Analysis

  • max time kernel
    338s
  • max time network
    331s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/11/2024, 04:33

General

  • Target

    JJSploit_8.10.10_x64_en-US (1).msi

  • Size

    5.0MB

  • MD5

    8cb1e85b5723e3d186cc1742b6c71122

  • SHA1

    f4638a9849b2bea46c8120930c7727cfae70b4d2

  • SHA256

    f1db224af0f14b971ba8be3e33482322b2f821695a4bbe2782b956217da383ad

  • SHA512

    b447f7b4e6590120ed50eaad798b271e7ebbe52ad61dbe5e621e0c99a6314fbcfd10ce8e6f837a7ca76e1084651c65dcb0eafcdac6cce6eebe2d1729249add5b

  • SSDEEP

    98304:6jmBVvK7NEfE6nal/6r5mzaB325gGiU9fh8ztt8xuvuUnm18uHwCEtFW+VAv8m:srNEfulImzfh8IquKq8uA

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Loads dropped DLL 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\JJSploit_8.10.10_x64_en-US (1).msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3832
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7EF9B23280BC313699D3402D595B863F C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1612
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4832
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4776

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\MSIDD6.tmp

            Filesize

            132KB

            MD5

            cfbb8568bd3711a97e6124c56fcfa8d9

            SHA1

            d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57

            SHA256

            7f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc

            SHA512

            860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04

          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

            Filesize

            24.1MB

            MD5

            f392de307b1286c8dcc6d533ee978ab7

            SHA1

            220ae30a1a9705f4fd1ad93f7e841659c7dd08cc

            SHA256

            ce562ae9f97fee0bf53c52b8774e3562a18f554a7d9f14f9e56cb6803e652cee

            SHA512

            d920dd977b0ac69333bd1e07f6c1cdcd44afd44e421c591721145193cf6a94449708074a65c248f4ee573a4aed44ca97a8bdcc55d5f1f3050df56871a89afea5

          • \??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4fe3e71f-4bd7-44bd-97fd-3ec6d7f906c0}_OnDiskSnapshotProp

            Filesize

            6KB

            MD5

            e7700ca31344d9e8f838188741b3a44d

            SHA1

            5fe8df70f4ece54a1d9eb1f9ac5dc7ceecefe672

            SHA256

            990beda2eb2f8c8aed16467270949b5d16b2110359629d9516060da7ed7a107d

            SHA512

            6946bbe30c8da42f5c1120b54db72506540a39b787cfd9a68f7b9f848aab189667d0ceb387caed7645d48f1a36c24776e16315ad23c320a95319f803af352652