f797154f434619a0ebe9042c3332cdf888db2e97da4c689421c2c606e2ad4c94

Analysis

max time kernel
155s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bleachhack-1.16.5.jar
Size

1.3MB
MD5

af504def848ecf37f7f43d74f2b5cd74
SHA1

45bac4bba872b659e44a6f399c72cb5acad024f1
SHA256

f797154f434619a0ebe9042c3332cdf888db2e97da4c689421c2c606e2ad4c94
SHA512

227c2e265a99a72fc26bd0f9bfdf30ecb2f49f2cbeca44875032502295afa304e6130973910ee2686ed8970c5d3f904b1c0b02b25ccad5d55561958772a300d8
SSDEEP

24576:btOULck6iV0hCIklCZyS/IsVGJMFCa/8ORsVh0yR0goM:gTayCFCZyS/H1Ca/8zjR0ZM

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4144	msedge.exe
4144	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	taskmgr.exe
Token: SeSystemProfilePrivilege	4376	taskmgr.exe
Token: SeCreateGlobalPrivilege	4376	taskmgr.exe
Token: 33	4376	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4376	taskmgr.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe
4376	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 420	2140	msedge.exe	123
PID 2140 wrote to memory of 420	2140	msedge.exe	123
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4932	2140	msedge.exe	124
PID 2140 wrote to memory of 4144	2140	msedge.exe	125
PID 2140 wrote to memory of 4144	2140	msedge.exe	125
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126
PID 2140 wrote to memory of 764	2140	msedge.exe	126

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\bleachhack-1.16.5.jar
1⤵
PID:3264

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4f38ba57h9ddeh4275hb306hf3fd97aa9242
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc6ee746f8,0x7ffc6ee74708,0x7ffc6ee74718
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,7820697660234094431,4116857935976622006,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,7820697660234094431,4116857935976622006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,7820697660234094431,4116857935976622006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4cb6e34a003daed93a07aaaaa8ff78f7

SHA1
cd53d43da5fe948998b3b54bf37277b38e2401e4

SHA256
12751ee305152c655906ba0bcfec8ac5808e5640cc3c21451e1a6cf0518fd9d5

SHA512
9364b69a4d28675c49390ad7a2c823cd260b21b9e929d525a6b42d8ead3e549bdfb1a225476a2e2580043ed817dce39b44c5ab58c21f20ff4b53851b3457b098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
9dc2f45a03e36b7afe934b8fafa3a9c6

SHA1
679bf4ba234ca8cf207fa5c42591c85395b2e171

SHA256
1b02f5b849af6b6086c52b8dbc26e4bed663bfcaa15146a66752462ba52cfbbe

SHA512
4afd5fa1fea28bbbaf68de404b67a572eb6c77977f5e25e62ee9efb27c7f20edbbdb69e53ddec2a50851180a82e1466ee2cd5cf2dc4496f46ba9e04f4bada913

Download Submit
memory/3264-3-0x0000025712AE0000-0x0000025713AE0000-memory.dmp

Filesize
16.0MB

Download
memory/3264-2-0x0000025712AE0000-0x0000025713AE0000-memory.dmp

Filesize
16.0MB

Download
memory/4376-6-0x0000025CCFAC0000-0x0000025CCFAC1000-memory.dmp

Filesize
4KB

Download
memory/4376-12-0x0000025CCFAC0000-0x0000025CCFAC1000-memory.dmp

Filesize
4KB

Download
memory/4376-14-0x0000025CCFAC0000-0x0000025CCFAC1000-memory.dmp

Filesize
4KB

Download
memory/4376-16-0x0000025CCFAC0000-0x0000025CCFAC1000-memory.dmp

Filesize
4KB

Download
memory/4376-15-0x0000025CCFAC0000-0x0000025CCFAC1000-memory.dmp

Filesize
4KB

Download
memory/4376-13-0x0000025CCFAC0000-0x0000025CCFAC1000-memory.dmp

Filesize
4KB

Download
memory/4376-10-0x0000025CCFAC0000-0x0000025CCFAC1000-memory.dmp

Filesize
4KB

Download
memory/4376-11-0x0000025CCFAC0000-0x0000025CCFAC1000-memory.dmp

Filesize
4KB

Download
memory/4376-4-0x0000025CCFAC0000-0x0000025CCFAC1000-memory.dmp

Filesize
4KB

Download
memory/4376-5-0x0000025CCFAC0000-0x0000025CCFAC1000-memory.dmp

Filesize
4KB

Download