Overview
overview
10Static
static
3__x64___se...ep.dll
windows10-2004-x64
1__x64___se...fm.dll
windows10-2004-x64
1__x64___se...sh.dll
windows10-2004-x64
1__x64___se...is.dll
windows10-2004-x64
1__x64___se...is.dll
windows10-2004-x64
1__x64___se...er.dll
windows10-2004-x64
1__x64___se...it.dll
windows10-2004-x64
1__x64___se...ui.dll
windows10-2004-x64
1__x64___se...el.dll
windows10-2004-x64
1__x64___se...nd.dll
windows10-2004-x64
1__x64___se...eg.dll
windows10-2004-x64
1__x64___se...vc.dll
windows10-2004-x64
1__x64___se...ip.dll
windows10-2004-x64
8__x64___se...or.dll
windows10-2004-x64
1__x64___se...um.dll
windows10-2004-x64
1__x64___se...ui.dll
windows10-2004-x64
1__x64___se...up.msi
windows7-x64
6__x64___se...up.msi
windows10-2004-x64
10__x64___se...PS.dll
windows10-2004-x64
1__x64___se...pi.dll
windows10-2004-x64
1__x64___se...vc.dll
windows10-2004-x64
1__x64___se...ge.dll
windows10-2004-x64
1Analysis
-
max time kernel
119s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16-06-2024 01:15
Static task
static1
Behavioral task
behavioral1
Sample
__x64___setup___x32__/TapiSysprep/TapiSysprep.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
__x64___setup___x32__/TapiSysprep/netprofm.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
__x64___setup___x32__/TapiSysprep/rpcnsh.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
__x64___setup___x32__/TapiSysprep/socialapis.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
__x64___setup___x32__/acledit/BluetoothApis.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
__x64___setup___x32__/acledit/DevDispItemProvider.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
__x64___setup___x32__/acledit/acledit.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
__x64___setup___x32__/acledit/printui.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
__x64___setup___x32__/dsreg/dcntel.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral10
Sample
__x64___setup___x32__/dsreg/dsound.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
__x64___setup___x32__/dsreg/dsreg.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral12
Sample
__x64___setup___x32__/dsreg/sensrsvc.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral13
Sample
__x64___setup___x32__/pcwum/AppxSip.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
__x64___setup___x32__/pcwum/asferror.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral15
Sample
__x64___setup___x32__/pcwum/pcwum.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
__x64___setup___x32__/pcwum/pdhui.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
__x64___setup___x32__/setup.msi
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
__x64___setup___x32__/setup.msi
Resource
win10v2004-20240611-en
Behavioral task
behavioral19
Sample
__x64___setup___x32__/wcimage/SEMgrPS.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
__x64___setup___x32__/wcimage/SensorsApi.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral21
Sample
__x64___setup___x32__/wcimage/netprofmsvc.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral22
Sample
__x64___setup___x32__/wcimage/wcimage.dll
Resource
win10v2004-20240226-en
General
-
Target
__x64___setup___x32__/setup.msi
-
Size
24.5MB
-
MD5
0bd85ea206276e8e5d6ea143c5cb8330
-
SHA1
75079d986324ff1d4150bf00fd10ea73f43d0a76
-
SHA256
8bd23057abb6865b761ae9719ea6a66ce97d70225abab2d7b2ddce84e35ca602
-
SHA512
6ac02552c727394ed9036d5015f8a6652619f9fab7ac8e06ccf5bb301580143e4c24477722cfa8ac7e5082b298e3d8ee72b04a14fbe9ee454a120ba58baf0192
-
SSDEEP
786432:zDMcQi4FgSUZGaQ5MHnPa4lJQJU8P8uBsTaxsn:zDMQ4KMaQqvu04On
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Windows directory 11 IoCs
Processes:
msiexec.exedescription ioc process File opened for modification C:\Windows\Installer\f7632c4.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI4158.tmp msiexec.exe File opened for modification C:\Windows\Installer\f7632c7.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI3778.tmp msiexec.exe File created C:\Windows\Installer\f7632c7.ipi msiexec.exe File created C:\Windows\Installer\f7632c9.msi msiexec.exe File created C:\Windows\Installer\f7632c4.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI337F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3563.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI364E.tmp msiexec.exe -
Loads dropped DLL 4 IoCs
Processes:
