4097035fd7cac64d82e5250a3a691d2985b2c4894b91c258391ee6592fc1f61a

Resubmissions

12-08-2024 17:47

240812-wdcepssark 8

Analysis

max time kernel
316s
max time network
317s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-08-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Burpy/Windows_setup.ps1
Size

4KB
MD5

a73b48e0fb186611feae995695839cd7
SHA1

a01d14bcfbc5c70f5a5bb323a5b3655bdad9fe1b
SHA256

5ab8bdffdbec79d415460bea619c42c841d334923ed20b22b03b3c5ece29aba0
SHA512

47143cb6eb944e9f57e0dd3e66913da0ccb179edaf85b817ef85f3d20a97c469ef5c399e57e9e82e34ec3377da1a707878354f745fb06eb760f7f4af02a86213
SSDEEP

96:+Babm/UoaSkGNe2P02RuPNULrVy/DAiXMP02RutZn:jXtSkw9zQrxXgsZn

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exemsiexec.exe

flow pid process

16 1176 powershell.exe
19 2544 msiexec.exe
32 1176 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

jdk-19.exejdk-19.exejava.exejava.exejava.exejava.exe

pid process

380 jdk-19.exe
2208 jdk-19.exe
4548 java.exe
4580 java.exe
2568 java.exe
2592 java.exe

flow	pid	process
16	1176	powershell.exe
19	2544	msiexec.exe
32	1176	powershell.exe

pid	process
380	jdk-19.exe
2208	jdk-19.exe
4548	java.exe
4580	java.exe
2568	java.exe
2592	java.exe

Loads dropped DLL 40 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exejava.exejava.exe

pid	process
4064	MsiExec.exe
4064	MsiExec.exe
4064	MsiExec.exe
5064	MsiExec.exe
5064	MsiExec.exe
5064	MsiExec.exe
5064	MsiExec.exe
5064	MsiExec.exe
5064	MsiExec.exe
5064	MsiExec.exe
5064	MsiExec.exe
5064	MsiExec.exe
5064	MsiExec.exe
5064	MsiExec.exe
5064	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
2568	java.exe
2568	java.exe
2568	java.exe
2568	java.exe
2568	java.exe
2568	java.exe
2568	java.exe
2592	java.exe
2568	java.exe
2592	java.exe
2568	java.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1176 powershell.exe

pid	process
1176	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 2 IoCs

Processes:

MsiExec.exe

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	MsiExec.exe
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	MsiExec.exe

Drops file in Program Files directory 64 IoCs

Processes:

MsiExec.exe

description	ioc	process
File created	C:\Program Files\Java\jdk-19\bin\api-ms-win-core-heap-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\include\win32\bridge\AccessBridgePackages.h	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\jmods\java.base.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\jmods\jdk.crypto.cryptoki.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\javadoc.exe	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\serialver.exe	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\java.desktop\freetype.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.crypto.ec\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\jimage.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\java.instrument\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.incubator.vector\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.internal.le\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.javadoc\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\lib\security\cacerts	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\api-ms-win-core-namedpipe-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\jmods\jdk.jpackage.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\java.xml\bcel.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.crypto.mscapi\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\lib\security\blocked.certs	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.naming.dns\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\api-ms-win-core-errorhandling-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\dt_shmem.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\mlib_image.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\java.se\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\jmods\java.scripting.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\jmods\java.sql.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.crypto.cryptoki\pkcs11wrapper.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.naming.rmi\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\saproc.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\java.security.sasl\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.jartool\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\api-ms-win-core-sysinfo-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\jmods\java.security.sasl.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\java.desktop\giflib.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.javadoc\jquery.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.zipfs\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\jmods\jdk.internal.opt.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\jmods\jdk.jdeps.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\jmods\jdk.localedata.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.incubator.vector\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\management_ext.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\java.transaction.xa\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.jstatd\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\java.xml.crypto\santuario.md	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\lib\jfr\profile.jfc	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\api-ms-win-core-memory-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\api-ms-win-core-string-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\api-ms-win-crt-process-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\jmods\jdk.crypto.ec.jmod	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\java.naming\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\lib\jfr\default.jfc	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\api-ms-win-crt-stdio-l1-1-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\management.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\rmiregistry.exe	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\java.datatransfer\LICENSE	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\fontmanager.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\keytool.exe	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\conf\security\policy\unlimited\default_local.policy	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\java.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\include\jawt.h	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\legal\jdk.management\COPYRIGHT	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\api-ms-win-core-localization-l1-2-0.dll	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\bin\jstatd.exe	MsiExec.exe
File created	C:\Program Files\Java\jdk-19\jmods\java.smartcardio.jmod	MsiExec.exe

