Analysis
- max time kernel: 11s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-08-2021 14:51

Static task: static1

Behavioral task: behavioral1
- Sample: GovILCardSignSetup.exe
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: GovILCardSignSetup.exe
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds

General
- Target: GovILCardSignSetup.exe
- Size: 1.7MB
- MD5: e802022f5ef47ef19e34fd83eb35a118
- SHA1: 3af2b49724fbb85b9387cf6765e695ad0ed156a6
- SHA256: 662465eb6766f2084ca2756ac99e598623c368ae072a46d7810f7caaad4ca68f
- SHA512: 6d3493303b37e79b8e0e8dd291f6b765c8b581119e0a636b748df1feb5a6c3dc3a96b6cf84ccd5f0122db74b6eb6212dbd21a8b53d8e02caa60a8d7f78cb43ce
- Score: 7/10
Malware Config
Signatures
-
Loads dropped DLL (1 IoC)
- pid 3896, process MsiExec.exe

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 3896, process MsiExec.exe
- pid 3896, process MsiExec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
- pid 208, process MSIEXEC.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3876 wrote to memory of 208: pid 3876, process GovILCardSignSetup.exe, procid_target 78
- PID 3876 wrote to memory of 208: pid 3876, process GovILCardSignSetup.exe, procid_target 78
- PID 3876 wrote to memory of 208: pid 3876, process GovILCardSignSetup.exe, procid_target 78
- PID 3964 wrote to memory of 3896: pid 3964, process msiexec.exe, procid_target 81
- PID 3964 wrote to memory of 3896: pid 3964, process msiexec.exe, procid_target 81
- PID 3964 wrote to memory of 3896: pid 3964, process msiexec.exe, procid_target 81
Processes
- C:\Users\Admin\AppData\Local\Temp\GovILCardSignSetup.exe (PID 3876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\GovILCardSignSetup.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\MSIEXEC.EXE (PID 208)
    Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{82450758-26C8-4189-903F-90EB98A934EA}\GovFormsCardSign.msi" TRANSFORMS="C:\Users\Admin\AppData\Local\Downloaded Installations\{82450758-26C8-4189-903F-90EB98A934EA}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="GovILCardSignSetup.exe"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3964)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 3896)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C9977B85B251E794D81BB70013E84385 C
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses