71d4b153af014ac81576fb91bb97ef6c4640f0486f98c2e4c9bb15b87fb9df58

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JavaSetup8u391.exe
Size

2.2MB
MD5

029ae246a9b5fd436a1b979e5f4aa54f
SHA1

4ab915f93bc2ea46eda2fcfbf037b956099ada45
SHA256

71d4b153af014ac81576fb91bb97ef6c4640f0486f98c2e4c9bb15b87fb9df58
SHA512

6c3140c1d8dca2be8ad8eb6360318a8cef78e4f31fbee635f0870e0d2bb0f1679948da3b98af1282fe8d586f9f7c3d3a82016f522a1d1447b1e59158146caf31
SSDEEP

49152:XKU/ESvdaU+c0/IVes7kJXBjYOMjUfkptVxOdxiyh:XKU/xvzg/IVeMjUu5C

Score

6^/10

adware persistence stealer

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	rundll32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Tell_City	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\COPYRIGHT	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Ushuaia	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jsdt.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\libxml2.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\localedata.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\jmxremote.access	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Matamoros	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dt_shmem.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuching	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-11	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Eirunepe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cuiaba	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Seoul	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\java.security	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\javafx.policy	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yellowknife	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Colombo	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yerevan	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-4	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kcms.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Araguaina	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\La_Rioja	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Baku	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Currie	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Mazatlan	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jli.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Accra	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\currency.data	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Eucla	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\net.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belem	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.bfc	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfxrt.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIBC51.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f769e73.ipi	msiexec.exe
File created	C:\Windows\Installer\f769e73.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA341.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA352.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB27.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB56.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1732	JavaSetup8u391.exe
2824	MSIBB56.tmp

Loads dropped DLL 11 IoCs

pid	Process
1948	JavaSetup8u391.exe
884	MsiExec.exe
884	MsiExec.exe
1252	msiexec.exe
884	MsiExec.exe
984	rundll32.exe
984	rundll32.exe
984	rundll32.exe
984	rundll32.exe
984	rundll32.exe
984	rundll32.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0032-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0066-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0054-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0050-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0070-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0027-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0070-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "19"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	JavaSetup8u391.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0019-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0032-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0045-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0045-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0076-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0048-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0092-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0065-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0050-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled\CurVer\ = "JavaWebStart.isInstalled.1.7.0.0"	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0040-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	JavaSetup8u391.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	JavaSetup8u391.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2824	MSIBB56.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1732	JavaSetup8u391.exe
Token: SeIncreaseQuotaPrivilege	1732	JavaSetup8u391.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeSecurityPrivilege	1252	msiexec.exe
Token: SeCreateTokenPrivilege	1732	JavaSetup8u391.exe
Token: SeAssignPrimaryTokenPrivilege	1732	JavaSetup8u391.exe
Token: SeLockMemoryPrivilege	1732	JavaSetup8u391.exe
Token: SeIncreaseQuotaPrivilege	1732	JavaSetup8u391.exe
Token: SeMachineAccountPrivilege	1732	JavaSetup8u391.exe
Token: SeTcbPrivilege	1732	JavaSetup8u391.exe
Token: SeSecurityPrivilege	1732	JavaSetup8u391.exe
Token: SeTakeOwnershipPrivilege	1732	JavaSetup8u391.exe
Token: SeLoadDriverPrivilege	1732	JavaSetup8u391.exe
Token: SeSystemProfilePrivilege	1732	JavaSetup8u391.exe
Token: SeSystemtimePrivilege	1732	JavaSetup8u391.exe
Token: SeProfSingleProcessPrivilege	1732	JavaSetup8u391.exe
Token: SeIncBasePriorityPrivilege	1732	JavaSetup8u391.exe
Token: SeCreatePagefilePrivilege	1732	JavaSetup8u391.exe
Token: SeCreatePermanentPrivilege	1732	JavaSetup8u391.exe
Token: SeBackupPrivilege	1732	JavaSetup8u391.exe
Token: SeRestorePrivilege	1732	JavaSetup8u391.exe
Token: SeShutdownPrivilege	1732	JavaSetup8u391.exe
Token: SeDebugPrivilege	1732	JavaSetup8u391.exe
Token: SeAuditPrivilege	1732	JavaSetup8u391.exe
Token: SeSystemEnvironmentPrivilege	1732	JavaSetup8u391.exe
Token: SeChangeNotifyPrivilege	1732	JavaSetup8u391.exe
Token: SeRemoteShutdownPrivilege	1732	JavaSetup8u391.exe
Token: SeUndockPrivilege	1732	JavaSetup8u391.exe
Token: SeSyncAgentPrivilege	1732	JavaSetup8u391.exe
Token: SeEnableDelegationPrivilege	1732	JavaSetup8u391.exe
Token: SeManageVolumePrivilege	1732	JavaSetup8u391.exe
Token: SeImpersonatePrivilege	1732	JavaSetup8u391.exe
Token: SeCreateGlobalPrivilege	1732	JavaSetup8u391.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeDebugPrivilege	2824	MSIBB56.tmp
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeBackupPrivilege	984	rundll32.exe
Token: SeRestorePrivilege	984	rundll32.exe
Token: SeBackupPrivilege	984	rundll32.exe
Token: SeRestorePrivilege	984	rundll32.exe
Token: SeBackupPrivilege	984	rundll32.exe
Token: SeRestorePrivilege	984	rundll32.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1732	JavaSetup8u391.exe
1732	JavaSetup8u391.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1732	1948	JavaSetup8u391.exe	28
PID 1948 wrote to memory of 1732	1948	JavaSetup8u391.exe	28
PID 1948 wrote to memory of 1732	1948	JavaSetup8u391.exe	28
PID 1948 wrote to memory of 1732	1948	JavaSetup8u391.exe	28
PID 1948 wrote to memory of 1732	1948	JavaSetup8u391.exe	28
PID 1948 wrote to memory of 1732	1948	JavaSetup8u391.exe	28
PID 1948 wrote to memory of 1732	1948	JavaSetup8u391.exe	28
PID 1252 wrote to memory of 884	1252	msiexec.exe	31
PID 1252 wrote to memory of 884	1252	msiexec.exe	31
PID 1252 wrote to memory of 884	1252	msiexec.exe	31
PID 1252 wrote to memory of 884	1252	msiexec.exe	31
PID 1252 wrote to memory of 884	1252	msiexec.exe	31
PID 1252 wrote to memory of 2824	1252	msiexec.exe	32
PID 1252 wrote to memory of 2824	1252	msiexec.exe	32
PID 1252 wrote to memory of 2824	1252	msiexec.exe	32
PID 1252 wrote to memory of 984	1252	msiexec.exe	33
PID 1252 wrote to memory of 984	1252	msiexec.exe	33
PID 1252 wrote to memory of 984	1252	msiexec.exe	33