Drops file in Windows directory 34 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e581ce9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI28A8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3817.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3962.tmp	msiexec.exe
File created	C:\Windows\Installer\e581ceb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3ACD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3610.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3973.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5E32314F-F4C9-59D1-A229-BC58CEA0D74A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI26A0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI29B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A92.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3895.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3983.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3984.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI26DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI28D8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2975.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3206.tmp	msiexec.exe
File created	C:\Windows\Installer\e581ce9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI276D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3533.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI217D.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2869.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI35E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI38C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2631.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A52.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3650.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3680.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies data under HKEY_USERS 22 IoCs

Processes:

MsiExec.exemsiexec.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Environment	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\System	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\ProgId = "AppXq0fevzme2pys62n3e0fbqa7peapykr8v"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Hash = "n6MiGKBfJR8="	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\EUDC	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_http = "1"	MsiExec.exe

Modifies registry class 35 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F41323E59C4F1D952A92CB85EC0A7DA4\ToolsFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\java.exe\IsHostApp	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\ = "Executable Jar File"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jar\ = "jarfile"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A46297B6D117AA8000B0D021009\F41323E59C4F1D952A92CB85EC0A7DA4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\SourceList\PackageName = "jdk19.0.264.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\Version = "318767106"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jdk19.0.2_x64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\ProductName = "Java(TM) SE Development Kit 19.0.2 (64-bit)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\PackageCode = "B281DDAB94D4DFF4D9529228B6C19A6F"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\java.exe	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\jarfile\shell\open\command	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4F4A3A46297B6D117AA8000B0D021009	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\SourceList\Media\2 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\LocalLow\\Oracle\\Java\\jdk19.0.2_x64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F41323E59C4F1D952A92CB85EC0A7DA4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\ProductIcon = "C:\\Program Files\\Java\\jdk-19\\\\bin\\java.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\javaw.exe\IsHostApp	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\jarfile	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\shell\open\command\ = "\"C:\\Program Files\\Java\\jdk-19\\bin\\javaw.exe\" -jar \"%1\" %*"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.jar	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F41323E59C4F1D952A92CB85EC0A7DA4\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\javaw.exe	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exemsiexec.exe

pid process

1176 powershell.exe
1176 powershell.exe
1176 powershell.exe
912 msiexec.exe
912 msiexec.exe

