Analysis
- max time kernel: 48s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 14/09/2022, 21:27
Static task: static1
Behavioral task: behavioral1
- Sample: installation.bat
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: installation.bat
- Resource: win10v2004-20220812-en
General
- Target: installation.bat
- Size: 427B
- MD5: 7679ad294e3b294ebfb6a2193370f268
- SHA1: 7a21710124758000145899c38ef4864541bda176
- SHA256: fddc13cd1e11c17eec42a4c9fee527220ecd0ce3875031359ce07dda8bb44127
- SHA512: e112c044b90682151606bf7fc47ca886ffd2f63413744a3baf10357ac846a91626fd997040d63a73d14f92f4e40c4709458dff0919db21683bcc1976a833fcb0
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.

  description              ioc     Process
  File opened (read-only)  \??\S:  MSIEXEC.EXE
  File opened (read-only)  \??\U:  MSIEXEC.EXE
  File opened (read-only)  \??\K:  MSIEXEC.EXE
  File opened (read-only)  \??\N:  MSIEXEC.EXE
  File opened (read-only)  \??\Q:  MSIEXEC.EXE
  File opened (read-only)  \??\R:  MSIEXEC.EXE
  File opened (read-only)  \??\V:  MSIEXEC.EXE
  File opened (read-only)  \??\A:  MSIEXEC.EXE
  File opened (read-only)  \??\E:  MSIEXEC.EXE
  File opened (read-only)  \??\J:  MSIEXEC.EXE
  File opened (read-only)  \??\M:  MSIEXEC.EXE
  File opened (read-only)  \??\O:  MSIEXEC.EXE
  File opened (read-only)  \??\P:  MSIEXEC.EXE
  File opened (read-only)  \??\Y:  MSIEXEC.EXE
  File opened (read-only)  \??\Z:  MSIEXEC.EXE
  File opened (read-only)  \??\B:  MSIEXEC.EXE
  File opened (read-only)  \??\F:  MSIEXEC.EXE
  File opened (read-only)  \??\I:  MSIEXEC.EXE
  File opened (read-only)  \??\T:  MSIEXEC.EXE
  File opened (read-only)  \??\W:  MSIEXEC.EXE
  File opened (read-only)  \??\X:  MSIEXEC.EXE
  File opened (read-only)  \??\G:  MSIEXEC.EXE
  File opened (read-only)  \??\H:  MSIEXEC.EXE
  File opened (read-only)  \??\L:  MSIEXEC.EXE

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)

  pid   Process
  1932  uninstall.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)

  pid   Process
  1168  powershell.exe

- Suspicious use of AdjustPrivilegeToken (35 IoCs)

  description                           pid   Process
  Token: SeDebugPrivilege               1168  powershell.exe
  Token: SeShutdownPrivilege            1896  MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege       1896  MSIEXEC.EXE
  Token: SeRestorePrivilege             680   msiexec.exe
  Token: SeTakeOwnershipPrivilege       680   msiexec.exe
  Token: SeSecurityPrivilege            680   msiexec.exe
  Token: SeCreateTokenPrivilege         1896  MSIEXEC.EXE
  Token: SeAssignPrimaryTokenPrivilege  1896  MSIEXEC.EXE
  Token: SeLockMemoryPrivilege          1896  MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege       1896  MSIEXEC.EXE
  Token: SeMachineAccountPrivilege      1896  MSIEXEC.EXE
  Token: SeTcbPrivilege                 1896  MSIEXEC.EXE
  Token: SeSecurityPrivilege            1896  MSIEXEC.EXE
  Token: SeTakeOwnershipPrivilege       1896  MSIEXEC.EXE
  Token: SeLoadDriverPrivilege          1896  MSIEXEC.EXE
  Token: SeSystemProfilePrivilege       1896  MSIEXEC.EXE
  Token: SeSystemtimePrivilege          1896  MSIEXEC.EXE
  Token: SeProfSingleProcessPrivilege   1896  MSIEXEC.EXE
  Token: SeIncBasePriorityPrivilege     1896  MSIEXEC.EXE
  Token: SeCreatePagefilePrivilege      1896  MSIEXEC.EXE
  Token: SeCreatePermanentPrivilege     1896  MSIEXEC.EXE
  Token: SeBackupPrivilege              1896  MSIEXEC.EXE
  Token: SeRestorePrivilege             1896  MSIEXEC.EXE
  Token: SeShutdownPrivilege            1896  MSIEXEC.EXE
  Token: SeDebugPrivilege               1896  MSIEXEC.EXE
  Token: SeAuditPrivilege               1896  MSIEXEC.EXE
  Token: SeSystemEnvironmentPrivilege   1896  MSIEXEC.EXE
  Token: SeChangeNotifyPrivilege        1896  MSIEXEC.EXE
  Token: SeRemoteShutdownPrivilege      1896  MSIEXEC.EXE
  Token: SeUndockPrivilege              1896  MSIEXEC.EXE
  Token: SeSyncAgentPrivilege           1896  MSIEXEC.EXE
  Token: SeEnableDelegationPrivilege    1896  MSIEXEC.EXE
  Token: SeManageVolumePrivilege        1896  MSIEXEC.EXE
  Token: SeImpersonatePrivilege         1896  MSIEXEC.EXE
  Token: SeCreateGlobalPrivilege        1896  MSIEXEC.EXE

