Resubmissions
10-11-2024 11:50
241110-nzxzjayrep 8
10-11-2024 11:47
241110-nyb1nswdlq 8
10-11-2024 11:42
241110-nvex6ayqfj 8

Analysis
max time kernel: 1151s
max time network: 1143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 11:42
Static task: static1
Behavioral task: behavioral1
  Sample: Krnl_8.10.8_x64_en-US.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Krnl_8.10.8_x64_en-US.msi
  Resource: win10v2004-20241007-en
General
Target: Krnl_8.10.8_x64_en-US.msi
Size: 5.0MB
MD5: b837d10b9a71425dbf3d62b2cc59f447
SHA1: 85c9ba3331f7eb432c28365b0d1f36a201373a72
SHA256: 76c83d1bebd6b01bab76d9a94f223e1a3cf20f2040b8d58a12625074e2936f7c
SHA512: f20999d19c470941c85912725d6f89c5073d475572ece92ce5b8e5425cdf012950f230c353870d86469ab6658bdc504abbb41260cb676f109551860433bcb405
SSDEEP: 98304:XPky+agPtUpupDeOds+883iSh79bubjnvmu5/qv4eYb2Tqg9EeYImwqPY6Bvv8m:XPky9GtAcdsENbubzSJb9lyw
Note: the file is named after Krnl, but the package registers ProductName "JJSploit" and installs into C:\Program Files\JJSploit (see the registry and file signatures below). Treat the file name as untrusted metadata and identify the package by its hashes and ProductCode.
Signatures

Command and Scripting Interpreter: PowerShell 2 IoCs
pid Process: 4332 powershell.exe; 4332 powershell.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive. Windows Installer checks every volume while costing an install, so for an MSI this is typical msiexec.exe behaviour rather than evidence of the installed payload enumerating drives; weigh it accordingly.
description: File opened (read-only) by msiexec.exe for 23 drive letters: \??\A:, \??\B:, \??\E: and \??\G: through \??\Z:. Each letter appears twice in the 46 rows; C:, D: and F: are not in the list.
Drops file in Program Files directory 22 IoCs
All 22 files are created by msiexec.exe. The tree is the JJSploit application with its bundled Lua scripts:
- C:\Program Files\JJSploit\JJSploit.exe
- C:\Program Files\JJSploit\Uninstall JJSploit.lnk
- C:\Program Files\JJSploit\resources\luascripts\general\aimbot.lua
- C:\Program Files\JJSploit\resources\luascripts\general\chattroll.lua
- C:\Program Files\JJSploit\resources\luascripts\general\fly.lua
- C:\Program Files\JJSploit\resources\luascripts\general\god.lua
- C:\Program Files\JJSploit\resources\luascripts\general\infinitejump.lua
- C:\Program Files\JJSploit\resources\luascripts\general\magnetizeto.lua
- C:\Program Files\JJSploit\resources\luascripts\general\multidimensionalcharacter.lua
- C:\Program Files\JJSploit\resources\luascripts\general\noclip.lua
- C:\Program Files\JJSploit\resources\luascripts\general\teleportto.lua
- C:\Program Files\JJSploit\resources\luascripts\general\tptool.lua
- C:\Program Files\JJSploit\resources\luascripts\jailbreak\criminalesp.lua
- C:\Program Files\JJSploit\resources\luascripts\jailbreak\policeesp.lua
- C:\Program Files\JJSploit\resources\luascripts\jailbreak\removewalls.lua
- C:\Program Files\JJSploit\resources\luascripts\jailbreak\walkspeed.lua
- C:\Program Files\JJSploit\resources\luascripts\animations\dab.lua
- C:\Program Files\JJSploit\resources\luascripts\animations\energizegui.lua
- C:\Program Files\JJSploit\resources\luascripts\animations\jumpland.lua
- C:\Program Files\JJSploit\resources\luascripts\animations\levitate.lua
- C:\Program Files\JJSploit\resources\luascripts\animations\walkthrough.lua
- C:\Program Files\JJSploit\resources\luascripts\beesim\autodig.lua
Drops file in Windows directory 10 IoCs
All actions are by msiexec.exe. The cached package copies (e5851b5.msi, e5851b7.msi), the ProductIcon directory and the SourceHash entry are standard Windows Installer artifacts, all keyed on the ProductCode {3D33D542-D2B2-4F33-A39D-CD4F70D3442E}:
- File created C:\Windows\Installer\inprogressinstallinfo.ipi
- File opened for modification C:\Windows\Installer\MSI52CE.tmp
- File created C:\Windows\Installer\{3D33D542-D2B2-4F33-A39D-CD4F70D3442E}\ProductIcon
- File opened for modification C:\Windows\Installer\{3D33D542-D2B2-4F33-A39D-CD4F70D3442E}\ProductIcon
- File created C:\Windows\Installer\e5851b5.msi
- File opened for modification C:\Windows\Installer\e5851b5.msi
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification C:\Windows\Installer\
- File created C:\Windows\Installer\SourceHash{3D33D542-D2B2-4F33-A39D-CD4F70D3442E}
- File created C:\Windows\Installer\e5851b7.msi
Loads dropped DLL 1 IoCs
pid Process: 2600 MsiExec.exe
The loading process is the SysWOW64 MsiExec.exe started with -Embedding, i.e. the 32-bit Windows Installer custom action server, so the dropped DLL is a custom action DLL carried inside the package. The report does not name the DLL; it is the part of the install worth pulling and reviewing first.
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2504 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Here the read is by the custom action server, which is consistent with an installer picking its UI language; on its own this is a weak signal.
description: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MsiExec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run every access is by vssvc.exe, the Volume Shadow Copy service, while srtasks.exe creates the restore point requested by the install (see the process tree); the PartitionTableCache and SnapshotDataCache values under Partmgr are snapshot bookkeeping, not something the payload wrote.
All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters, process vssvc.exe:
- Key opened (Device Parameters)
- Key queried (Device Parameters)
- Key created Partmgr
- Set value (data) Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data) Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Modifies data under HKEY_USERS 3 IoCs
All by msiexec.exe:
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27
Modifies registry class 35 IoCs
All 35 actions are by msiexec.exe under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\. The 32-character key names are Windows Installer packed GUIDs: Products\245D33D32B2D33F43AD9DCF4073D44E2 is the ProductCode {3D33D542-D2B2-4F33-A39D-CD4F70D3442E} (the same GUID used for the C:\Windows\Installer cache directory above), and Version = 134873096 is 0x080A0008, i.e. 8.10.8, matching the version in the file name.
- Key created Products\245D33D32B2D33F43AD9DCF4073D44E2\SourceList
- Key deleted Products\245D33D32B2D33F43AD9DCF4073D44E2\SourceList\Net
- Set value (str) Features\245D33D32B2D33F43AD9DCF4073D44E2\Environment = "MainProgram"
- Key created Products\245D33D32B2D33F43AD9DCF4073D44E2
- Set value (str) Products\245D33D32B2D33F43AD9DCF4073D44E2\ProductName = "JJSploit"
- Set value (int) Products\245D33D32B2D33F43AD9DCF4073D44E2\AdvertiseFlags = "388"
- Set value (str) UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA\245D33D32B2D33F43AD9DCF4073D44E2
- Set value (str) Products\245D33D32B2D33F43AD9DCF4073D44E2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
- Set value (str) Features\245D33D32B2D33F43AD9DCF4073D44E2\External
- Set value (int) Products\245D33D32B2D33F43AD9DCF4073D44E2\Version = "134873096"
- Set value (int) Products\245D33D32B2D33F43AD9DCF4073D44E2\InstanceType = "0"
- Set value (int) Products\245D33D32B2D33F43AD9DCF4073D44E2\DeploymentFlags = "3"
- Key created UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA
- Set value (str) Features\245D33D32B2D33F43AD9DCF4073D44E2\MainProgram
- Set value (int) Products\245D33D32B2D33F43AD9DCF4073D44E2\Language = "0"
- Set value (str) Products\245D33D32B2D33F43AD9DCF4073D44E2\SourceList\PackageName = "Krnl_8.10.8_x64_en-US.msi"
- Key deleted Products\245D33D32B2D33F43AD9DCF4073D44E2
- Key created Features\245D33D32B2D33F43AD9DCF4073D44E2
- Set value (str) Features\245D33D32B2D33F43AD9DCF4073D44E2\ShortcutsFeature = "MainProgram"
- Key deleted Products\245D33D32B2D33F43AD9DCF4073D44E2\SourceList\Media
- Key deleted UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA
- Set value (int) Products\245D33D32B2D33F43AD9DCF4073D44E2\Assignment = "1"
- Set value (data) Products\245D33D32B2D33F43AD9DCF4073D44E2\Clients = 3a0000000000
- Set value (str) Products\245D33D32B2D33F43AD9DCF4073D44E2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
- Key created Products\245D33D32B2D33F43AD9DCF4073D44E2
- Set value (str) Products\245D33D32B2D33F43AD9DCF4073D44E2\SourceList\Media\1 = ";"
- Key deleted Features\245D33D32B2D33F43AD9DCF4073D44E2
- Set value (str) Products\245D33D32B2D33F43AD9DCF4073D44E2\PackageCode = "6BA04691B11BD7E458FA5475B2122A24"
- Set value (int) Products\245D33D32B2D33F43AD9DCF4073D44E2\AuthorizedLUAApp = "0"
- Key created Products\245D33D32B2D33F43AD9DCF4073D44E2\SourceList
- Key created Products\245D33D32B2D33F43AD9DCF4073D44E2\SourceList\Net
- Key created Products\245D33D32B2D33F43AD9DCF4073D44E2\SourceList\Media
- Key deleted Products\245D33D32B2D33F43AD9DCF4073D44E2\SourceList
- Key created Features\245D33D32B2D33F43AD9DCF4073D44E2
- Set value (str) Products\245D33D32B2D33F43AD9DCF4073D44E2\ProductIcon = "C:\\Windows\\Installer\\{3D33D542-D2B2-4F33-A39D-CD4F70D3442E}\\ProductIcon"
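The packed key names in the registry rows above are the only place this report states the package's ProductCode, UpgradeCode and PackageCode, so it is worth being able to decode them without a Windows box. The following is an added example written for this page, not code from the sandbox or from the JJSploit/Krnl project: it recovers the three GUIDs from a handful of rows copied from the signature above (constructed sample input), decodes the Version DWORD, and cross-checks the ProductCode against the brace-form GUID that names the C:\Windows\Installer cache directory. The packing rule (first three segments reversed character by character, last two with each byte's nibbles swapped) is the documented Windows Installer convention; the row regexes are assumptions about this report's text layout.

```python
import re

# Constructed sample: rows copied from this report's "Modifies registry class" and
# "Drops file in Windows directory" signatures (the real report has 35 registry rows).
REPORT_LINES = [
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\245D33D32B2D33F43AD9DCF4073D44E2 msiexec.exe",
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA msiexec.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\245D33D32B2D33F43AD9DCF4073D44E2\PackageCode = "6BA04691B11BD7E458FA5475B2122A24" msiexec.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\245D33D32B2D33F43AD9DCF4073D44E2\Version = "134873096" msiexec.exe',
    r"File created C:\Windows\Installer\{3D33D542-D2B2-4F33-A39D-CD4F70D3442E}\ProductIcon msiexec.exe",
]


def _swap_nibbles(hexstr):
    """Swap the two hex digits of every byte: 'A39D' -> '3AD9'. Self-inverse."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def unpack_guid(packed):
    """Turn a 32-hex-digit Windows Installer packed ("squished") GUID into brace form.
    Segments 1-3 are stored reversed character by character; segments 4 and 5 are
    stored with the nibbles of each byte swapped."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", packed):
        raise ValueError("packed GUID must be exactly 32 hex digits")
    p = packed.upper()
    parts = [p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
             _swap_nibbles(p[16:20]), _swap_nibbles(p[20:32])]
    return "{" + "-".join(parts) + "}"


def pack_guid(guid):
    """Inverse of unpack_guid (both transforms are their own inverse)."""
    parts = guid.strip("{}").upper().split("-")
    if [len(x) for x in parts] != [8, 4, 4, 4, 12]:
        raise ValueError("not a GUID")
    return (parts[0][::-1] + parts[1][::-1] + parts[2][::-1]
            + _swap_nibbles(parts[3]) + _swap_nibbles(parts[4]))


def decode_msi_version(value):
    """Installer 'Version' DWORD: major in the top byte, minor in the next byte,
    build in the low word. 134873096 == 0x080A0008 -> '8.10.8'."""
    v = int(value)
    return f"{(v >> 24) & 0xFF}.{(v >> 16) & 0xFF}.{v & 0xFFFF}"


# Assumed layout of the sandbox rows (paths use single backslashes as printed above).
PRODUCT_RE = re.compile(r"Installer\\Products\\([0-9A-F]{32})", re.IGNORECASE)
UPGRADE_RE = re.compile(r"Installer\\UpgradeCodes\\([0-9A-F]{32})", re.IGNORECASE)
PACKAGE_RE = re.compile(r'\\PackageCode = "([0-9A-F]{32})"', re.IGNORECASE)
VERSION_RE = re.compile(r'\\Version = "(\d+)"')
CACHE_GUID_RE = re.compile(r"\\Windows\\Installer\\(\{[0-9A-F-]{36}\})", re.IGNORECASE)


def recover_codes(lines):
    """Pull the packed codes out of sandbox registry rows and return them as real GUIDs,
    plus the decoded version and the brace GUID used for the installer cache directory."""
    out = {}
    for line in lines:
        for key, rx in (("ProductCode", PRODUCT_RE), ("UpgradeCode", UPGRADE_RE),
                        ("PackageCode", PACKAGE_RE)):
            m = rx.search(line)
            if m and key not in out:
                out[key] = unpack_guid(m.group(1))
        m = VERSION_RE.search(line)
        if m:
            out["Version"] = decode_msi_version(m.group(1))
        m = CACHE_GUID_RE.search(line)
        if m:
            out["InstallerCacheGuid"] = m.group(1).upper()
    # Cross-check: the brace GUID naming the cache directory should be the ProductCode.
    out["ProductCodeMatchesCache"] = out.get("ProductCode") == out.get("InstallerCacheGuid")
    return out


if __name__ == "__main__":
    for k, v in recover_codes(REPORT_LINES).items():
        print(f"{k}: {v}")
```

The recovered ProductCode is what you would feed to `msiexec /x {ProductCode}` on an infected host, or look up under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall; the UpgradeCode is the stable identifier to pivot on across versions of the same package.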
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process: 4424 msiexec.exe (2 rows); 4332 powershell.exe (3 rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Enabling the whole privilege set on its own token is the normal behaviour of the Windows Installer client (msiexec.exe /I) before it hands the install to the service; SeDebugPrivilege and SeLoadDriverPrivilege are requested here, but nothing else in the report shows either being exercised (no driver load, no writes into a foreign process).
- PID 4424 msiexec.exe: SeSecurityPrivilege (1 row)
- PID 2504 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following 29 privileges enabled twice in sequence (58 rows), then SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege and SeLockMemoryPrivilege once more before the 64-row cap:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process: 2504 msiexec.exe (2 rows)
Suspicious use of WriteProcessMemory 7 IoCs
All writes are from PID 4424 (msiexec.exe, the installer service) into processes it has just created; writes into a freshly spawned child are part of process creation, not injection into a foreign process. The targets are the service's three children:
- PID 4424 wrote to memory of 2600 (MsiExec.exe -Embedding, custom action server), target 101, 3 rows
- PID 4424 wrote to memory of 592 (srtasks.exe), target 109, 2 rows
- PID 4424 wrote to memory of 4332 (powershell.exe), target 111, 2 rows
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run it is invoked for srtasks.exe ExecuteScopeRestorePoint, i.e. the system restore point Windows Installer creates before an install, which is also what brings vssvc.exe (PID 5004) into the process tree.
Processes

- PID 2504  C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Krnl_8.10.8_x64_en-US.msi
  Signatures: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- PID 4424  C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Children:
  - PID 2600  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 65E79F296D82FE8375964F40410C8AE1 C
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - PID 592  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    Signatures: none
  - PID 4332  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses

- PID 5004  C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s)

The one child that is not boilerplate Windows Installer machinery is the hidden PowerShell launched by the installer service: it downloads an executable from a go.microsoft.com fwlink into %TEMP% and runs it with /silent /install. The file name and switches are those of the Microsoft Edge WebView2 Evergreen bootstrapper, which installers for WebView2-based applications fetch at install time; the pattern itself (installer spawning a hidden shell that downloads and executes) is still the one to alert on, with the destination host as the deciding factor.
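The following is an added example for this page, not code from the sandbox or from the package under analysis. It encodes the process-tree review above as detection logic: given process records (constructed here from the PIDs, parents and command lines printed in the tree), it finds shells spawned by msiexec.exe whose command line both downloads and executes something, extracts the URLs and the -OutFile drop path, and records whether every contacted host is under microsoft.com, which is the one fact that separates this WebView2 bootstrap from the same pattern pulling from an attacker host. The marker lists and the host check are assumptions chosen for the example.

```python
import re
from urllib.parse import urlparse

# Constructed from the process tree in this report: (pid, parent pid, image path, command line).
# Parent links follow the tree nesting and the WriteProcessMemory rows (4424 -> 2600, 592, 4332).
PROCESSES = [
    (2504, None, r"C:\Windows\system32\msiexec.exe",
     r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Krnl_8.10.8_x64_en-US.msi"),
    (4424, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    (2600, 4424, r"C:\Windows\syswow64\MsiExec.exe",
     r"C:\Windows\syswow64\MsiExec.exe -Embedding 65E79F296D82FE8375964F40410C8AE1 C"),
    (592, 4424, r"C:\Windows\system32\srtasks.exe",
     r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    (4332, 4424, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"""powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait"""),
    (5004, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# Assumed heuristics for the example: which parents, which shells, and which command-line
# fragments count as "download" and "execute". Extend to taste.
INSTALLER_IMAGES = ("msiexec.exe",)
SHELL_IMAGES = ("powershell.exe", "pwsh.exe", "cmd.exe")
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadfile(", "downloadstring(", "start-bitstransfer")
EXECUTE_MARKERS = ("start-process", "invoke-expression", "iex ", "invoke-item")
HIDDEN_MARKERS = ("-windowstyle hidden", "-w hidden", "-w h ")
URL_RE = re.compile(r"""https?://[^\s"')]+""")
OUTFILE_RE = re.compile(r'-OutFile\s+"([^"]+)"', re.IGNORECASE)


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def find_installer_download_exec(processes):
    """Return one finding per shell process whose parent is msiexec.exe and whose command
    line contains both a download marker and an execute marker."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, cmdline in processes:
        if _basename(image) not in SHELL_IMAGES:
            continue
        parent = by_pid.get(ppid)
        parent_name = _basename(parent[2]) if parent else None
        if parent_name not in INSTALLER_IMAGES:
            continue
        low = cmdline.lower()
        if not (any(m in low for m in DOWNLOAD_MARKERS) and any(m in low for m in EXECUTE_MARKERS)):
            continue
        urls = URL_RE.findall(cmdline)
        hosts = sorted({urlparse(u).netloc.lower() for u in urls})
        findings.append({
            "pid": pid,
            "parent_pid": ppid,
            "parent_image": parent_name,
            "hidden_window": any(m in low for m in HIDDEN_MARKERS),
            "urls": urls,
            "hosts": hosts,
            # Only a Microsoft host makes this the benign WebView2 bootstrap; anything else is a download cradle.
            "all_hosts_microsoft": bool(hosts) and all(
                h == "microsoft.com" or h.endswith(".microsoft.com") for h in hosts),
            "dropped_paths": OUTFILE_RE.findall(cmdline),
        })
    return findings


if __name__ == "__main__":
    for f in find_installer_download_exec(PROCESSES):
        verdict = "review (Microsoft host)" if f["all_hosts_microsoft"] else "ALERT (non-Microsoft host)"
        print(f"pid {f['pid']} <- {f['parent_image']} {f['parent_pid']}: {verdict}; "
              f"hidden={f['hidden_window']} hosts={f['hosts']} drops={f['dropped_paths']}")
```

Run against real telemetry by building the same (pid, ppid, image, cmdline) tuples from Sysmon Event ID 1 or EDR process events; swapping the go.microsoft.com URL for any other host in the sample above flips the verdict, which is the behaviour you want from the rule.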
Network

MITRE ATT&CK Enterprise v15
Downloads

- Filesize 9.7MB
  MD5 d0d04bc3cb9e341925f36736c7730dc5
  SHA1 c958e77cd69768e3753835dbfcb66a903b373c21
  SHA256 bc360c4a540aad33bcd8a358566bb4e0844ca36138ef36fb5dd8084d36517495
  SHA512 2f04c151d57826a89b52f82c6b8c4ae5c0a45b83556c9aa6c45aa520f312d1a0edd2bb36c90c94b5a4967ea1b498634c4673828ef4afbdb63ab0e9d76609b31a

- Filesize 1KB
  MD5 04fc5299e8d6f67125979ab9a43591c3
  SHA1 9212b27562849c9c89c29fd3f713d9fc8bb8c19f
  SHA256 f7f4e0212b6587523c637c53e911a73a887f23adc0575074896f5250810a122e
  SHA512 cf0ab837ea434c830f5ba7a25de1224d910d543e3f5d4122d3f850c4095207e72920caab96c49f1f9948b8305137f36c366afd9f47d047d85bc9afb6ad44f5e5

- Filesize 1KB
  MD5 1d9f1f070d915f50be448f30dd3c7781
  SHA1 1abc1ffd341a331b24aed44735485cdc233d60ad
  SHA256 bc1abe3f69f0c5c03558883eaacb6cb68f9d1476bd21c2b3161000f619f18d68
  SHA512 44950ae4313bef114a07eea07fa8ce437e6785a20d8ff920035a0246df040c5f094bf7ce0dead00bf9c3fecc7f0837cb49c0a40b5b2d7868e790c69f7dd5c029

- Filesize 132KB
  MD5 cfbb8568bd3711a97e6124c56fcfa8d9
  SHA1 d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57
  SHA256 7f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc
  SHA512 860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04

- Filesize 60B
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize 5.0MB (same hashes as the submitted sample Krnl_8.10.8_x64_en-US.msi)
  MD5 b837d10b9a71425dbf3d62b2cc59f447
  SHA1 85c9ba3331f7eb432c28365b0d1f36a201373a72
  SHA256 76c83d1bebd6b01bab76d9a94f223e1a3cf20f2040b8d58a12625074e2936f7c
  SHA512 f20999d19c470941c85912725d6f89c5073d475572ece92ce5b8e5425cdf012950f230c353870d86469ab6658bdc504abbb41260cb676f109551860433bcb405

- Filesize 24.1MB
  MD5 b2b83e016eebc35397dd31cff1d7d7a3
  SHA1 86fd480249ed116cf1627a118f6e96c07483472b
  SHA256 f93d4b6bfc95947c293ae82ada3edd1fdb739725e8926df4d924bfd035eaaecc
  SHA512 d2fe664914452b8ab31e6826b6e1b432dcf72d3e6ae3500d8f0c96cc1cdd1050c1a8c143a881d16ce23f7290ddefce46f35958dbd53a86227fbc36aa15ffb364

- \??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b3bea22c-084d-4025-a0c0-c9a4a130b8cd}_OnDiskSnapshotProp
  Filesize 6KB
  MD5 ae8ddd843ec88b10af200da9348154a2
  SHA1 cd9154eb5be8e5b1e8ae020fa4d7c9cbb9cd5b59
  SHA256 d2627c44080ebf0a6f6ffee16461ef5a85cacce0eaf07d7ca0e0871c658a31dd
  SHA512 ec14e67049671dfd4985cbd1c66c9773dc7e295a2ac82cc01a51c230472b96e0f751bd3f78e1f1e3677a44f0eb0f9eca5ae534029cc229ef2b31c53be1d43f0c