pid	process
1176	powershell.exe
1176	powershell.exe
1176	powershell.exe
912	msiexec.exe
912	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeSecurityPrivilege	912	msiexec.exe
Token: SeShutdownPrivilege	2544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2544	msiexec.exe
Token: SeCreateTokenPrivilege	2544	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2544	msiexec.exe
Token: SeLockMemoryPrivilege	2544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2544	msiexec.exe
Token: SeMachineAccountPrivilege	2544	msiexec.exe
Token: SeTcbPrivilege	2544	msiexec.exe
Token: SeSecurityPrivilege	2544	msiexec.exe
Token: SeTakeOwnershipPrivilege	2544	msiexec.exe
Token: SeLoadDriverPrivilege	2544	msiexec.exe
Token: SeSystemProfilePrivilege	2544	msiexec.exe
Token: SeSystemtimePrivilege	2544	msiexec.exe
Token: SeProfSingleProcessPrivilege	2544	msiexec.exe
Token: SeIncBasePriorityPrivilege	2544	msiexec.exe
Token: SeCreatePagefilePrivilege	2544	msiexec.exe
Token: SeCreatePermanentPrivilege	2544	msiexec.exe
Token: SeBackupPrivilege	2544	msiexec.exe
Token: SeRestorePrivilege	2544	msiexec.exe
Token: SeShutdownPrivilege	2544	msiexec.exe
Token: SeDebugPrivilege	2544	msiexec.exe
Token: SeAuditPrivilege	2544	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2544	msiexec.exe
Token: SeChangeNotifyPrivilege	2544	msiexec.exe
Token: SeRemoteShutdownPrivilege	2544	msiexec.exe
Token: SeUndockPrivilege	2544	msiexec.exe
Token: SeSyncAgentPrivilege	2544	msiexec.exe
Token: SeEnableDelegationPrivilege	2544	msiexec.exe
Token: SeManageVolumePrivilege	2544	msiexec.exe
Token: SeImpersonatePrivilege	2544	msiexec.exe
Token: SeCreateGlobalPrivilege	2544	msiexec.exe
Token: SeCreateTokenPrivilege	2544	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2544	msiexec.exe
Token: SeLockMemoryPrivilege	2544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2544	msiexec.exe
Token: SeMachineAccountPrivilege	2544	msiexec.exe
Token: SeTcbPrivilege	2544	msiexec.exe
Token: SeSecurityPrivilege	2544	msiexec.exe
Token: SeTakeOwnershipPrivilege	2544	msiexec.exe
Token: SeLoadDriverPrivilege	2544	msiexec.exe
Token: SeSystemProfilePrivilege	2544	msiexec.exe
Token: SeSystemtimePrivilege	2544	msiexec.exe
Token: SeProfSingleProcessPrivilege	2544	msiexec.exe
Token: SeIncBasePriorityPrivilege	2544	msiexec.exe
Token: SeCreatePagefilePrivilege	2544	msiexec.exe
Token: SeCreatePermanentPrivilege	2544	msiexec.exe
Token: SeBackupPrivilege	2544	msiexec.exe
Token: SeRestorePrivilege	2544	msiexec.exe
Token: SeShutdownPrivilege	2544	msiexec.exe
Token: SeDebugPrivilege	2544	msiexec.exe
Token: SeAuditPrivilege	2544	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2544	msiexec.exe
Token: SeChangeNotifyPrivilege	2544	msiexec.exe
Token: SeRemoteShutdownPrivilege	2544	msiexec.exe
Token: SeUndockPrivilege	2544	msiexec.exe
Token: SeSyncAgentPrivilege	2544	msiexec.exe
Token: SeEnableDelegationPrivilege	2544	msiexec.exe
Token: SeManageVolumePrivilege	2544	msiexec.exe
Token: SeImpersonatePrivilege	2544	msiexec.exe
Token: SeCreateGlobalPrivilege	2544	msiexec.exe
Token: SeCreateTokenPrivilege	2544	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2544	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2544 msiexec.exe
2544 msiexec.exe

pid	process
2544	msiexec.exe
2544	msiexec.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

powershell.exejdk-19.exejdk-19.exemsiexec.exejava.exejava.exe

description	pid	process	target process
PID 1176 wrote to memory of 380	1176	powershell.exe	jdk-19.exe
PID 1176 wrote to memory of 380	1176	powershell.exe	jdk-19.exe
PID 380 wrote to memory of 2208	380	jdk-19.exe	jdk-19.exe
PID 380 wrote to memory of 2208	380	jdk-19.exe	jdk-19.exe
PID 2208 wrote to memory of 2544	2208	jdk-19.exe	msiexec.exe
PID 2208 wrote to memory of 2544	2208	jdk-19.exe	msiexec.exe
PID 912 wrote to memory of 4064	912	msiexec.exe	MsiExec.exe
PID 912 wrote to memory of 4064	912	msiexec.exe	MsiExec.exe
PID 912 wrote to memory of 4112	912	msiexec.exe	srtasks.exe
PID 912 wrote to memory of 4112	912	msiexec.exe	srtasks.exe
PID 912 wrote to memory of 5064	912	msiexec.exe	MsiExec.exe
PID 912 wrote to memory of 5064	912	msiexec.exe	MsiExec.exe
PID 912 wrote to memory of 1552	912	msiexec.exe	MsiExec.exe
PID 912 wrote to memory of 1552	912	msiexec.exe	MsiExec.exe
PID 1176 wrote to memory of 4548	1176	powershell.exe	java.exe
PID 1176 wrote to memory of 4548	1176	powershell.exe	java.exe
PID 1176 wrote to memory of 4580	1176	powershell.exe	java.exe
PID 1176 wrote to memory of 4580	1176	powershell.exe	java.exe
PID 4580 wrote to memory of 2568	4580	java.exe	java.exe
PID 4580 wrote to memory of 2568	4580	java.exe	java.exe
PID 4548 wrote to memory of 2592	4548	java.exe	java.exe
PID 4548 wrote to memory of 2592	4548	java.exe	java.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Burpy\Windows_setup.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Local\Temp\Burpy\jdk-19.exe
"C:\Users\Admin\AppData\Local\Temp\Burpy\jdk-19.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Local\Temp\jds240638765.tmp\jdk-19.exe
"C:\Users\Admin\AppData\Local\Temp\jds240638765.tmp\jdk-19.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk19.0.2_x64\jdk19.0.264.msi" WRAPPER=1
4⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2544

