6c761b70176abe0a07d5316a7169151b7db03812eb87f2362948e8c50c57acc6

Resubmissions

23/04/2024, 05:15

240423-fxjecsde3z 7

21/04/2024, 15:04

240421-sfxlwadg83 7

21/04/2024, 14:07

240421-rfd9vsdd3x 7

21/04/2024, 13:57

240421-q9d1hsdc2x 7

Analysis

max time kernel
295s
max time network
302s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
21/04/2024, 13:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

strikepractice-3.9.0.jar
Size

3.1MB
MD5

1cbe165c8075f8dbe6e6a509b9ef6992
SHA1

f0a4015e8f97ee4df445b744bdc637377c203aed
SHA256

6c761b70176abe0a07d5316a7169151b7db03812eb87f2362948e8c50c57acc6
SHA512

3b2357f59e76d0644c68a683576e5a3a1d8e788bfd8f368288f7cce0fc06ad731c94e488e5b77f5296324942c9db3e5547b632c95bbac17a0bb1bddeba88869b
SSDEEP

49152:BMGHnTF5BSMT9VGsxhR7P2+Vw6ZuFt2ubo28LZJEdqNoLTYKxZcRqlFM0JS:HHTLR2SrZuFtHbJgJ1haaX

Score

7^/10

microsoft discovery phishing

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2676	icacls.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4452	msedge.exe
4452	msedge.exe
3680	msedge.exe
3680	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 2676	4072	java.exe	81
PID 4072 wrote to memory of 2676	4072	java.exe	81
PID 3680 wrote to memory of 4128	3680	msedge.exe	105
PID 3680 wrote to memory of 4128	3680	msedge.exe	105
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 2964	3680	msedge.exe	106
PID 3680 wrote to memory of 4452	3680	msedge.exe	107
PID 3680 wrote to memory of 4452	3680	msedge.exe	107
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108
PID 3680 wrote to memory of 360	3680	msedge.exe	108

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\strikepractice-3.9.0.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4732

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1112

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=2157517
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff906db3cb8,0x7ff906db3cc8,0x7ff906db3cd8
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,9036153245190148530,17790708585461009724,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,9036153245190148530,17790708585461009724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,9036153245190148530,17790708585461009724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9036153245190148530,17790708585461009724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9036153245190148530,17790708585461009724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,9036153245190148530,17790708585461009724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2004,9036153245190148530,17790708585461009724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
bfab0811125b00e261ed1b8e638ae7a5

SHA1
8ce29bc88eaecac052c8c032aba5c2aa17bdc2a1

SHA256
b3152bebc203211fb15115bd4e06b5c35634198824324680cf9c899cd17741ca

SHA512
6efe10b58516e4fc6a1a460cbe0960a3372c18391b462ea94522c8daed86c200a76705b7c6b145328af7f6a9f0c623ac5d1a0b06166c57858e292a5773328d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f3f6e86c8b7bdc605f5559df800bfd34

SHA1
862d05bfba760ae8adcbb509216dc18ead59a6b2

SHA256
5dfe9be21d4916615025055f1a70151362bdb404b40f074685e39b33ad545a78

SHA512
de576ebf0cbe1c5e7639c42517253796cf4b5770298271ac2e6958404998f2d6b8e3378a535f2f316f4020fd8e60b5cc9c1b6b5171d307ca3215afe8ac47a7c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1a9c7fa806c60a3c2ed8a7829b1461f

SHA1
376cafc1b1b6b2a70cd56455124554c21b25c683

SHA256
1eb39b1409ce78188c133089bf3660393ac043b5baade7ff322df5a0ca95380b

SHA512
e1cb2f84b5cbd86b107c0a9ec0356ab65a54c91208f9f8e83fec64bf17ae89356a09b0cd39d2726424f4041d7b25b962c23672b8645c2e10f11ff4d2075f4afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
8f6607771e4a37de7d6fe7050e835750

SHA1
77d3143261706b8751205fd224c84ae440934610

SHA256
b4ee9eac074f0bcb595ea394bb61c52b95fc940eb6faa0e125cb719a8fae8b8b

SHA512
6ad670ef61814a336490f62105a8afe35454b4eccb35af06bae73820c9dc4d3abace00ac08a1debb079a0c3aac092e08504f483c45488f4ac5df3da729833423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
189B

MD5
5e1f9068447613da1cf1cef1ac1ecd24

SHA1
96a471227975a7987934c420f6c0cf3a8457302f

SHA256
e018c545680b0da8a04b069210dffb60f4a21c19dfbaa8ad1dda4e64acedc35d

SHA512
764d9814b388d8cbaa1892843e951b3717bdfcfbd88be4e881f0694eb96fc6a9a4c77fab9204f42e70142b58dc9cbc55c2d208e704ae0473a7f65175fc611ee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af512f911ffa411214d041934cf812c2

SHA1
29a82b493c182962fae153b035a1adec57d25fd0

SHA256
21d263f361462b0b4c6acfe13e265b9e07689ee93aa67ec5a3a931d31f26d1d3

SHA512
8d4e33a5eec0cbdd12210c827ea4037ffc8d535c6ae693a36e89a2361e47581d99895c4ea0d19bcdcd311aad82977be698ee75528f763e9f2181eb03bd6f1dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
41ba7a66a8c9855022199e3d44d489b5

SHA1
312c8f744f56dec6d0fcc28f5003d8e9b3487e6c

SHA256
63c615de0235706ff7ffcea0deb40710c496ac690ac3c93fda423f619ba65f77

SHA512
da8826ef1502408d746d8b5b9ec34ffc44fa62c17a7d769dfe35e1a90a36a765bddd780b0c5b4adc8eaf98479fc8a6613ce0272bbe11066509f3451680900e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d419cf7a404186eca21c69212d1e1cf5

SHA1
10e3e08d06fa3c1d26ba324eb184d9ebeb6011e1

SHA256
52c165845e2256a6ccaa5429ead9e6d15bf3718397cd1b44227720cc8102480d

SHA512
d5b634329f6d4a65e2218f9f6910dedcc1be049861ee9a8d53d76ca542b3ab8e37c8baaa1d0adfd9c4e47ba4533f822cfe7fefb77df0cc274d31b219ebe6f60b

Download Submit
memory/4072-4-0x000001D12F920000-0x000001D130920000-memory.dmp

Filesize
16.0MB

Download
memory/4072-11-0x000001D12E040000-0x000001D12E041000-memory.dmp

Filesize
4KB

Download
memory/4072-13-0x000001D12F920000-0x000001D130920000-memory.dmp

Filesize
16.0MB

Download