Analysis
-
max time kernel
126s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
29-06-2024 17:13
General
-
Target
Burpy-main/Windows_setup.ps1
-
Size
4KB
-
MD5
74f29e4d8a32cc05bcf2c178776bd474
-
SHA1
d12b722495c870c3d14f0bf63bea982327aab47b
-
SHA256
8425f0551e0370598a2971d6d1643ea66a46120e0091bc780cd4f2796dd1b0ba
-
SHA512
57ebd2f8389e093d6253a13c5b55d311e890f80c998cd44d177711ebafe878c734db42b7603db2f308c9f57415ba7d885db23540ab9f8ba649f8966cfc017f7d
-
SSDEEP
96:HBDJa7Cc0SN5Hghz2P02RuPUeLbk7lfPQ5P02RutZn:dj7SjAhGeLMlnQLsZn
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 40 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 34 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 14 IoCs
-
Modifies registry class 35 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Burpy-main\Windows_setup.ps11⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Burpy-main\jdk-19.exe"C:\Users\Admin\AppData\Local\Temp\Burpy-main\jdk-19.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jds240625390.tmp\jdk-19.exe"C:\Users\Admin\AppData\Local\Temp\jds240625390.tmp\jdk-19.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk19.0.2_x64\jdk19.0.264.msi" WRAPPER=14⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Common Files\Oracle\Java\javapath\java.exe"C:\Program Files\Common Files\Oracle\Java\javapath\java.exe" -jar New-loader.jar2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jdk-19\bin\java.exe"C:\Program Files\Java\jdk-19\bin\java.exe" -jar New-loader.jar3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Common Files\Oracle\Java\javapath\java.exe"C:\Program Files\Common Files\Oracle\Java\javapath\java.exe" --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED -javaagent:New-loader.jar -noverify -jar burpsuite_pro.jar2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jdk-19\bin\java.exe"C:\Program Files\Java\jdk-19\bin\java.exe" --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED --add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED -javaagent:New-loader.jar -noverify -jar burpsuite_pro.jar3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 31C8DF051237712B10A1E08D38249F80 C2⤵
- Loads dropped DLL
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 480E49546A7808D2BD7191B708E505062⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 2691E32491690FA22791D931520810B5 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e5807fb.rbsFilesize
10KB
MD52c46315d44449fc432d55619bbdcb6cc
SHA16104b71ff3c95e97186528c155b5a597bd543406
SHA2562c948c6ee6689e4c1ce712cb2e81ffc390168fdcd5489ab59c9a9631bbaa919d
SHA5126da4af621779ba932c13f396a3b249d30ce3271c9b66b8d238d49d727b7c2f6baa0d494b725ccd6cfc5b5ff062c09145fbaa6f4fe251133bb9198635896cfb73
-
C:\Program Files\Java\jdk-19\LICENSEFilesize
6KB
MD57369866495acb2d7e57397f06a3ab0ba
SHA1e75e828ba2898c74b4a682ce5291a69acf9cc55a
SHA2564d156eecbf6ca462d8cf772552fff874b167f87def9566837fb8e4fb347f29a5
SHA5126c1ae5229953259a258bf140241afa9dc50b642dbb5a11c183c8920678292266aecc26dd1254c3ce9184fe08c3068e2183a694a9a06f5972cc535015461ff825
-
C:\Program Files\Java\jdk-19\bin\windowsaccessbridge-64.dllFilesize