C:\Program Files\Common Files\Oracle\Java\javapath\java.exe
"C:\Program Files\Common Files\Oracle\Java\javapath\java.exe" -jar New-loader.jar
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548

C:\Program Files\Java\jdk-19\bin\java.exe
"C:\Program Files\Java\jdk-19\bin\java.exe" -jar New-loader.jar
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592

C:\Program Files\Common Files\Oracle\Java\javapath\java.exe
"C:\Program Files\Common Files\Oracle\Java\javapath\java.exe" --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED -javaagent:New-loader.jar -noverify -jar burpsuite_pro.jar
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580

C:\Program Files\Java\jdk-19\bin\java.exe
"C:\Program Files\Java\jdk-19\bin\java.exe" --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED -javaagent:New-loader.jar -noverify -jar burpsuite_pro.jar
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 230A418D1F01AB19714D2CDE820D42B0 C
2⤵
- Loads dropped DLL
PID:4064

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4112

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 754BC2175FCD2024362BBABCEF857194
2⤵
- Loads dropped DLL
PID:5064

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 39D4D4474B3CC760777A84B18CFE3F48 E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:1552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581cea.rbs
Filesize
9KB

MD5
f08d4012c6199786fc5b6b273a8a3363

SHA1
b02c7a8901aed5312b5bf2db36ed234e2580cee3

SHA256
96eb6e9c7e414c787a3fd1b0f100c85bb1dc7f02414d183e9cc887de9925866c

SHA512
3ef55b85bd0bef42116de86f1d9c44c1135371f3c0cebaa252eac4028f2cc37bd027148e834d6fe7e00ca83f82c4f6787b77592ba8db2847aa8c14466d6ce4d4

Download Submit
C:\Program Files\Java\jdk-19\LICENSE
Filesize
6KB

MD5
7369866495acb2d7e57397f06a3ab0ba

SHA1
e75e828ba2898c74b4a682ce5291a69acf9cc55a

SHA256
4d156eecbf6ca462d8cf772552fff874b167f87def9566837fb8e4fb347f29a5

SHA512
6c1ae5229953259a258bf140241afa9dc50b642dbb5a11c183c8920678292266aecc26dd1254c3ce9184fe08c3068e2183a694a9a06f5972cc535015461ff825

Download Submit
C:\Program Files\Java\jdk-19\bin\windowsaccessbridge-64.dll
Filesize
71KB

MD5
d0f2ded56013e0f7beff01e7955d980c

SHA1
2c27d8f6bffa6ee538a43daba9cb0fac07abb146

SHA256
0a6b0bca5086994476cac894dc945eee43ede4e2f266435b5c812db54fec06f9

SHA512
19803c8222f3923d2813187198e79a4d8f35622694a3a36a5c5f43f9cde397f8fdfdd54293dd909897dd56712befe51263cbeb21afb8a390c01410fe0446ff74

Download Submit
C:\Program Files\Java\jdk-19\legal\java.logging\COPYRIGHT
Filesize
35B

MD5
4586c3797f538d41b7b2e30e8afebbc9

SHA1
3419ebac878fa53a9f0ff1617045ddaafb43dce0

SHA256
7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

SHA512
f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

Download Submit
C:\Program Files\Java\jdk-19\legal\java.logging\LICENSE
Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit\Reference Documentation.url
Filesize
197B