C:\Users\Admin\AppData\Local\Temp\JavaSetup8u391.exe
"C:\Users\Admin\AppData\Local\Temp\JavaSetup8u391.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\jds259408961.tmp\JavaSetup8u391.exe
  "C:\Users\Admin\AppData\Local\Temp\jds259408961.tmp\JavaSetup8u391.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A58E512034A7C9FC7105DBD0BACFF31C
  2⤵
  - Loads dropped DLL
  PID:884
- C:\Windows\Installer\MSIBB56.tmp
  "C:\Windows\Installer\MSIBB56.tmp" C:\Program Files\Java\jre7\;C;2
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint
  2⤵
  - Installs/modifies Browser Helper Object
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f769e74.rbs

Filesize
113KB

MD5
630f6bc79faa23ed0149efbf4f534ebe

SHA1
6f5ad8f7abbf3170c023062a0de682b99c42a63e

SHA256
8aacc1bd89e45336fc424cab4b12deb87b6318272ade85c9bdf96df563e5992b

SHA512
0c9c78e73e9cb31c3cf19e75377a4654fc7dd0dc69e05b649c17374309a85e205d09f8ca8172306d0841b4525c01b845880182f3803a37b0441fe94c4d549b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A89I98IL\layout[1]

Filesize
2KB

MD5
cc86b13a186fa96dfc6480a8024d2275

SHA1
d892a7f06dc12a0f2996cc094e0730fe14caf51a

SHA256
fab91ced243da62ec1d938503fa989462374df470be38707fbf59f73715af058

SHA512
0e3e4c9755aa8377e00fc9998faab0cd839dfa9f88ce4f4a46d8b5aaf7a33e59e26dbf55e9e7d1f8ef325d43302c68c44216adb565913d30818c159a182120fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A89I98IL\masthead_left[1]

