strrat | bee58c6ca7604c6947eae5d73e39e8573473beba276c27efc6cff6ece65e0c86

Resubmissions

08-08-2024 14:44

240808-r4fslaydjd 3

18-07-2024 07:12

240718-h1wvza1fla 10

Analysis

max time kernel
178s
max time network
185s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
18-07-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

parcel_label_photo.vhdx
Size

36.0MB
MD5

48806b8dd97db25041bc3678a095dba4
SHA1

9c1a36fd5ca76390d4a102e1f5e85977d9d22b8c
SHA256

6d59388482835a122b9522752ef1c61b249ed12909258fab0aa10de69f3bf26d
SHA512

0fd66a64e816eb9ac19d9991e60e6189317fac04f00707dca6531074a48b1bfc5cfcfc76a65f2961a6ec87ee0f30a450443a94eecc3f9e8417cca95dfc8cc359
SSDEEP

6144:9rZn7y/EGuH/cpiysa2yuGncYM5YAImUaBe1Y0Pgne8cq1Gt8PbdC:1UDuH/c8ysCuGnNmUaBe1Nm1Y

Score

10^/10

strrat discovery persistence stealer trojan

Malware Config

Extracted

Family

strrat

lozado.duia.ro:9553

pingyoung.duckdns.org:9553

Attributes

license_id
MB4Q-SLG2-7HDN-EM52-K3JL
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
false
secondary_startup
true
startup
false

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Drops startup file 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\package_label_photo.jar java.exe
Loads dropped DLL 1 IoCs

Processes:

java.exe

pid process

64 java.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4144 icacls.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\package_label_photo.jar	java.exe

pid	process
64	java.exe

pid	process
4144	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\package_label_photo = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\package_label_photo.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\package_label_photo = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\package_label_photo.jar\""	java.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
34	ip-api.com

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ = "0"	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000003\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4464	WMIC.exe
Token: SeSecurityPrivilege	4464	WMIC.exe
Token: SeTakeOwnershipPrivilege	4464	WMIC.exe
Token: SeLoadDriverPrivilege	4464	WMIC.exe
Token: SeSystemProfilePrivilege	4464	WMIC.exe
Token: SeSystemtimePrivilege	4464	WMIC.exe
Token: SeProfSingleProcessPrivilege	4464	WMIC.exe
Token: SeIncBasePriorityPrivilege	4464	WMIC.exe
Token: SeCreatePagefilePrivilege	4464	WMIC.exe
Token: SeBackupPrivilege	4464	WMIC.exe
Token: SeRestorePrivilege	4464	WMIC.exe
Token: SeShutdownPrivilege	4464	WMIC.exe
Token: SeDebugPrivilege	4464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4464	WMIC.exe
Token: SeRemoteShutdownPrivilege	4464	WMIC.exe
Token: SeUndockPrivilege	4464	WMIC.exe
Token: SeManageVolumePrivilege	4464	WMIC.exe
Token: 33	4464	WMIC.exe
Token: 34	4464	WMIC.exe
Token: 35	4464	WMIC.exe
Token: 36	4464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4464	WMIC.exe
Token: SeSecurityPrivilege	4464	WMIC.exe
Token: SeTakeOwnershipPrivilege	4464	WMIC.exe
Token: SeLoadDriverPrivilege	4464	WMIC.exe
Token: SeSystemProfilePrivilege	4464	WMIC.exe
Token: SeSystemtimePrivilege	4464	WMIC.exe
Token: SeProfSingleProcessPrivilege	4464	WMIC.exe
Token: SeIncBasePriorityPrivilege	4464	WMIC.exe
Token: SeCreatePagefilePrivilege	4464	WMIC.exe
Token: SeBackupPrivilege	4464	WMIC.exe
Token: SeRestorePrivilege	4464	WMIC.exe
Token: SeShutdownPrivilege	4464	WMIC.exe
Token: SeDebugPrivilege	4464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4464	WMIC.exe
Token: SeRemoteShutdownPrivilege	4464	WMIC.exe
Token: SeUndockPrivilege	4464	WMIC.exe
Token: SeManageVolumePrivilege	4464	WMIC.exe
Token: 33	4464	WMIC.exe
Token: 34	4464	WMIC.exe
Token: 35	4464	WMIC.exe
Token: 36	4464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5004	WMIC.exe
Token: SeSecurityPrivilege	5004	WMIC.exe
Token: SeTakeOwnershipPrivilege	5004	WMIC.exe
Token: SeLoadDriverPrivilege	5004	WMIC.exe
Token: SeSystemProfilePrivilege	5004	WMIC.exe
Token: SeSystemtimePrivilege	5004	WMIC.exe
Token: SeProfSingleProcessPrivilege	5004	WMIC.exe
Token: SeIncBasePriorityPrivilege	5004	WMIC.exe
Token: SeCreatePagefilePrivilege	5004	WMIC.exe
Token: SeBackupPrivilege	5004	WMIC.exe
Token: SeRestorePrivilege	5004	WMIC.exe
Token: SeShutdownPrivilege	5004	WMIC.exe
Token: SeDebugPrivilege	5004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5004	WMIC.exe
Token: SeRemoteShutdownPrivilege	5004	WMIC.exe
Token: SeUndockPrivilege	5004	WMIC.exe
Token: SeManageVolumePrivilege	5004	WMIC.exe
Token: 33	5004	WMIC.exe
Token: 34	5004	WMIC.exe
Token: 35	5004	WMIC.exe
Token: 36	5004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5004	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

