Analysis
- max time kernel: 117s
- max time network: 43s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 05-08-2021 14:51
Static task: static1

Behavioral task: behavioral1
- Sample: GovILCardSignSetup.exe
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: GovILCardSignSetup.exe
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: GovILCardSignSetup.exe
- Size: 1.7MB
- MD5: e802022f5ef47ef19e34fd83eb35a118
- SHA1: 3af2b49724fbb85b9387cf6765e695ad0ed156a6
- SHA256: 662465eb6766f2084ca2756ac99e598623c368ae072a46d7810f7caaad4ca68f
- SHA512: 6d3493303b37e79b8e0e8dd291f6b765c8b581119e0a636b748df1feb5a6c3dc3a96b6cf84ccd5f0122db74b6eb6212dbd21a8b53d8e02caa60a8d7f78cb43ce
- Score: 7/10

Malware Config

Signatures
Loads dropped DLL (1 IoC)
- PID 1288 MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); both processes touch every letter except C: and D:
- MSIEXEC.EXE (PID 1672 in the process tree), 24 IoCs:
  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- msiexec.exe (PID 1064 in the process tree), 24 IoCs:
  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 1288 MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1672 MSIEXEC.EXE
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description: Token enabled, grouped by process
- msiexec.exe (PID 1064), 3 IoCs: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege (these three sit between the first two PID 1672 entries and the first block below)
- MSIEXEC.EXE (PID 1672), 61 IoCs, in the order listed: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following block of 29 privileges twice in a row, then SeCreateTokenPrivilege once more:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 1672 MSIEXEC.EXE

Suspicious use of WriteProcessMemory (14 IoCs)
description: wrote to memory of
  source PID | source process         | target PID | procid_target | entries
  1644       | GovILCardSignSetup.exe | 1672       | 29            | 7
  1064       | msiexec.exe            | 1288       | 31            | 7
Processes

C:\Users\Admin\AppData\Local\Temp\GovILCardSignSetup.exe (PID 1644)
  Command line: "C:\Users\Admin\AppData\Local\Temp\GovILCardSignSetup.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\MSIEXEC.EXE (PID 1672, child of PID 1644)
    Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{82450758-26C8-4189-903F-90EB98A934EA}\GovFormsCardSign.msi" TRANSFORMS="C:\Users\Admin\AppData\Local\Downloaded Installations\{82450758-26C8-4189-903F-90EB98A934EA}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="GovILCardSignSetup.exe"
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 1064)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 1288, child of PID 1064)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A7034EFCDBA0C36E86A7C18571CED7A1 C
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
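Reading the report above, the signatures that drive the score come from the two msiexec.exe instances walking every drive letter, the MSIEXEC.EXE started by the setup stub enabling a long list of privileges in repeated passes, and each parent writing into the child it has just started. The report does not say whether that is benign, so the useful triage step is to group the flat IoC listings by process and look for anything that falls outside the installer pair. The Python below is an added example for this page, not output or tooling from the sandbox: it parses excerpts copied from the listings above (shortened, so the counts are smaller than the report's 48, 64 and 14) with regular expressions that assume the flattened column layout shown here, and flags any drive-enumerating process that is not msiexec. The `installer` parameter and the `non_installer_drive_enumerators` check are assumptions of this example, not rules the report defines.

```python
r"""Group the flattened IoC listings of the sandbox report above by process.

Added example; not part of the report or of the sandbox's tooling. The
*_EXCERPT strings are copied from the report's listings and shortened, and
the regexes assume the flattened layout those listings use:
    File opened (read-only) \??\<letter>: <process>
    Token: <privilege> <pid> <process>
    PID <ppid> wrote to memory of <pid> <ppid> <process> <procid_target>
"""
import re
from collections import Counter, defaultdict

# Excerpts copied from the report above (shortened; the full lists hold 48,
# 64 and 14 entries). Raw strings keep the \??\ device-path prefix intact.
DRIVE_EXCERPT = (
    r"File opened (read-only) \??\U: MSIEXEC.EXE "
    r"File opened (read-only) \??\G: msiexec.exe "
    r"File opened (read-only) \??\H: msiexec.exe "
    r"File opened (read-only) \??\O: MSIEXEC.EXE "
    r"File opened (read-only) \??\I: msiexec.exe "
    r"File opened (read-only) \??\G: MSIEXEC.EXE "
)
TOKEN_EXCERPT = (
    "Token: SeShutdownPrivilege 1672 MSIEXEC.EXE "
    "Token: SeIncreaseQuotaPrivilege 1672 MSIEXEC.EXE "
    "Token: SeRestorePrivilege 1064 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 1064 msiexec.exe "
    "Token: SeSecurityPrivilege 1064 msiexec.exe "
    "Token: SeCreateTokenPrivilege 1672 MSIEXEC.EXE "
    "Token: SeIncreaseQuotaPrivilege 1672 MSIEXEC.EXE "
)
WPM_EXCERPT = (
    "PID 1644 wrote to memory of 1672 1644 GovILCardSignSetup.exe 29 "
    "PID 1644 wrote to memory of 1672 1644 GovILCardSignSetup.exe 29 "
    "PID 1064 wrote to memory of 1288 1064 msiexec.exe 31 "
)

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
# The source PID is printed twice per entry; \1 insists both copies agree.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def drives_by_process(text):
    """Process name -> sorted list of distinct drive letters it opened."""
    seen = defaultdict(set)
    for letter, proc in DRIVE_RE.findall(text):
        seen[proc].add(letter)
    return {proc: sorted(letters) for proc, letters in seen.items()}


def privileges_by_pid(text):
    """(pid, process) -> Counter of privilege names, repeats preserved.

    The report re-enables the same privileges in passes, so the count tells
    you how many passes a process made, not just which privileges it wanted.
    """
    counts = defaultdict(Counter)
    for priv, pid, proc in TOKEN_RE.findall(text):
        counts[(int(pid), proc)][priv] += 1
    return dict(counts)


def process_edges(text):
    """(source pid, source process, target pid) -> number of write events."""
    edges = Counter()
    for ppid, pid, proc, _target in WPM_RE.findall(text):
        edges[(int(ppid), proc, int(pid))] += 1
    return dict(edges)


def non_installer_drive_enumerators(drives, installer="msiexec.exe"):
    """Drive-enumerating processes other than Windows Installer.

    Hypothetical triage check, not a rule from the report: the comparison is
    case-insensitive because the report shows both MSIEXEC.EXE and
    msiexec.exe. Anything returned here is not explained by the installer.
    """
    return sorted(p for p in drives if p.lower() != installer.lower())


if __name__ == "__main__":
    drives = drives_by_process(DRIVE_EXCERPT)
    for proc, letters in sorted(drives.items()):
        print(f"{proc}: {len(letters)} drives: {' '.join(letters)}")
    for (pid, proc), privs in sorted(privileges_by_pid(TOKEN_EXCERPT).items()):
        print(f"{proc} (PID {pid}): {len(privs)} distinct privileges, "
              f"{sum(privs.values())} entries")
    for (ppid, proc, pid), n in sorted(process_edges(WPM_EXCERPT).items()):
        print(f"{proc} (PID {ppid}) -> PID {pid}: {n} writes")
    print("outside the installer pattern:",
          non_installer_drive_enumerators(drives) or "none")
```

Run against the full listings instead of the excerpts, the same three parsers should give 24 letters for each msiexec process, 3 and 61 token entries for PIDs 1064 and 1672, and two parent-to-child edges with 7 writes each; a non-empty result from the last check is the thing worth opening the sandbox's full event log for.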