58bc85b2306a383a333e8ae4013e0e4b0fbdb7b02e5ec5abbcab202fad149e6c

Analysis

max time kernel
88s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
03/02/2024, 10:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Size

115.7MB
MD5

ebfd2b52da54a56fde06a8928866933c
SHA1

56bd4a9745d1dee5c9766c132e4d25213d08ffde
SHA256

b029e9f7f288635ac3869363bc4e29240b2413327503c5bfdb68d318e6bc05b5
SHA512

daf53ab7876f3185b9e5c318d7b6679f57e13e92e7cbd0aba34f885afd357beab524cbc054dc1705998295c76a79a5d0df93f5fcd7c577566f41a00552b6852d
SSDEEP

3145728:3e97CoHsll/HmVdszIXaB0OMZDpkE+X+rIsmT4lqXl:u1MT/Hc6zIX1rDCaM9Xl

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\O:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\R:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\X:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\U:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\S:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\M:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\Q:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\W:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\H:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\V:	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Loads dropped DLL 8 IoCs

pid	Process
3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
1092	MsiExec.exe
420	MsiExec.exe
420	MsiExec.exe
420	MsiExec.exe
420	MsiExec.exe
420	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	404	msiexec.exe
Token: SeCreateTokenPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeAssignPrimaryTokenPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeLockMemoryPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeIncreaseQuotaPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeMachineAccountPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeTcbPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeSecurityPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeTakeOwnershipPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeLoadDriverPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeSystemProfilePrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeSystemtimePrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeProfSingleProcessPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeIncBasePriorityPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeCreatePagefilePrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeCreatePermanentPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeBackupPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeRestorePrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeShutdownPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeDebugPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeAuditPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeSystemEnvironmentPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeChangeNotifyPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeRemoteShutdownPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeUndockPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeSyncAgentPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeEnableDelegationPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeManageVolumePrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeImpersonatePrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeCreateGlobalPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeCreateTokenPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeAssignPrimaryTokenPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeLockMemoryPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeIncreaseQuotaPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeMachineAccountPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeTcbPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeSecurityPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeTakeOwnershipPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeLoadDriverPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeSystemProfilePrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeSystemtimePrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeProfSingleProcessPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeIncBasePriorityPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeCreatePagefilePrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeCreatePermanentPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeBackupPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeRestorePrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeShutdownPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeDebugPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeAuditPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeSystemEnvironmentPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeChangeNotifyPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeRemoteShutdownPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeUndockPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeSyncAgentPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeEnableDelegationPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeManageVolumePrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeImpersonatePrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeCreateGlobalPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeCreateTokenPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeAssignPrimaryTokenPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeLockMemoryPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeIncreaseQuotaPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
Token: SeMachineAccountPrivilege	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
1596	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 1092	404	msiexec.exe	83
PID 404 wrote to memory of 1092	404	msiexec.exe	83
PID 404 wrote to memory of 1092	404	msiexec.exe	83
PID 3240 wrote to memory of 1596	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe	84
PID 3240 wrote to memory of 1596	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe	84
PID 3240 wrote to memory of 1596	3240	AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe	84
PID 404 wrote to memory of 420	404	msiexec.exe	85
PID 404 wrote to memory of 420	404	msiexec.exe	85
PID 404 wrote to memory of 420	404	msiexec.exe	85

C:\Users\Admin\AppData\Local\Temp\AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe
"C:\Users\Admin\AppData\Local\Temp\AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe"
1⤵
- Enumerates connected drives
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\HotSpot\Stream Dock AJAZZ Global 2.9.174\install\Stream-Dock-AJAZZ-Installer_Windows_global.msi" TRANSFORMS=:1033 AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\AJAZZ_AKP153E_ 单模键盘驱动_V1.174版(Win_国际版).exe" SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates "
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:1596

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AFD24E2638F9CA8BFA9C8CECE8FBB921 C
  2⤵
  - Loads dropped DLL
  PID:1092
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B6AFD4938374744D4CA406991B8AF92B C
  2⤵
  - Loads dropped DLL
  PID:420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AIE7CE1.tmp

Filesize
422KB

MD5
a6da2ed076e335104f66cab79a30d694

SHA1
118c93c083581b2230c7371650e06e2ed0873cfd

SHA256
0971abe84585eadfafd473759944ab6daeee1400f4b38ffb4c5b675bd638810a

SHA512
5d2916631b113058d7cfa09f5448e876e559b2271ecb221a5de03e3cce2a82c8378899664d8c8081b8ce8ef7004f589c973fc4501685f79f490d23e892360d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIE7CE1.tmp

Filesize
601KB

MD5
30e9f207a4fb4119cc55cb1b6677b26c

SHA1
b1b22e5a7945f143c18161f757cacdaec597c376

SHA256
e757eaffd99808ceed15ecad1a0af362bb7127ce9a7cb37f958849340b54c8e0

SHA512
13a66b1fb0ba3c3a12aec88e5c1d0f30068e7124d1f74d28b1e551f105c92920c51ac2afcc1bfc18f487cc4a5d4c3119e3c13823cf219c6acdf975b049f29321

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7DFC.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Roaming\HotSpot\Stream Dock AJAZZ Global 2.9.174\install\1033.dll

Filesize
105KB

MD5
87422755c2541e1cee4cd836ff3bbf4b

SHA1
634c5f44034345c3b30a860ba86d8bbd536994e0

SHA256
da91bf835236f54923d6556608b9456ac0f1f89ce1a2ef412cdd3e62f6c62309

SHA512
191c5b7242aab4ca9f0118b88e0b6fe68609bc7ce15a20b3893352f1315a64d9e0f40417d8d6aadd119cb61377c99c24dd18d7b708bbf5e3df6a04b66065041f

Download Submit
C:\Users\Admin\AppData\Roaming\HotSpot\Stream Dock AJAZZ Global 2.9.174\install\Stream-Dock-AJAZZ-Installer_Windows_global.msi

Filesize
1.0MB

MD5
e251eb70063d2ed6367bfc3bba032012

SHA1
cf5273bdf464f67ce4b47a82b2c62a192d3a2780

SHA256
819ef3ea7e179a2792f651f221e94faa37c3b02a7428d0d81e04090399aca416

SHA512
a94004fbc12b563f1b50a32db7cd69adeec43075539ab7878a89e77767c136e5027af89b9aede2691020e1b858c9d5064acb89e4b64e3bd4ceac7c40ca154712

Download Submit