0db57d68f35e9206699e82c8bdaa4fdda6cccb09a21b854ada0aaf2b5a43626e

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JJSploit.exe
Size

9.9MB
MD5

7abcbbc815f738f0f699554a0d3fea67
SHA1

a7aa96670ca147440c277b8480b2bc9cc173ea3e
SHA256

0db57d68f35e9206699e82c8bdaa4fdda6cccb09a21b854ada0aaf2b5a43626e
SHA512

a9b93607bb45e794485874ac0111ff23b38e3700ca604ed754abd45c8f519775caf6d1ae7045a5c48559d22d3886ad31b6eba3d0c4e5710ee8c86b6424356b19
SSDEEP

196608:gpczcC0p5NzPa3wu24rzSIMeEFv2uL6gizSSGzEzq5PQJfQlDLruFLz1p2gVVR1S:MdC0p5NzOwu2im5tuyzCcPQax/Wz1zS

Score

10^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1016	powershell.exe
2352	powershell.exe
2552	powershell.exe
1016	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHRAJGDI\ImagePath = "C:\\ProgramData\\nalfdgwigwyg\\lhhsgwktkatl.exe"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2708	build.exe
2024	lhhsgwktkatl.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx	svchost.exe

Loads dropped DLL 11 IoCs

pid	Process
2756	JJSploit.exe
2756	JJSploit.exe
480	services.exe
480	services.exe
2964	MsiExec.exe
2064	msiexec.exe
2064	msiexec.exe
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
4	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2896	powercfg.exe
2888	powercfg.exe
1036	powercfg.exe
3052	powercfg.exe
1368	powercfg.exe
2268	powercfg.exe
2004	powercfg.exe
2792	powercfg.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\CatRoot2\edb.log	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe
File opened for modification	C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.chk	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2932	2708	build.exe	56
PID 2024 set thread context of 1324	2024	lhhsgwktkatl.exe	88
PID 2024 set thread context of 2632	2024	lhhsgwktkatl.exe	90
PID 2024 set thread context of 2508	2024	lhhsgwktkatl.exe	91

