80a5f327c62316dc8a757ed1d234a22c037efecb8f6b020e0e5cd9056d02a019 | Triage

Analysis

max time kernel
106s
max time network
115s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28/05/2024, 12:41

Sharing

Report Analysis Logs

General

Target

LeaderCheats TPM BYPAS.exe
Size

2.9MB
MD5

33ae81aafa932c5c425e86d01efdcc75
SHA1

b5d553b56310e9b2ead6b20f5325cbd30a2951bd
SHA256

80a5f327c62316dc8a757ed1d234a22c037efecb8f6b020e0e5cd9056d02a019
SHA512

050478c4de2abd4853a23a4aa988bd0a956cce3d56ff62808005eb82d01f29cc6e010d2338927ca4355ef11275bb748fccb4bcaa7f6b9f1e20e1cbb6ce60d1f1
SSDEEP

49152:rawO66h7yNgzXgd45Xb33gVjQFhy68t2ORe90m+NZ7:2wO66h7yNCy4lb33gZShLQe2m2Z7

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qcUPEOXuWWHbkuvfIaYYUqfIVW\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\qcUPEOXuWWHbkuvfIaYYUqfIVW"	Mapper.exe

Executes dropped EXE 1 IoCs

pid	Process
3396	Mapper.exe

Modifies file permissions 1 TTPs 1 IoCs

File and Directory Permissions Modification

pid	Process
2412	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1716900131854.tmp"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	LeaderCheats TPM BYPAS.exe

Runs net.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
3396	Mapper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3396	Mapper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3700	javaw.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 3684	4460	LeaderCheats TPM BYPAS.exe	72
PID 4460 wrote to memory of 3684	4460	LeaderCheats TPM BYPAS.exe	72
PID 4460 wrote to memory of 3684	4460	LeaderCheats TPM BYPAS.exe	72
PID 4460 wrote to memory of 3700	4460	LeaderCheats TPM BYPAS.exe	74
PID 4460 wrote to memory of 3700	4460	LeaderCheats TPM BYPAS.exe	74
PID 3684 wrote to memory of 4384	3684	cmd.exe	75
PID 3684 wrote to memory of 4384	3684	cmd.exe	75
PID 3684 wrote to memory of 4384	3684	cmd.exe	75
PID 4384 wrote to memory of 4380	4384	net.exe	76
PID 4384 wrote to memory of 4380	4384	net.exe	76
PID 4384 wrote to memory of 4380	4384	net.exe	76
PID 3684 wrote to memory of 3396	3684	cmd.exe	77
PID 3684 wrote to memory of 3396	3684	cmd.exe	77
PID 3700 wrote to memory of 2412	3700	javaw.exe	78
PID 3700 wrote to memory of 2412	3700	javaw.exe	78
PID 3700 wrote to memory of 4824	3700	javaw.exe	80
PID 3700 wrote to memory of 4824	3700	javaw.exe	80
PID 3700 wrote to memory of 1900	3700	javaw.exe	82
PID 3700 wrote to memory of 1900	3700	javaw.exe	82
PID 1900 wrote to memory of 2852	1900	cmd.exe	84
PID 1900 wrote to memory of 2852	1900	cmd.exe	84

Views/modifies file attributes 1 TTPs 1 IoCs

Hidden Files and Directories

pid	Process
4824	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LeaderCheats TPM BYPAS.exe
"C:\Users\Admin\AppData\Local\Temp\LeaderCheats TPM BYPAS.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4380
- - C:\Users\Admin\AppData\Local\Temp\Mapper.exe
    Mapper.exe TPM.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\JavaExpo.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2412
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716900131854.tmp
    3⤵
    - Views/modifies file attributes
    PID:4824
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716900131854.tmp" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1716900131854.tmp" /f
      4⤵
      Adds Run key to start application
      PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

File and Directory Permissions Modification

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
1faf136e4135bfa4d65540598ff4ce93

SHA1
a787a177682e6a50d42931192f1bd02ef01acea3

SHA256
69f9649649d4c11306cec863c1dd859f2931321edb66280a8ebb7fddaba0bdfd

SHA512
37aea8eebce85de025e40073167b25f7c36844d694ecf11f8fbd34c0bfa617a1b8e4e1e32355a75f5d872d87ebebf87f38d9fbadc18a147fe34a6e2170251afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaExpo.jar

Filesize
2.7MB

MD5
dfe073adbf50f4a7ab20463d237de04a

SHA1
51c7c9b3a5268f6e522a516def94857493e759fe

SHA256
90e0812431a06aee6377464e979900a327417af3c1ff159bfa667af745280842

SHA512
6406517e49a4e83e90e6a6d7516c3738c12abad4d23b659c7cf09b5caa3de2b20c77acd5d9d14676f541580896ec95ccc6cee78f84785db6ab031bf290c77976

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mapper.exe

Filesize
133KB

MD5
284396aa4d663e010b4ecee9ddf90269

SHA1
1746d269a0c3f2fb2b75750a732c8339f0cfbfe9

SHA256
2a9e2f0f019399b393354db70af0cfabda83f87251943db7d93e50e716c824fb

SHA512
bd9466f00e71b5787bddaf410b71b04af37a7ca60deff6550df344af8dcae5d3ad138e8371dabd3003e3f6e92b92ce457ffa1d83134bf3f68fb2bd090903f062

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start.bat

Filesize
613B

MD5
b5e107ec0b9b960a0fa4efa625b1d55b

SHA1
08a34d9bd11a052356812e421a30d00b7c11ec68

SHA256
c0cd0aaac402e795d696f117c86d59c97192d434e997c5337124886b528033b4

SHA512
50754b0cb00055cf17498529249602ed8c2b9c840b016e6493959b80b7a39d917ee63d61299a6d26da8c5a288b175931177008e34947a747cd59318747620c68

Download Submit
memory/3700-11-0x000002DA6E300000-0x000002DA6E570000-memory.dmp

Filesize
2.4MB

Download
memory/3700-26-0x000002DA6CAC0000-0x000002DA6CAC1000-memory.dmp

Filesize
4KB

Download
memory/3700-42-0x000002DA6CAC0000-0x000002DA6CAC1000-memory.dmp

Filesize
4KB

Download
memory/3700-60-0x000002DA6CAC0000-0x000002DA6CAC1000-memory.dmp

Filesize
4KB

Download
memory/3700-65-0x000002DA6CAC0000-0x000002DA6CAC1000-memory.dmp

Filesize
4KB

Download
memory/3700-67-0x000002DA6E300000-0x000002DA6E570000-memory.dmp

Filesize
2.4MB

Download
memory/3700-73-0x000002DA6CAC0000-0x000002DA6CAC1000-memory.dmp

Filesize
4KB

Download