MD5
8cba0d2ab4d19e447e4d0d7b39186947

SHA1
62479b2c9ea8191e05da8eeb32210226de1ce16f

SHA256
4c087321e392f3c4598ae09b4e70b8fe732bd1401fb3ad21ac5e69c86ac0ac9e

SHA512
0dab9f55c23308f87a360c935ebcfe634de431e2b6567d4eb1886f63c032f535dfa75a37aa7ea9b7c386e609e8b5671874500238b7109e19b739dcfb6932a241

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63
Filesize
727B

MD5
754db6902deeee30ceee464cfc64ab58

SHA1
b03d10d92b4ed573c8ca2180f690b8821e55bcfc

SHA256
021264df0937503368d5514b20d73bda18309e87425ce22b1130c725bdbe2dea

SHA512
57a2e3cebd74730f73a36af929adc7a034451570a9929c90a0478c218f524d787e266f2cfccf3a1f5b4be48fddd4a60266473e73d40eb5fc918c787571492dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63
Filesize
404B

MD5
a77135d5fca053065109b70f7bfb50a7

SHA1
2479596e92c00eaafaf0c72b5c4aea505ff26822

SHA256
ae0023cdf9960088b175726e5c7d84420e66611f297040dcfeef60dc7cf6a505

SHA512
2612894e4ea2e9d6c50da50df59ab2c2996677db2e0291957764253beee459c057c20b0ed8850d50ddfdabdce8e7e8ea72c5eea3651f155c692f37ef78d45085

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaLauncher.log
Filesize
1014B

MD5
0a064488cd810ddb9116a39aeda13170

SHA1
9b06588b9dd55f340d4546a75092a22e86ab92b4

SHA256
abd5c5e1212a83b31e3eca8345b17a72dd54eabdfedd1b15d8698a0d4f01e0af

SHA512
7570dd17939a663927c015d668adc29e9e72c441a99233be8d559473dce104cd9f925e82fc82046b26101ab1ef43b99123d809d4eeca198bceac499bf29b89ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaLauncher.log
Filesize
2KB

MD5
69f6a464aec2c2f903d59b8f4917bf6e

SHA1
5b3569473a9b5c35742c5133502e8eea83416310

SHA256
4655aad210c54f652ca5ae8388c01b0e9793fcbf5900ccbcc416ba11af7a3d94

SHA512
bc6a60b5cd7245deaa6faf181c98db0601ae1df71ed05ab905633da33e128ca96b15923dafda472763fc2eec8f54ffb1b2e0157275155ca20bd6eb1569881950

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaLauncher.log
Filesize
4KB

MD5
24277a8cd030344ab56dabeb8fa9b520

SHA1
251c30ab62d235a419ba3934d7d8ce51b287c2ef

SHA256
6a465c57cd2d014db9553fc8cbcd900722bdb1782d0f453dbd3143d43aef3e72

SHA512
d722ea7d0a8ec1325323800dc86ee1185980ce3d377e126cdf30220926386b1cc7871e5313ea22da2fc1d7388c063658320ccd5f4bf4d42a5ffec58136f2f280

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE5CC.tmp
Filesize
894KB

MD5
d849eed8fef39365cb0987f2c3d1c26f

SHA1
25ad42230ba2d0f163649f560ec09250d60f263c

SHA256
9ffced196504a78813600ad96108f45ed4667c13dc0ea545b0444d923b871650

SHA512
8b418c1f71c6d9b8c922d1634258132a0cc280ff90272b042cbfcea67c8576bb8db38a595fe27d65e90275d9e5d52c8dd5bbdff52e71c5d5f7e576685352184b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3knqtiqm.bhd.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
167KB

MD5
e19485e744744d688d5dc402c80d3f31

SHA1
defe2d91faa0b01a676a51b798ee839b34919d8a

SHA256
1aea5ce915cc55b2955f9797d187e23d60a08bf31cd72d0e80191f7844b3dae7

SHA512
9911e1c38bd6e97ea37a9532643981d241fb155a20fd328f25444692007d5fb98cd41aa48b03fbabcf683804f112264bf4385e6a62699de3bf454e0f7507cc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
169KB