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\JJSploit\resources\luascripts\jailbreak\walkspeed.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\tptool.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\jailbreak\criminalesp.lua	msiexec.exe
File opened for modification	C:\Program Files\JJSploit\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\JJSploit\JJSploit.exe	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\infinitejump.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\animations\dab.lua	msiexec.exe
File created	C:\Program Files\JJSploit\Uninstall JJSploit.lnk	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\fly.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\animations\jumpland.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\magnetizeto.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\jailbreak\removewalls.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\animations\walkthrough.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\animations\levitate.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\jailbreak\policeesp.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\multidimensionalcharacter.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\god.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\noclip.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\teleportto.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\beesim\autodig.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\animations\energizegui.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\chattroll.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\aimbot.lua	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Installer\f779efd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f779efe.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1FA.tmp	msiexec.exe
File created	C:\Windows\Installer\{C62B7338-B484-48A1-AEB6-9AF4EF5E384B}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f779efd.msi	msiexec.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Installer\{C62B7338-B484-48A1-AEB6-9AF4EF5E384B}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\f779f00.msi	msiexec.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f779efe.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1156	sc.exe
788	sc.exe
2928	sc.exe
2392	sc.exe
1272	sc.exe
1796	sc.exe
332	sc.exe
916	sc.exe
2088	sc.exe
2184	sc.exe
2936	sc.exe
2796	sc.exe
1456	sc.exe
448	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JJSploit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 801eb099453bdb01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8337B26C484B1A84EA6BA94FFEE583B4\Environment = "MainProgram"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\Version = "134873102"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8337B26C484B1A84EA6BA94FFEE583B4\ShortcutsFeature = "MainProgram"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\ProductIcon = "C:\\Windows\\Installer\\{C62B7338-B484-48A1-AEB6-9AF4EF5E384B}\\ProductIcon"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA\8337B26C484B1A84EA6BA94FFEE583B4	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\PackageCode = "A18BDF92C7E95474E9D3DF8A68D823C3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8337B26C484B1A84EA6BA94FFEE583B4\External	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\8337B26C484B1A84EA6BA94FFEE583B4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\ProductName = "JJSploit"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\PackageName = "JJSploit.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8337B26C484B1A84EA6BA94FFEE583B4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8337B26C484B1A84EA6BA94FFEE583B4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8337B26C484B1A84EA6BA94FFEE583B4\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8337B26C484B1A84EA6BA94FFEE583B4\MainProgram	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2708	build.exe
2552	powershell.exe
2708	build.exe
2708	build.exe
2708	build.exe
2708	build.exe
2708	build.exe
2708	build.exe
2708	build.exe
2708	build.exe
2708	build.exe
2708	build.exe
2708	build.exe
2708	build.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
2708	build.exe
2932	dialer.exe
2932	dialer.exe
2708	build.exe
2708	build.exe
2932	dialer.exe
2932	dialer.exe
2024	lhhsgwktkatl.exe
2932	dialer.exe
2932	dialer.exe
2352	powershell.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
2932	dialer.exe
2024	lhhsgwktkatl.exe
2024	lhhsgwktkatl.exe
2024	lhhsgwktkatl.exe
2024	lhhsgwktkatl.exe
2024	lhhsgwktkatl.exe
2932	dialer.exe
2932	dialer.exe
2024	lhhsgwktkatl.exe
2024	lhhsgwktkatl.exe
2024	lhhsgwktkatl.exe
2024	lhhsgwktkatl.exe
2024	lhhsgwktkatl.exe
2024	lhhsgwktkatl.exe
2024	lhhsgwktkatl.exe
1324	dialer.exe
1324	dialer.exe
1324	dialer.exe
1324	dialer.exe
2024	lhhsgwktkatl.exe
1324	dialer.exe
1324	dialer.exe
1324	dialer.exe
1324	dialer.exe
1324	dialer.exe
1324	dialer.exe
1324	dialer.exe
1324	dialer.exe
1324	dialer.exe
1324	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	2064	msiexec.exe
Token: SeTakeOwnershipPrivilege	2064	msiexec.exe
Token: SeSecurityPrivilege	2064	msiexec.exe
Token: SeCreateTokenPrivilege	860	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	860	msiexec.exe
Token: SeLockMemoryPrivilege	860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	860	msiexec.exe