- Suspicious use of FindShellTrayWindow (1 IoC)

  pid   Process
  1896  MSIEXEC.EXE

- Suspicious use of WriteProcessMemory (17 IoCs)

  description                        pid   Process        procid_target
  PID 1364 wrote to memory of 1932   1364  cmd.exe        27
  PID 1364 wrote to memory of 1932   1364  cmd.exe        27
  PID 1364 wrote to memory of 1932   1364  cmd.exe        27
  PID 1364 wrote to memory of 1932   1364  cmd.exe        27
  PID 1364 wrote to memory of 1932   1364  cmd.exe        27
  PID 1364 wrote to memory of 1932   1364  cmd.exe        27
  PID 1364 wrote to memory of 1932   1364  cmd.exe        27
  PID 1364 wrote to memory of 1168   1364  cmd.exe        28
  PID 1364 wrote to memory of 1168   1364  cmd.exe        28
  PID 1364 wrote to memory of 1168   1364  cmd.exe        28
  PID 1932 wrote to memory of 1896   1932  uninstall.exe  29
  PID 1932 wrote to memory of 1896   1932  uninstall.exe  29
  PID 1932 wrote to memory of 1896   1932  uninstall.exe  29
  PID 1932 wrote to memory of 1896   1932  uninstall.exe  29
  PID 1932 wrote to memory of 1896   1932  uninstall.exe  29
  PID 1932 wrote to memory of 1896   1932  uninstall.exe  29
  PID 1932 wrote to memory of 1896   1932  uninstall.exe  29
Processes
- C:\Windows\system32\cmd.exe (PID: 1364)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\installation.bat"
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\dependencies\uninstall.exe (PID: 1932)
    Command line: dependencies/uninstall.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\MSIEXEC.EXE (PID: 1896)
      Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{91648971-5F6B-43AE-9872-0603D92020BE}\abbulkmailer_setup.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\dependencies" SETUPEXENAME="uninstall.exe"
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 1168)
    Command line: Powershell.exe -windowstyle hidden -NoP -executionpolicy bypass -File "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\driver.ps1"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\msiexec.exe (PID: 680)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Downloaded Installations\{91648971-5F6B-43AE-9872-0603D92020BE}\abbulkmailer_setup.msi
  Filesize: 6.2MB
  MD5: b0f1febb6745c875d2941336144fa2ed
  SHA1: 6cb858ca0022bad99189281c7d9c819d79d9a652
  SHA256: a226b31420c4205e1cbb0d814cb9ba75461e31d19e9c0c9a834e88eb9dfc86ea
  SHA512: 52b32f39d50ae2836e62f62cb9af3372c1e2f609bcadcdfe9ffcd680c14dc41a2ced763e55678df59fafa58cf37c7286ba71c5ae13a0edfa677659ba2a9c78b5