Filesize
4KB

MD5
b663555027df2f807752987f002e52e7

SHA1
aef83d89f9c712a1cbf6f1cd98869822b73d08a6

SHA256
0ce32c034dfb7a635a7f6e8152666def16d860b6c631369013a0f34af9d17879

SHA512
b104ed3327fed172501c5aa990357b44e3b31bb75373fb8a4ea6470ee6a72e345c9dc4bcf46a1983c81adb567979e6e8e6517d943eb204c3f7fac559cd17c451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A89I98IL\runtime[1]

Filesize
42KB

MD5
487b524601bf1f83bcc16920073ab077

SHA1
6b8592fcca51fc35744cf9b46ff0ac3a84ade72a

SHA256
4d9b29f3b85d513e0bb441e3879f060dabaaea588b5eab20ed5585b212b2f8fc

SHA512
336f5c389b8bf1bb65806532a44ba947b9eb5f7aba413ed1129faef64d637caf609daeebef6ebdf6b115cd6048dcaa04b2f80f55bd4336409d7228ad7aeb310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E1CCB52I\common[1]

Filesize
1KB

MD5
f5bb484d82e7842a602337e34d11a8f6

SHA1
09ea1dee4b7c969771e97991c8f5826de637716f

SHA256
219108bfef63f97562c4532681b03675c9e698c5ae495205853dbcbfd93faf1a

SHA512
a23cc05b94842e1f3a53c2ea8a0b78061649e0a97fcd51c8673b2bcb6de80162c841e9fdde212d3dfd453933df2362dcb237fe629f802bafaa144e33ca78b978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E1CCB52I\l10n[1]

Filesize
4KB

MD5
1fd5111b757493a27e697d57b351bb56

SHA1
9ca81a74fa5c960f4e8b3ad8a0e1ec9f55237711

SHA256
85bbec802e8624e7081abeae4f30bd98d9a9df6574bd01fe5251047e8fdaf59f

SHA512
80f532e4671d685fa8360ef47a09efcb3342bcfcf929170275465f9800bfbfffc35728a1ba496d4c04a1fdefb2776af02262c3774f83fea289585a5296d560b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1J1BPYJ\rtutils[1]

Filesize
244B

MD5
c0a4cebb2c15be8262bf11de37606e07

SHA1
cafc2ccb797df31eecd3ae7abd396567de8e736d

SHA256
7da9aa32aa10b69f34b9d3602a3b8a15eb7c03957512714392f12458726ac5f1

SHA512
cc68f4bc22601430a77258c1d7e18d6366b6bf8f707d31933698b2008092ba5348c33fa8b03e18c4c707abf20ce3cbcb755226dc6489d2b19833809c98a11c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YV6H14B0\host[1]

Filesize
1KB

MD5
a752a4469ac0d91dd2cb1b766ba157de

SHA1
724ae6b6d6063306cc53b6ad07be6f88eaffbab3

SHA256
1e67043252582aea0e042f5a7be4a849b7cd01b133a489c3b2e67c10ade086f3

SHA512
abc2899705a23f15862acf3d407b700bb91c545722c02c7429745ab7f722507285c62614dcb87ea846f88fc0779345cb2e22dc3ad5f8113f6907821505be2c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YV6H14B0\masthead_fill[1]

Filesize
1KB

MD5
91a7b390315635f033459904671c196d

SHA1
b996e96492a01e1b26eb62c17212e19f22b865f3

SHA256
155d2a08198237a22ed23dbb6babbd87a0d4f96ffdc73e0119ab14e5dd3b7e00

SHA512
b3c8b6f86ecf45408ac6b6387ee2c1545115ba79771714c4dd4bbe98f41f7034eae0257ec43c880c2ee88c44e8fc48c775c5bb4fd48666a9a27a8f8ac6bcfdcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

Filesize
5KB

MD5
515c45d9da4c615f7aa931fe67941121

SHA1
71582470022487dc37cbcae8395bf9614ee8b365

SHA256
251c6dcbaff7129aba535ab84bba4e4828f2eacee8172d6b07acb4db2714c6c9

SHA512
587c416a401848ee7306a26c8a3100f778e71ccf1cbccdb04be9b405f85201120c2a1aac7551d6d119153d52b464eace7bf78fd4b0a81b8952700d30cb44f06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259408961.tmp\JavaSetup8u391.exe

Filesize
465KB

MD5
b73dd6c1eee05008ce0daec7ea39745b

SHA1
886627d9332dfed40d48839f6831b06ce4104afc

SHA256
fa0730b4cede7dce08135c4e27046675964fb92542e0e21768d081ffe71d3dd4

SHA512
b46631b122c463924c749f5145fdc9ca59e161a89015f8129fc1db6b8a27d6027676e0db74d540a6dcb17ad8ea4179e2c8d11774bb861aec4f4c9a7ccf0c6990