MD5
f799ea244e82d21f130c8fb512ea279e

SHA1
909ead7c763644f4ee0d3513f7a4c19d37e81779

SHA256
bb0326768a6e4eb2585a811ffa2bcb66809da19fcc6455c7a6dc508be79b0441

SHA512
da485b6c1d2c7f1d9e1c254d42bd557dd1ead185a7b847a6a7f51a28346cd9938decd0362a38e4ab376b9fe7c5a253c64528e928d463571d61906ef76604f28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
172KB

MD5
a27a47dc275104464910403e5041a2b0

SHA1
eb254536fccb5d913585aaebc50e9962c52bfc61

SHA256
ecfacb6c8ca49da1bde5f6f441272492218e8fda0accea514d169837dc5964e8

SHA512
b10046c0d4a126e43e8df8c5e419c0ef06e3da87750185db6ac0e3f72479cef8952dae75c432b9052a06c2f0623f62a96cb8208e471553bad7f4e77365b29025

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
154KB

MD5
c93645171964d092402cd8b883a196aa

SHA1
d37a985e78ba21da89ae8851b8c6b0b8f4c0b800

SHA256
c605e280b41502e327f8a6e7d69f768e59d2e9c61b7e723293b21a9ca6ed357b

SHA512
5711452cbeea7a29556c0af8520b0e6a47db322cc9dd7ea48db971bdd213ad3133e9bf58bd88f6b9640c4ea64d1f96d0398d9006d0d1d8ae66faa5cc08459b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
161KB

MD5
0ecc71ebca0bd28eb4329b7c5fec527f

SHA1
52df7f9ef305aa9fe9f3ebca51afe778b1e47c89

SHA256
fecc050654e9e87315e961a39d7f32e85d3c0d5c0620546189255050eec9cb3f

SHA512
2c6c649fa58a78b9ba6091899c6508e6224d73149f6b6211668d9418be9965664150c35a89ddd3c5a52306a0d727e2cea3b69114c5458b50c3d19025bda2e5ed

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
26.0MB

MD5
39e32f2f93cedc92e3e627f848bc72c7

SHA1
40cc6654a66611780b41dd4ad492921affc92fae

SHA256
da636d31a100d811bd451071f2def89914c09855fbe51efce68072e47e5d3cb6

SHA512
b327dfeaa6cb755a4a789a50bc333890040cf2368ea88e5e465f9befe3572365892eae694f83828a89272655465c7de8a80cdb1a4fb739c3d42655cf35d100ea

Download Submit
\??\Volume{39cd0eda-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{089a6e46-e8f5-44a0-909d-9e881e694243}_OnDiskSnapshotProp
Filesize
5KB

MD5
85b652beaa0ff0f6cfeb129d9ba0ba7a

SHA1
792095239fb885a94376fbea84f9c420bd6715f7

SHA256
e7ec0c43567a02b215ba9f0ba97000ed46e7480437e1746aa7a1b9967497c4f6

SHA512
28e593575f245792e1d96ccc24514a779196ac8b195e1a0025dc3f6f572bcf3c2715f70268f851a349f4b42e96af77f60b8f04d0d32ab2f0a0840add44b4bc6b

Download Submit
memory/1176-4-0x00007FFC23353000-0x00007FFC23354000-memory.dmp

Filesize
4KB

Download
memory/1176-57-0x00007FFC23350000-0x00007FFC23D3C000-memory.dmp

Filesize
9.9MB

Download
memory/1176-36-0x00007FFC23350000-0x00007FFC23D3C000-memory.dmp

Filesize
9.9MB

Download
memory/1176-35-0x00007FFC23353000-0x00007FFC23354000-memory.dmp

Filesize
4KB

Download
memory/1176-32-0x00007FFC23350000-0x00007FFC23D3C000-memory.dmp

Filesize
9.9MB

Download
memory/1176-10-0x00007FFC23350000-0x00007FFC23D3C000-memory.dmp

Filesize
9.9MB

Download
memory/1176-9-0x000001C16CE50000-0x000001C16CEC6000-memory.dmp

Filesize
472KB

Download
memory/1176-8-0x00007FFC23350000-0x00007FFC23D3C000-memory.dmp

Filesize
9.9MB

Download
memory/1176-5-0x000001C16CD20000-0x000001C16CD42000-memory.dmp

Filesize
136KB

Download
memory/1176-1030-0x00007FFC23350000-0x00007FFC23D3C000-memory.dmp

Filesize
9.9MB

Download