Token: SeMachineAccountPrivilege	860	msiexec.exe
Token: SeTcbPrivilege	860	msiexec.exe
Token: SeSecurityPrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeLoadDriverPrivilege	860	msiexec.exe
Token: SeSystemProfilePrivilege	860	msiexec.exe
Token: SeSystemtimePrivilege	860	msiexec.exe
Token: SeProfSingleProcessPrivilege	860	msiexec.exe
Token: SeIncBasePriorityPrivilege	860	msiexec.exe
Token: SeCreatePagefilePrivilege	860	msiexec.exe
Token: SeCreatePermanentPrivilege	860	msiexec.exe
Token: SeBackupPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeShutdownPrivilege	860	msiexec.exe
Token: SeDebugPrivilege	860	msiexec.exe
Token: SeAuditPrivilege	860	msiexec.exe
Token: SeSystemEnvironmentPrivilege	860	msiexec.exe
Token: SeChangeNotifyPrivilege	860	msiexec.exe
Token: SeRemoteShutdownPrivilege	860	msiexec.exe
Token: SeUndockPrivilege	860	msiexec.exe
Token: SeSyncAgentPrivilege	860	msiexec.exe
Token: SeEnableDelegationPrivilege	860	msiexec.exe
Token: SeManageVolumePrivilege	860	msiexec.exe
Token: SeImpersonatePrivilege	860	msiexec.exe
Token: SeCreateGlobalPrivilege	860	msiexec.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2708	build.exe
Token: SeDebugPrivilege	2932	dialer.exe
Token: SeShutdownPrivilege	1036	powercfg.exe
Token: SeShutdownPrivilege	2792	powercfg.exe
Token: SeShutdownPrivilege	2896	powercfg.exe
Token: SeShutdownPrivilege	2888	powercfg.exe
Token: SeAuditPrivilege	876	svchost.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2024	lhhsgwktkatl.exe
Token: SeDebugPrivilege	1324	dialer.exe
Token: SeShutdownPrivilege	2268	powercfg.exe
Token: SeShutdownPrivilege	3052	powercfg.exe
Token: SeShutdownPrivilege	2004	powercfg.exe
Token: SeShutdownPrivilege	1368	powercfg.exe
Token: SeLockMemoryPrivilege	2508	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
860	msiexec.exe
1188	Explorer.EXE
860	msiexec.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1188	Explorer.EXE
1188	Explorer.EXE
1188	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2708	2756	JJSploit.exe	30
PID 2756 wrote to memory of 2708	2756	JJSploit.exe	30
PID 2756 wrote to memory of 2708	2756	JJSploit.exe	30
PID 2756 wrote to memory of 2708	2756	JJSploit.exe	30
PID 2756 wrote to memory of 860	2756	JJSploit.exe	31
PID 2756 wrote to memory of 860	2756	JJSploit.exe	31
PID 2756 wrote to memory of 860	2756	JJSploit.exe	31
PID 2756 wrote to memory of 860	2756	JJSploit.exe	31
PID 2756 wrote to memory of 860	2756	JJSploit.exe	31
PID 2756 wrote to memory of 860	2756	JJSploit.exe	31
PID 2756 wrote to memory of 860	2756	JJSploit.exe	31
PID 2232 wrote to memory of 1296	2232	cmd.exe	39
PID 2232 wrote to memory of 1296	2232	cmd.exe	39
PID 2232 wrote to memory of 1296	2232	cmd.exe	39
PID 2708 wrote to memory of 2932	2708	build.exe	56
PID 2708 wrote to memory of 2932	2708	build.exe	56
PID 2708 wrote to memory of 2932	2708	build.exe	56
PID 2708 wrote to memory of 2932	2708	build.exe	56
PID 2708 wrote to memory of 2932	2708	build.exe	56
PID 2708 wrote to memory of 2932	2708	build.exe	56
PID 2708 wrote to memory of 2932	2708	build.exe	56
PID 2932 wrote to memory of 432	2932	dialer.exe	5
PID 2932 wrote to memory of 480	2932	dialer.exe	6
PID 2932 wrote to memory of 488	2932	dialer.exe	7
PID 2932 wrote to memory of 496	2932	dialer.exe	8
PID 2932 wrote to memory of 604	2932	dialer.exe	9
PID 2932 wrote to memory of 680	2932	dialer.exe	10
PID 2932 wrote to memory of 760	2932	dialer.exe	11
PID 2932 wrote to memory of 828	2932	dialer.exe	12
PID 2932 wrote to memory of 876	2932	dialer.exe	13
PID 2932 wrote to memory of 980	2932	dialer.exe	15
PID 2932 wrote to memory of 268	2932	dialer.exe	16
PID 2932 wrote to memory of 380	2932	dialer.exe	17
PID 2932 wrote to memory of 1076	2932	dialer.exe	18
PID 2932 wrote to memory of 1116	2932	dialer.exe	19
PID 2932 wrote to memory of 1164	2932	dialer.exe	20
PID 2932 wrote to memory of 1188	2932	dialer.exe	21
PID 2932 wrote to memory of 1640	2932	dialer.exe	23
PID 2932 wrote to memory of 1260	2932	dialer.exe	24
PID 2932 wrote to memory of 1664	2932	dialer.exe	25
PID 2932 wrote to memory of 1804	2932	dialer.exe	26
PID 2932 wrote to memory of 2188	2932	dialer.exe	27
PID 2932 wrote to memory of 2708	2932	dialer.exe	30
PID 2932 wrote to memory of 2064	2932	dialer.exe	32
PID 2932 wrote to memory of 2792	2932	dialer.exe	48
PID 2932 wrote to memory of 1036	2932	dialer.exe	49
PID 2932 wrote to memory of 2888	2932	dialer.exe	50
PID 2932 wrote to memory of 2896	2932	dialer.exe	51
PID 2932 wrote to memory of 2860	2932	dialer.exe	52
PID 2932 wrote to memory of 692	2932	dialer.exe	53
PID 2932 wrote to memory of 2884	2932	dialer.exe	54
PID 2932 wrote to memory of 2920	2932	dialer.exe	55
PID 2932 wrote to memory of 2928	2932	dialer.exe	57
PID 2932 wrote to memory of 1272	2932	dialer.exe	59
PID 2932 wrote to memory of 2252	2932	dialer.exe	60
PID 2932 wrote to memory of 2796	2932	dialer.exe	61
PID 2932 wrote to memory of 1796	2932	dialer.exe	62
PID 2932 wrote to memory of 824	2932	dialer.exe	63
PID 2932 wrote to memory of 1588	2932	dialer.exe	64
PID 480 wrote to memory of 2024	480	services.exe	65
PID 480 wrote to memory of 2024	480	services.exe	65
PID 480 wrote to memory of 2024	480	services.exe	65
PID 2932 wrote to memory of 2024	2932	dialer.exe	65
PID 2932 wrote to memory of 2024	2932	dialer.exe	65

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  - Drops file in Windows directory
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1640
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1664
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:1088
- - C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000584" "00000000000004BC"
    3⤵
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:1864
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    3⤵
    PID:2612
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:2736
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:760
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:828
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1164
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:980
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  - Drops file in System32 directory
  PID:268
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:380
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1076
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1260
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1804
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2188
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- - C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding C1A7D947DF18575951F30E3C1B86ADA7 C
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    PID:1016
- C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
  C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1940
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1016
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1456
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2088
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:332
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2392
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:916
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2632
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  2⤵
  PID:2276
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k swprv
  2⤵
  PID:2684

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1188
- C:\Users\Admin\AppData\Local\Temp\JJSploit.exe
  "C:\Users\Admin\AppData\Local\Temp\JJSploit.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:1296
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:448
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1156
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2184
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:788
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2936
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2792
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1036
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2888
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2896
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2932
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "QHRAJGDI"
      4⤵
      Launches sc.exe
      PID:2928
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1272
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2796
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "QHRAJGDI"
      4⤵
      Launches sc.exe
      PID:1796
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\JJSploit.msi"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1384615036152282083317954631781650832040-18549853431371796476-19257095381742518020"
1⤵
PID:2860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1069422003-2599394415985918542133281755-1839939868336807063-581047667649137030"
1⤵
PID:692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1868262397-1264856431-1514135906-818665482-9790574301932277060-1209197542-905016669"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-80593216179348381370035858-478104227-149422444812310671641166786326644332509"
1⤵
PID:2920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "553617242460687711-421215718-1711171290-10958354322115970598948314838-522772614"
1⤵
PID:2252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "555179243-5699495833919385-1406855162-316037169-2060133564913393731281129427"
1⤵
PID:824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11179020631460198920-1392155918-51466306820768335971893624486-17129050541539910461"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "797815852-1537290554-992225767-615955664-251015746-1611787439279752146-1819309366"
1⤵
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "846760896-1587136066-741898664940569091-612895642-586383597-805721135837744643"
1⤵
PID:1584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9536471402431176291475649130-432253863-1505525346-10689785021097063522-1983419427"
1⤵
PID:2404

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19106752965100014262091256221-1828775195-986065237751543280184744983456335973"
1⤵
PID:2688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1513345932-6493572781573567614211870676216321979321362976622226621541-1400749725"
1⤵
PID:1308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1902709492773421291-1974889325-744810650-68517793-1577399323-118047410-1203148752"
1⤵
PID:1724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1444969937-1794119495-1171371435-11656763242084412921732300264-1065231094-76342533"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1752236384-369794889-6277453301856459392-720774687-1149512280-15717810682040082626"
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JJSploit\JJSploit.lnk

Filesize
1KB

MD5
d0753e3ef27ee37d13ac625bf2ed239a

SHA1
af176dfa6cd92e339b3134821066587e55538b57

SHA256
5ceba40e0dee69b15618bb49645b64aab55f591d7695a64f4a79ab89a0b95fef

SHA512
f01c7ac8669aa8f4fe91895cc15dbe016be257f0512acd47e953e29d43fdcbdf31ef82bc1cf57abf8a84d8957143bb7c7f245dbbc4c28732d9fbc99d822007a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJSploit.msi

Filesize
5.0MB

MD5
9a5e4420fd429b7444e7f02b2b52d0bc

SHA1
056e5ac7ef1334698f4337435985a2d6a52ae059

SHA256
44ef9c095fdc078cad8648bc9ec75f744d2c72229ee427eac65fbc1859e57172

SHA512
7728f89d67bf145106d7c86dd7a1ad27aac74898210bd86d944d7a9111c41fb3df1ab2acab5a4d5bd9cf1a6dd66d9b460368c7994bfbe8807e4c21ae142f8f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI229E.tmp

Filesize
132KB

MD5
cfbb8568bd3711a97e6124c56fcfa8d9

SHA1
d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57

SHA256
7f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc

SHA512
860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
310f965d98ad736dbfb237114f7ef243

SHA1
54e9198edd969f803d0e47e5007db9a6058d215a

SHA256
3695c39757f0df49f49f7468df3e4da6e46e4eef408ab6cc55ef3f09801fbaad

SHA512
7715f2db26589d36b7e91d21851c054cdbe404a5bc991226af339e45fad0b6f1a7707be0c3845a141e512b3a8d0ea85ef1fae95941b9521a8849a114076b73da

Download Submit
C:\Users\Public\Desktop\JJSploit.lnk

Filesize
930B

MD5
3e877b0a50438d69623539df9250b46c

SHA1
483a09434e724ea4395edc37711488f15b1a9b6c

SHA256
f05ed2b3b30a9bceb65f19e211c7ad3417ec1e1a5ffc7d078028d05b7f3062d6

SHA512
2a2678046ab6f80d011c2477ee3616815b5707e6cf13310ef744a64dcf0fe0bcab46cdb75964494d03bb46546b581e296b0842c64ef7a496cab60889ea9f54ed