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
1KB

MD5
2fb2c17df27a18772b71acbfc26b6a4e

SHA1
e81bfabf1d4adc28c347521f247db0e73512aceb

SHA256
0c9deaaa316f1639817071cc75380eaf3f5a590bf80a8c9078e795efe23c1f14

SHA512
5389f06800397b22f4b1793262db09b6974b596f6d7529061fc3a2cf60324feae971e119f2987116ad3af60526b20ee3228aaab5655800714da6b5e51be6dcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
6KB

MD5
2eb11aa80e2668a8bc91aca7db2d29e2

SHA1
eb9832752a52bd03ba551bf19da303f9f521d138

SHA256
12ec0372877c3e90cfc4e1e303c8681096f9ce5333b6c5f56b36d769c77f18b2

SHA512
b8afe5f9ca1579a7c60b72402cfa10952dd1c0505263d2c61d458f65f830eb88090cd0e1719358589df8e03d4d9e1b46720b3abdb8cf7b3ebbd1d77f29529235

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
59KB

MD5
4b765558b6ab5a0fa00c941a4b961a5b

SHA1
6db6c29d6445a456fb0265663231ea2c8848acdb

SHA256
eccb1d3a7d7b782fd4e54cb3d9b91f536e7013636b041aee4f01d601b13a55f0

SHA512
bbbf973086d69e46dcbb7181a75a9e64b8d212ff0d7e021bd309d3fc2583e1acc51bfabbcf45cf230f83106eb093ad658365ba890594b9e12d9a848ce1eb966f

Download Submit
C:\Windows\Installer\MSIA352.tmp

Filesize
235KB

MD5
16cae7c3dce97c9ab1c1519383109141

SHA1
10e29384e2df609caea7a3ce9f63724b1c248479

SHA256
8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

SHA512
5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

Download Submit
\Program Files\Java\jre7\bin\deploy.dll

Filesize
481KB

MD5
2b652299b9967a6d7f9c321b04cd9c5b

SHA1
f26f9e22a1ba45fc5fd68b975889a1a637781056

SHA256
26b9a76128153429f3f5d668b134fe3c14b8b8430ae0e671191033bdda296097

SHA512
4e0bd2a70b6f82eb2ab80d5992d65455defb3b38021231e3d7cafa63e82634661bf9aa9eaee3b3e26d03c60fdc6666a59bdeee8c0bab0ef12740de6727366c2b

Download Submit
\Program Files\Java\jre7\bin\wsdetect.dll

Filesize
187KB

MD5
a06336b79db4da78f4af955e26f7c0c6

SHA1
3c24fb0f8bf38999ccffc75a0f5710878bc40fc1

SHA256
2d96fc7ddb77288f05b78340cf6ac85dd604a2e5d53d6fcb825eead1a9b008d8

SHA512
c664e9259db49075cedd933f64ab4247384a117c5be609958e440a44cf2bfba13a10ade36f7c8bcacdec063c3ca63b3c70c5392e5b7d2ea02fd5be06a62c180a

Download Submit
\Users\Admin\AppData\Local\Temp\jds259408961.tmp\JavaSetup8u391.exe

Filesize
1.9MB

MD5
75d9ccd961bf6a9a479da2ef26d81b3b

SHA1
920f6bf9ec385cab84de5339089946a787c44618

SHA256
eadeddda2ca9d88d666ce6614389cdba25f518132e8245c5454b98a09888d252

SHA512
3dcfef4cd2c43137977b56931d920b43e86985722e05079863457b5c2ddf433f04be074fc719256fec372932b9f9ab87e7930a0cc8208f322cd0896e18a2cca4

Download Submit
\Windows\Installer\MSIBB56.tmp

Filesize
309KB

MD5
8b285b5164ac3dbd6f6c97c81c77fb59

SHA1
2d846f00f4a1533d93d9f7fcf797cf406b7a79e5

SHA256
7c932b844dd505281a0eb1e3cb3c1b27be9ca47866655cc3bfd6ae660d4f6b2c

SHA512
2669938f68238a5e68accdd2c3f7dcdbafacd58e00418f32769bd452580e4a4fa0169b001652801ec3ec0ec67f093997a87f1bb80bd83c20cbf1145d3249e2b8

Download Submit