71KB
MD5d0f2ded56013e0f7beff01e7955d980c
SHA12c27d8f6bffa6ee538a43daba9cb0fac07abb146
SHA2560a6b0bca5086994476cac894dc945eee43ede4e2f266435b5c812db54fec06f9
SHA51219803c8222f3923d2813187198e79a4d8f35622694a3a36a5c5f43f9cde397f8fdfdd54293dd909897dd56712befe51263cbeb21afb8a390c01410fe0446ff74
-
C:\Program Files\Java\jdk-19\legal\java.logging\COPYRIGHTFilesize
35B
MD54586c3797f538d41b7b2e30e8afebbc9
SHA13419ebac878fa53a9f0ff1617045ddaafb43dce0
SHA2567afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
SHA512f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3
-
C:\Program Files\Java\jdk-19\legal\java.logging\LICENSEFilesize
33B
MD516989bab922811e28b64ac30449a5d05
SHA151ab20e8c19ee570bf6c496ec7346b7cf17bd04a
SHA25686e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
SHA51286571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63Filesize
727B
MD58c4490bfed0c55aad8293c94b0798275
SHA102520f22bba6701cba5b08c8010cb3d6437b9c5e
SHA25693b6267ebf74cfb0aa57ef3380931f530f6a36c5f2f7df673fbe259cb8a2f01a
SHA5125674de30201161d51b50ff697a2443b8f2363f60d34cb2e488100087c8b548cc4b8b2412516512d30ae3814cc18e71a876c9b07b0e0ad59d02871af55ac964c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4E75C8005B53AA371E24DB28B7200E63Filesize
404B
MD5f1cf94bebc863875ddfae91cc46ac7ab
SHA1018ebaa0d665edb5b3ac6901b96786b3ecef8192
SHA256a23d76d7aec5f9832bbcd9eb8e9bfbf89c6cad00bd566176f29604787d18afc8
SHA5123f66f7d242879e4ca1a6770388d8f220e7928581de372ed30b9aae41e1c682b49525947c1c265904f0450d4b4b8e2fd1e914b36b022794d654c88f201e045766
-
C:\Users\Admin\AppData\Local\Temp\JavaLauncher.logFilesize
1KB
MD5fe68e8d1bd0089533d36b5c34c4557c0
SHA10f3336d65d90224b5a6b73acc78e4ccffcb495ad
SHA256b34819e94ccceab4006afde60438a1059c09914db563b3c486348ad8b03772e3
SHA512db3f049768ab92a5df7fb761a6215a16b815986fcbf78a2882644c5eb8ffcb2f3fe98c42ec10c3bf11a113705d60f22cd3ae77ac1b254de6e157d0d13e4a2207
-
C:\Users\Admin\AppData\Local\Temp\JavaLauncher.logFilesize
3KB
MD50074575066943ea1bcc85321e49e4049
SHA190791984351480950320f31b035ab17fbce02e5f
SHA256369c152268d4075a533407860505c9d029805ac2629b84aa84d0aefbe04e2c1e
SHA5126de3400ba0a38d5d6869add3217d9ace983f0acb3d5ace5fc9519b28598f58399d6eb1e900f39451a2d754720a717e2f6e632d48d8824f8afe792d21dca14dc3
-
C:\Users\Admin\AppData\Local\Temp\JavaLauncher.logFilesize
4KB
MD54cecfd7fef407cf2482bff15beed8e4b
SHA1d99b44dc282f9458eab50d9c2b2b6d10c70c9026
SHA25613c8534c523aa4f912ca22b329f18b1df248c743505074d000ec59e2e650e547
SHA512e66d880727011e2cf7683738e2a88c2fc1abe966ac0d13db00f88e8c0c59a724db802a689ca19f9cfc644c49e97571eeea0ebe725edb02dd44e6e8135fb33e58
-
C:\Users\Admin\AppData\Local\Temp\MSIB6DC.tmpFilesize
894KB
MD5d849eed8fef39365cb0987f2c3d1c26f
SHA125ad42230ba2d0f163649f560ec09250d60f263c
SHA2569ffced196504a78813600ad96108f45ed4667c13dc0ea545b0444d923b871650
SHA5128b418c1f71c6d9b8c922d1634258132a0cc280ff90272b042cbfcea67c8576bb8db38a595fe27d65e90275d9e5d52c8dd5bbdff52e71c5d5f7e576685352184b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_soc2mfzr.gvy.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
309KB