Download Submit
C:\Windows\System32\catroot2\edb.chk

Filesize
8KB

MD5
f1383d6a71c7adab4716258a10f7d22c

SHA1
e615a4126bbe3423b6b160516d7d6c0474ec849e

SHA256
a3aeb5a0e83e5e98a608879d12818fdb3e20e092ef662799723cb3170f504d58

SHA512
add425d9cc7f4b776a7a79f86c8960601b29d58d185a30dee519d28f9a479638d4e169b70fb21fc1619fc6b66328c8b37a5f4c6af4f8218cfd930fd756f89c24

Download Submit
C:\Windows\System32\catroot2\edb.log

Filesize
64KB

MD5
c20a26429785c0296a7ce87a9a1a4016

SHA1
b4afafffd7c481e20326264aa1001bbb7944a0da

SHA256
f7e4bf5f8eb63cd8efb2a283f318b1513ed4e70cb9f90898a4540cde40546af6

SHA512
d424870f5c89ac0c5de5b08186c97b6cf108fa6325b5aa3c8638d931c91c64801339fbc75f87ee47fd98b98bb08a5f3896d03b567da61286a1e52372c6d8512c

Download Submit
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb

Filesize
1.0MB

MD5
92f3b4e0dc2ff8c0b50a0db34bad14f0

SHA1
66aeebcdacf18e34b5199a3374aec05ccc2c2f47

SHA256
1a875aa65bbe3f35c036f77fbefc3c65c90a1903c387eba06fe489f636995dcf

SHA512
1b9bf2522dd401fe65eb5da09a9f6413f7621b02c3c145af75aefcfd50120c62f27d8fdc67a59377090a113c4d39073f5d4dc0407347aaef59577b02876639bf

Download Submit
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

Filesize
40.8MB

MD5
72e64d1a28a04068b3a8abd03e59d02f

SHA1
0c000351f438dd949529737d1e35e1a4c7e46191

SHA256
94dd9a3c01addcb8b2c98faec42a46562b26f21c1bd7962f23965a9d23f6ba24

SHA512
cb0c59f1234c4a76e27a6133394f7da1256c5da5257549ec2a6dd63215ab806ad743df551ed72bb518c4ceab1d1608bfce92c87a3e66b8c5d0f7b9ea27e9389a

Download Submit
\Program Files\JJSploit\JJSploit.exe

Filesize
9.7MB

MD5
281a79abb33f10b3f9c6c40c0e165cc3

SHA1
ea7bd361ca528f02f0f95c376d844af98105e218

SHA256
30f840be1b9249d22c6bdc943d6901ee8723284770be1b7e18ea12a844d91f77

SHA512
2f6deba4a2cdba68820dc8a47f20253107a3420a18cf3f0995fa12b434afe41fa6213d392cab2826517b4cf8cf59fceb2083f855531daf9310128754dab7ea1b

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
5.3MB

MD5
8d24ade8e0cabd7090846c338765f394

SHA1
9a2b48b71640963e100a79cc2f4636d7e59a1c58

SHA256
9e2ce4a25866f23aa4e845c19a3239689b9e123c7722381c78067e92e66a5c2d

SHA512
f936274b3cc132e082ca8b74c14f55ff5eb7e114b9086e4e2f73736258172606256ef9548e8ab3aeccb1e53e0118f3738337f0350a7f9713dec68e36342e14bd

Download Submit
memory/432-34-0x000007FEBF620000-0x000007FEBF630000-memory.dmp

Filesize
64KB

Download
memory/432-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/432-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/432-35-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/432-33-0x0000000000C30000-0x0000000000C5B000-memory.dmp

Filesize
172KB

Download
memory/480-76-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/480-75-0x000007FEBF620000-0x000007FEBF630000-memory.dmp

Filesize
64KB

Download
memory/480-40-0x0000000000CE0000-0x0000000000D0B000-memory.dmp

Filesize
172KB

Download
memory/488-79-0x0000000037420000-0x0000000037430000-memory.dmp

Filesize
64KB

Download
memory/488-44-0x0000000000B10000-0x0000000000B3B000-memory.dmp

Filesize
172KB

Download
memory/488-78-0x000007FEBF620000-0x000007FEBF630000-memory.dmp

Filesize
64KB

Download
memory/1016-745-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1016-744-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2352-323-0x000000001A030000-0x000000001A312000-memory.dmp

Filesize
2.9MB

Download
memory/2352-324-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2552-18-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2552-17-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2932-27-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2932-25-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download
memory/2932-21-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2932-22-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2932-26-0x00000000772C0000-0x00000000773DF000-memory.dmp

Filesize
1.1MB

Download
memory/2932-20-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2932-24-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2932-19-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download