MsiExec.exepid process 2108 MsiExec.exe 2108 MsiExec.exe 2108 MsiExec.exe 2108 MsiExec.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exemsiexec.exepid process 2064 powershell.exe 1068 msiexec.exe 1068 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exepowershell.exedescription pid process Token: SeShutdownPrivilege 1096 msiexec.exe Token: SeIncreaseQuotaPrivilege 1096 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeSecurityPrivilege 1068 msiexec.exe Token: SeCreateTokenPrivilege 1096 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1096 msiexec.exe Token: SeLockMemoryPrivilege 1096 msiexec.exe Token: SeIncreaseQuotaPrivilege 1096 msiexec.exe Token: SeMachineAccountPrivilege 1096 msiexec.exe Token: SeTcbPrivilege 1096 msiexec.exe Token: SeSecurityPrivilege 1096 msiexec.exe Token: SeTakeOwnershipPrivilege 1096 msiexec.exe Token: SeLoadDriverPrivilege 1096 msiexec.exe Token: SeSystemProfilePrivilege 1096 msiexec.exe Token: SeSystemtimePrivilege 1096 msiexec.exe Token: SeProfSingleProcessPrivilege 1096 msiexec.exe Token: SeIncBasePriorityPrivilege 1096 msiexec.exe Token: SeCreatePagefilePrivilege 1096 msiexec.exe Token: SeCreatePermanentPrivilege 1096 msiexec.exe Token: SeBackupPrivilege 1096 msiexec.exe Token: SeRestorePrivilege 1096 msiexec.exe Token: SeShutdownPrivilege 1096 msiexec.exe Token: SeDebugPrivilege 1096 msiexec.exe Token: SeAuditPrivilege 1096 msiexec.exe Token: SeSystemEnvironmentPrivilege 1096 msiexec.exe Token: SeChangeNotifyPrivilege 1096 msiexec.exe Token: SeRemoteShutdownPrivilege 1096 msiexec.exe Token: SeUndockPrivilege 1096 msiexec.exe Token: SeSyncAgentPrivilege 1096 msiexec.exe Token: SeEnableDelegationPrivilege 1096 msiexec.exe Token: SeManageVolumePrivilege 1096 msiexec.exe Token: SeImpersonatePrivilege 1096 msiexec.exe Token: SeCreateGlobalPrivilege 1096 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeDebugPrivilege 2064 powershell.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe Token: SeTakeOwnershipPrivilege 1068 msiexec.exe Token: SeRestorePrivilege 1068 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 1096 msiexec.exe 1096 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exeMsiExec.exedescription pid process target process PID 1068 wrote to memory of 2108 1068 msiexec.exe MsiExec.exe PID 1068 wrote to memory of 2108 1068 msiexec.exe MsiExec.exe PID 1068 wrote to memory of 2108 1068 msiexec.exe MsiExec.exe PID 1068 wrote to memory of 2108 1068 msiexec.exe MsiExec.exe PID 1068 wrote to memory of 2108 1068 msiexec.exe MsiExec.exe PID 1068 wrote to memory of 2108 1068 msiexec.exe MsiExec.exe PID 1068 wrote to memory of 2108 1068 msiexec.exe MsiExec.exe PID 2108 wrote to memory of 2064 2108 MsiExec.exe powershell.exe PID 2108 wrote to memory of 2064 2108 MsiExec.exe powershell.exe PID 2108 wrote to memory of 2064 2108 MsiExec.exe powershell.exe PID 2108 wrote to memory of 2064 2108 MsiExec.exe powershell.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\__x64___setup___x32__\setup.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A3A03405AD1B1AA1530EDEDCDC00AD152⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss38CF.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi38CC.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr38CD.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr38CE.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\f7632c8.rbsFilesize
21KB
MD5b950b6a0c62b786b2adc4b67ce33fe31
SHA176f3eeb5779ff2c0ec85a562b3f68f4ef15e6f2a
SHA256485f60121a30abe5d7290c18ea46e4805151b571126bae2d2d4041ed748ade00
SHA51235e84ecae7dc19ac66b7bf7f5bcd7f9c1a8d3b7317cb361a3c25afab820689b4ad53f6b6d46d51bd0e05f624e486d1b7bfb189c450441df7d31f2abe10678005
-
C:\Users\Admin\AppData\Local\Temp\msi38CC.txtFilesize
54B
MD59f5bffbb1f8f8340bf45e22a09517ee1
SHA1a5566c63b3681cd56e3b76ed528449ca33a36cc6
SHA2564ca8664da66ad8c90ce03725f92bf7571cf86a290a9ec4a073dad293a60836ef
SHA5128b1b1d13de5aee1748428ffe1ee6131a63e819df8dd42088b7d581ff957adb30e12ba3637e00fac7d7b5aa71a5e35ce09f52772d38f1c441adb19e5e2cd05423
-
C:\Users\Admin\AppData\Local\Temp\pss38CF.ps1Filesize
6KB
MD530c30ef2cb47e35101d13402b5661179
SHA125696b2aab86a9233f19017539e2dd83b2f75d4e
SHA25653094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458
-
C:\Users\Admin\AppData\Local\Temp\scr38CD.ps1Filesize
682B
MD5b32210f90a3fbfd1ef15caee45ebc871
SHA191deac74edcf1e6b4c3a81fa322ac76867075c62
SHA256c2aaabc2c09034d97d1ee67d912f25fe5f966539ea19624f062ece0a5aad606b
SHA5127b86aaa400b9f3b73720e99d1ae2f7ef3c4f23a7076b33545cdce6b34a003323fa05203193b1127f0bf25d718fe8d4f81ab282df04ba433dc1219e3f9ba4698b
-
C:\Windows\Installer\MSI3778.tmpFilesize
758KB
MD5fb4665320c9da54598321c59cc5ed623
SHA189e87b3cc569edd26b5805244cfacb2f9c892bc7
SHA2569fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59
SHA512b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf
-
C:\Windows\Installer\f7632c4.msiFilesize
24.5MB
MD50bd85ea206276e8e5d6ea143c5cb8330
SHA175079d986324ff1d4150bf00fd10ea73f43d0a76
SHA2568bd23057abb6865b761ae9719ea6a66ce97d70225abab2d7b2ddce84e35ca602
SHA5126ac02552c727394ed9036d5015f8a6652619f9fab7ac8e06ccf5bb301580143e4c24477722cfa8ac7e5082b298e3d8ee72b04a14fbe9ee454a120ba58baf0192
-
\Windows\Installer\MSI337F.tmpFilesize
738KB
MD5b158d8d605571ea47a238df5ab43dfaa
SHA1bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA51256aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591