3492 7zG.exe

pid	process
3492	7zG.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

javaw.exejava.exejava.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1636 wrote to memory of 4144	1636	javaw.exe	icacls.exe
PID 1636 wrote to memory of 4144	1636	javaw.exe	icacls.exe
PID 1636 wrote to memory of 3688	1636	javaw.exe	java.exe
PID 1636 wrote to memory of 3688	1636	javaw.exe	java.exe
PID 3688 wrote to memory of 64	3688	java.exe	java.exe
PID 3688 wrote to memory of 64	3688	java.exe	java.exe
PID 64 wrote to memory of 2684	64	java.exe	cmd.exe
PID 64 wrote to memory of 2684	64	java.exe	cmd.exe
PID 2684 wrote to memory of 4464	2684	cmd.exe	WMIC.exe
PID 2684 wrote to memory of 4464	2684	cmd.exe	WMIC.exe
PID 64 wrote to memory of 1404	64	java.exe	cmd.exe
PID 64 wrote to memory of 1404	64	java.exe	cmd.exe
PID 1404 wrote to memory of 5004	1404	cmd.exe	WMIC.exe
PID 1404 wrote to memory of 5004	1404	cmd.exe	WMIC.exe
PID 64 wrote to memory of 5040	64	java.exe	cmd.exe
PID 64 wrote to memory of 5040	64	java.exe	cmd.exe
PID 5040 wrote to memory of 1836	5040	cmd.exe	WMIC.exe
PID 5040 wrote to memory of 1836	5040	cmd.exe	WMIC.exe
PID 64 wrote to memory of 3600	64	java.exe	cmd.exe
PID 64 wrote to memory of 3600	64	java.exe	cmd.exe
PID 3600 wrote to memory of 2252	3600	cmd.exe	WMIC.exe
PID 3600 wrote to memory of 2252	3600	cmd.exe	WMIC.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\parcel_label_photo.vhdx
1⤵
- Modifies registry class
PID:3424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2612

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "E:\faq\package_label_photo.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:4144
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\package_label_photo.jar"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\package_label_photo.jar"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:64
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        5⤵
        
        PID:1836
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
        5⤵
        
        PID:2252

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"E:\faq\" -an -ai#7zMap19604:64:7zEvent4900
1⤵
- Suspicious use of FindShellTrayWindow
PID:3492

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "E:\faq\package_label_photo.jar"
1⤵
PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
b48fa8a375c5743dc5cc7f94c3258215

SHA1
a39e1fc288e12c4ce46e5a1e8ddc4648b70cf7bc

SHA256
8c4173e76cd2a823c6d5ba2fc86ddf083c11cc6307ef2cddd6f9a863c6eb3904

SHA512
40e05f6cacf11a65b68ce57a38a75021f3b328c04d30433f424037bc14a9874ef0e2a3da57f9f26c5cc4e32743b8246c63491b96d34b3e8f67f11ae06ef504de

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1453213197-474736321-1741884505-1000\83aa4cc77f591dfc2374580bbd95f6ba_f5749a82-599b-445b-bbdf-fb54150d3ac0

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar

Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
C:\Users\Admin\package_label_photo.jar

Filesize
269KB

MD5
be41ae45f29c273fc450633cfe6aebbd

SHA1
627490759fa5837fb9857d689ddbfb71e3a16f45

SHA256
003a72c9422edd882435f6de90d3ed29bcc7cd40f0bed016d67540998294794c

SHA512
7d1c9622290c7bd16261fe9e18fd036267636585a7fd37ec7cb7e79609bec20749bfcb353ea0ec22a70c21a43bb23528b68dbb5f919db1a975348e61a9fd9a74

Download Submit
\Device\HarddiskVolume4\faq\carLambo\70.class\caesium_25.class

Filesize
1B

MD5
93b885adfe0da089cdf634904fd59f71

SHA1
5ba93c9db0cff93f52b521d7420e43f6eda2784f

SHA256
6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d

SHA512
b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna7489481844830051844.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
memory/64-136-0x000001F87E4B0000-0x000001F87E4B1000-memory.dmp

Filesize
4KB

Download
memory/64-160-0x000001F87E4B0000-0x000001F87E4B1000-memory.dmp

Filesize
4KB

Download
memory/64-142-0x000001F87E4B0000-0x000001F87E4B1000-memory.dmp

Filesize
4KB

Download
memory/1636-65-0x0000026275630000-0x0000026275631000-memory.dmp

Filesize
4KB

Download
memory/1636-33-0x0000026275630000-0x0000026275631000-memory.dmp

Filesize
4KB

Download
memory/1636-56-0x0000026275630000-0x0000026275631000-memory.dmp

Filesize
4KB

Download
memory/1636-60-0x0000026275630000-0x0000026275631000-memory.dmp

Filesize
4KB

Download
memory/1636-12-0x0000026275630000-0x0000026275631000-memory.dmp

Filesize
4KB

Download
memory/1636-79-0x0000026275630000-0x0000026275631000-memory.dmp

Filesize
4KB

Download
memory/1636-68-0x0000026275630000-0x0000026275631000-memory.dmp

Filesize
4KB

Download
memory/1636-81-0x0000026275630000-0x0000026275631000-memory.dmp

Filesize
4KB

Download
memory/3688-97-0x0000019423AC0000-0x0000019423AC1000-memory.dmp

Filesize
4KB

Download
memory/5808-1097-0x00000162F6490000-0x00000162F6491000-memory.dmp

Filesize
4KB

Download