MD530913a952586800916d6a591c05069f1
SHA12b76940dc107bf7a093c60fa45fa5514f5c02bea
SHA256d227f2f58a898f27ed47818fc83d4851659146491cc30228e368ebc762b58e8c
SHA51271f0cd94bc59d7d6ed61711ecc7527d03d527e3073e9861445d118caf4443aa0f76849006661634926a3e7cba32508b0e6d0b4516cddb43791f77b99951320d3
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
313KB
MD5d85baccf3add1c404f8d30ba284c5fe4
SHA1a3183d1f96742058503a3ada2953f36c97272834
SHA25675e72823c8e8bd2e6af57a3e7a3dcc481412ff3bbc2a67ab2a368233aeb32825
SHA51234a8b7a9311ba03142cf87ac97df7ff32ca77b3bb6f3557a384785dcfda1bb865cbe1d16e04988275648c91c0021595c65f752ae2a5baeb0fa025dd720da4b57
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
314KB
MD5ae46cafe672175bd3afbe8b7429de45e
SHA188b9af10c737e698cbcdfadc29c38c2fc1a94a84
SHA25697ed9a8db17275b9d2104d02a9da3d6f3bc63226d1011f2c547039676f813e4f
SHA5124c4e196cf16dd46a8688f2877ec88b1d3b25d925dbf8c2b0b83e8e4a2e092ce49558c8db1502e7fe60e367a960dc48d007dc7e5749d6f80fa5450b47ca9db4c3
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
296KB
MD55179c3d3e17d3d3975f24b06dd0d8ea3
SHA178aa176a93556d30a55d4471fdb518c26543a832
SHA2563c05bc2cac7afc497531dc1cb068d947e6af1a496a5a931b787d7a8a76d46b36
SHA51292a8a969a39db7559cd6ba46e80f6e3d39328ed6c05f16dbbb7097713822d45eec42d21ba09233996573f2a8c617c38f13ceba65656e59a4e0dcf57466826ef5
-
C:\Users\Admin\AppData\Local\Temp\jusched.logFilesize
302KB
MD58daec50c08a0be5d3fa75b54e6e5cfe8
SHA1a9a2b7568f1c4ffe6ba1448333bd18e3514a0ca5
SHA256c6ddffc17613426f7d783af8b241a7f6df5b66d4fd6a613867d6ade68b719515
SHA5128ec4d50b97f2522fbe0e0986125e4adee623196ebee44d9ac04a9890278acb7cd58ec9a6ab9656c9884d3d76b559ee5739f5ddaa49829571ddf6a0b32d3ee157
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.7MB
MD5632d49aeee73014f9b3750c48335dab7
SHA11d6d680f2ded524095b8cfdbfe8c54aa4cc37639
SHA2564b4f6b573be265ef4752c101429fe3366e45c9ea9c01c36a456db8a1b377670d
SHA512847926ea2260e8db554699a898109fc27a9d1cfbcb8261c578e125ad98d07447cf343d1c5a5e0dd546c5d437433cb09a19c69b738ee4903a649cb6549d431c7f
-
\??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{11936229-61f0-4fb3-b5d1-323cc8dbb547}_OnDiskSnapshotPropFilesize
6KB
MD5937dddee0e58d38d5ecef9b71e97a78d
SHA1cec08947553e57e3673d1327309b1d8746998bf4
SHA2562c752915bed704e8e87f4898e15fe86638b30b5e5584c05dbbf82df87f4509a8
SHA51271a537f3087aa5712e91ca458d559454d96600a16a527e60054c3432c868da8d746e195e2bc538af6f9ace07d01dd5c4752f2b2e55bafa989cb25dd1347bc720
-
memory/3136-127-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmpFilesize
10.8MB
-
memory/3136-126-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmpFilesize
8KB
-
memory/3136-99-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmpFilesize
10.8MB
-
memory/3136-0-0x00007FFFF3A33000-0x00007FFFF3A35000-memory.dmpFilesize
8KB
-
memory/3136-12-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmpFilesize
10.8MB
-
memory/3136-11-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmpFilesize
10.8MB
-
memory/3136-3-0x000001C37D6F0000-0x000001C37D712000-memory.dmpFilesize
136KB
-
memory/3136-955-0x00007FFFF3A30000-0x00007FFFF44F1000-memory.dmpFilesize
10.8MB