bfc2951ffad8e59e7f1f

SHA256
19ce6a6e6ab7d331a612950963bae2ee4e65bc66398aea74423edda4d0f748be

SHA512
e6c0cb965e3307bcf0e5b00c46873062bbffa8bdf8dcd707512504f8e15ff39e38666169dde3c463a467a00bde7029c8229b2a253a06c01b416fce08b17b20dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\JVSetup.exe

Filesize
35KB

MD5
0cfcb894c1c0ba2c6b9e57c7ca269e07

SHA1
0926790458f30a167e867fa6b7c9a3960511cf51

SHA256
e9540fa30ebcf6cbff7b1b438b48396604e3fbd03e089265ca513128275146d4

SHA512
22b9e880d8dac8d5845437739ebdb654314734ed38bb44a9b1aebaf7adfd5981239b29803b4b0ec54fe481649ff3941603513a652337f16c006d9e57b7f8c682

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\JVSetup.exe

Filesize
35KB

MD5
0cfcb894c1c0ba2c6b9e57c7ca269e07

SHA1
0926790458f30a167e867fa6b7c9a3960511cf51

SHA256
e9540fa30ebcf6cbff7b1b438b48396604e3fbd03e089265ca513128275146d4

SHA512
22b9e880d8dac8d5845437739ebdb654314734ed38bb44a9b1aebaf7adfd5981239b29803b4b0ec54fe481649ff3941603513a652337f16c006d9e57b7f8c682

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\JVSetup.exe

Filesize
35KB

MD5
0cfcb894c1c0ba2c6b9e57c7ca269e07

SHA1
0926790458f30a167e867fa6b7c9a3960511cf51

SHA256
e9540fa30ebcf6cbff7b1b438b48396604e3fbd03e089265ca513128275146d4

SHA512
22b9e880d8dac8d5845437739ebdb654314734ed38bb44a9b1aebaf7adfd5981239b29803b4b0ec54fe481649ff3941603513a652337f16c006d9e57b7f8c682

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\JVSetup.exe

Filesize
35KB

MD5
0cfcb894c1c0ba2c6b9e57c7ca269e07

SHA1
0926790458f30a167e867fa6b7c9a3960511cf51

SHA256
e9540fa30ebcf6cbff7b1b438b48396604e3fbd03e089265ca513128275146d4

SHA512
22b9e880d8dac8d5845437739ebdb654314734ed38bb44a9b1aebaf7adfd5981239b29803b4b0ec54fe481649ff3941603513a652337f16c006d9e57b7f8c682

Download Submit
\Users\Admin\AppData\Local\Temp\MSI391A.tmp

Filesize
16KB

MD5
81e2bdf1be54b13aea5b26a995d26f4f

SHA1
245f568cc208d64d56f6bfc2951ffad8e59e7f1f

SHA256
19ce6a6e6ab7d331a612950963bae2ee4e65bc66398aea74423edda4d0f748be

SHA512
e6c0cb965e3307bcf0e5b00c46873062bbffa8bdf8dcd707512504f8e15ff39e38666169dde3c463a467a00bde7029c8229b2a253a06c01b416fce08b17b20dd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads