e52a8d0337bae656b01cb76c03975ac3d75ac4984c028ba2a6531396dea6dddd

Analysis

max time kernel
152s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jre-8u401-windows-x64.exe
Size

64.4MB
MD5

af1d24091758f1e02d51dc5f5297c932
SHA1

dc3f98dded6c1f1e363db6752c512e01ac9433f3
SHA256

e52a8d0337bae656b01cb76c03975ac3d75ac4984c028ba2a6531396dea6dddd
SHA512

8d4264a6b17f7bbfd533b11ec30d7754a960a9f2fbef10c9977b620051c5538d8eb6080ea78e070904c7c52a6ce998736fad2037f6389ad4c5c0ce3f1d09e756
SSDEEP

1572864:v7p5VFBCjL4FwlRN2Adn3aQrJlPVYIcBO7:vGTW63aEiIcBS

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	2028	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA53D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7EE.tmp	msiexec.exe
File created	C:\Windows\Installer\f787514.ipi	msiexec.exe
File created	C:\Windows\Installer\f787511.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f787511.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA666.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA722.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAAAE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABC8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2BB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA3B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9B3.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2568	jre-8u401-windows-x64.exe

Loads dropped DLL 12 IoCs

pid	Process
2688	jre-8u401-windows-x64.exe
1412	Process not Found
2552	MsiExec.exe
2552	MsiExec.exe
2552	MsiExec.exe
2552	MsiExec.exe
2552	MsiExec.exe
2552	MsiExec.exe
2552	MsiExec.exe
2552	MsiExec.exe
2552	MsiExec.exe
2552	MsiExec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	jre-8u401-windows-x64.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	jre-8u401-windows-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	jre-8u401-windows-x64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	msiexec.exe
2028	msiexec.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeSecurityPrivilege	2028	msiexec.exe
Token: SeCreateTokenPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeAssignPrimaryTokenPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeLockMemoryPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeIncreaseQuotaPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeMachineAccountPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeTcbPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeSecurityPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeTakeOwnershipPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeLoadDriverPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeSystemProfilePrivilege	2568	jre-8u401-windows-x64.exe
Token: SeSystemtimePrivilege	2568	jre-8u401-windows-x64.exe
Token: SeProfSingleProcessPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeIncBasePriorityPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeCreatePagefilePrivilege	2568	jre-8u401-windows-x64.exe
Token: SeCreatePermanentPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeBackupPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeRestorePrivilege	2568	jre-8u401-windows-x64.exe
Token: SeShutdownPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeDebugPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeAuditPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeSystemEnvironmentPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeChangeNotifyPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeRemoteShutdownPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeUndockPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeSyncAgentPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeEnableDelegationPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeManageVolumePrivilege	2568	jre-8u401-windows-x64.exe
Token: SeImpersonatePrivilege	2568	jre-8u401-windows-x64.exe
Token: SeCreateGlobalPrivilege	2568	jre-8u401-windows-x64.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2568	jre-8u401-windows-x64.exe
2568	jre-8u401-windows-x64.exe
2568	jre-8u401-windows-x64.exe
2568	jre-8u401-windows-x64.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2568	2688	jre-8u401-windows-x64.exe	28
PID 2688 wrote to memory of 2568	2688	jre-8u401-windows-x64.exe	28
PID 2688 wrote to memory of 2568	2688	jre-8u401-windows-x64.exe	28
PID 2028 wrote to memory of 2552	2028	msiexec.exe	37
PID 2028 wrote to memory of 2552	2028	msiexec.exe	37
PID 2028 wrote to memory of 2552	2028	msiexec.exe	37
PID 2028 wrote to memory of 2552	2028	msiexec.exe	37
PID 2028 wrote to memory of 2552	2028	msiexec.exe	37

C:\Users\Admin\AppData\Local\Temp\jre-8u401-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jre-8u401-windows-x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\jds259419039.tmp\jre-8u401-windows-x64.exe
  "C:\Users\Admin\AppData\Local\Temp\jds259419039.tmp\jre-8u401-windows-x64.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2568

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2720

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 9938CFDB4E8639C9C4D9B600D722E949
  2⤵
  - Loads dropped DLL
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8926c3ee9214ce6cd2e645963c9c9da

SHA1
79707fbe9fcab3dc0a4b8ba7e3f9f1fd973928d8

SHA256
db9fc2dce88ab403492030bfca6ddbf9e6c937e40e2a97569203afa744e6bb8d

SHA512
68e74d208f2be930c045a811bf59e042ca8571b806b425787875f1536d56ca5120a5e9a172570b9e7c156ba6c7e61bbe8202966ac6b838009b8f106cdd9910b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_401_x64\jre1.8.0_40164.msi

Filesize
17.9MB

MD5
ec666ee81e9d8faa518451cab530e28d

SHA1
1094cfc15f25c4bd4f299aa8fb5563a70d378d37

SHA256
438852376f4852b8ef5029b9b0978f57a519b5e6011d9c7b9ebb7a9ccb2bd57d

SHA512
d85d4a3ccb4982c3fc254ae90a9102b5565e82a06c30740663fa376d6493c9e7f0b4fa286c6f1039872008f7200f06dd3a241ba7b4c2f0c9eb1003bcaab81da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8363.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar94F2.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259419039.tmp\jre-8u401-windows-x64.exe

Filesize
21.6MB

MD5
a7478b28b57a6512a65718d494267068

SHA1
12fc1f9a9084f9828997e139c3b1f9c683c42f5d

SHA256
ad8fec1e079d08872433d33685f12d25125a9b00b9890f5fcb82c0279e4a11eb

SHA512
5d380bf9ff40401aef5644b541a9f3b7ae5887aefc392145a8bf95ab60455c8a557a8761f56ea466a60ee8c53e13e994fa73d83fd6b43a62d36b5a0d5ea05e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds259419039.tmp\jre-8u401-windows-x64.exe

Filesize
17.5MB

MD5
7afc908ae434d93a8f132808586ae3eb

SHA1
d64d7b27d8b0000e658f5cd9e112a23541cb6e8e

SHA256
4e57aea1aa9451da4afef951b28dbfc301de71372b84c91a4723e3e7474984e2

SHA512
540116113c6fd770ff62266b9b59dfd71e4b79ccbd2e93f3ed094da871a10a7bdd6d3739b1ed1b97128874fb8e2847573a3353ff53a072fa6845eca4141db3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
3KB

MD5
f8dc4addcc080733065b7a38bac858ad

SHA1
fb0ef9d4bd0a4a31abeaa3c0f6cc856a2272d646

SHA256
5af8b98f5824a53ccc059c892aac99969d8ce649dbbfd37410e4d6799ca3dec7

SHA512
573bf4fd546f95e8dd3b73a3e61260de14ce2d80ecccb8b3b4bd2cd9a0198802f778832f1b59f01ff9debce76a4280876874e4dc3ce2c35ae9a88f74b8680004

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
25KB

MD5
bfeef85ba3c17cccf880b115a3206c8c

SHA1
eb1ff86799f4b65586879e125d8d523440754aa6

SHA256
6bc41af82d61036a2c07b6176670cd6cada7325417eff67d82818ceb31daff60

SHA512
2ba64d37c7a57282aab15b76daad47c523cb8f38d9a99653826538376cc99ae54749390cf45de6fa85f5e232fe8a1d8454a5ff5708fc3fc12b745a92cffd7931

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
5KB

MD5
fee89daf64e21f486a12bc4ec88ac101

SHA1
20da6c2fc24fdf9473321eb105db443f3f059b2f

SHA256
09870510a1b9dbc455e8255b374ccbca9085c6a4346e57b2cfeaa424a9896750

SHA512
77bb850e7ded8474818782a7044d2ccc1451124fceb92f2096229d41bdba729405cae18793601c83ff323bc78bcf706f2f46b489a795953634587d00d18d9bdf

Download Submit
C:\Windows\Installer\MSIA2BB.tmp

Filesize
953KB

MD5
64a261a6056e5d2396e3eb6651134bee

SHA1
32a34baf051b514f12b3e3733f70e608083500f9

SHA256
15c1007015be7356e422050ed6fa39ba836d0dd7fbf1aa7d2b823e6754c442a0

SHA512
d3f95e0c8b5d76b10b61b0ef1453f8d90af90f97848cad3cb22f73878a3c48ea0132ecc300bfb79d2801500d5390e5962fb86a853695d4f661b9ea9aae6b8be8

Download Submit
\Users\Admin\AppData\Local\Temp\jds259419039.tmp\jre-8u401-windows-x64.exe

Filesize
14.4MB

MD5
2a964d4384fafd82f119e53a2953e38a

SHA1
15e72d98740ec15304e42b416961293be495da45

SHA256
421833fbfae98d651d156c88c692346e8a79035f8f1944ae8e829b48637987ec

SHA512
c8723bbcd004e90300e8106b38bc362e4daddd06c11554ee54ce7b692887ed49e0129cc2103819d1a015087ef5eb87a3d463f8ee430dfa46b7cc97827c2d3f58

Download Submit
\Users\Admin\AppData\Local\Temp\jds259419039.tmp\jre-8u401-windows-x64.exe

Filesize
156KB

MD5
6abd528d61eae703b55171e771c0f438

SHA1
d42b03986d78d55995bd38b5a3a7e35ff4376eb3

SHA256
934c79a9f9ce16993e08eada342bfd5e02dfa861fe020688a6c1a8831d00b02a

SHA512
1fea7ac52c5ecb14c606ef42062052e29052fa4334a2c77cf0f3eb15831aeac0cf969b1d7a93066043251e5d62d29bc1431414646347c80dbd348e0f3d341fc9

Download Submit
\Windows\Installer\MSIB4DD.tmp

Filesize
935KB

MD5
e38a4eaf80c6649703fd4daff808b94b

SHA1
d530c7ed5257392dcfc8796ea8ed7bfa1b5a8d89

SHA256
66b899d23fbe4ed0af45454d9e57cad84fada0d6c940e358b07c535bdfad17a9

SHA512
bfa850723f8aa0b8c01030b79835196ee87af168447dd06912f79f0b7f30a12640991cd529d7be1b7d969e11fb3f71917b087109f4075f3428bc634cd8f50d3f

Download Submit