Analysis
max time kernel: 91s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/09/2022, 21:27
Static task: static1
Behavioral task: behavioral1
  Sample: installation.bat
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: installation.bat
  Resource: win10v2004-20220812-en
General
Target: installation.bat
Size: 427B
MD5: 7679ad294e3b294ebfb6a2193370f268
SHA1: 7a21710124758000145899c38ef4864541bda176
SHA256: fddc13cd1e11c17eec42a4c9fee527220ecd0ce3875031359ce07dda8bb44127
SHA512: e112c044b90682151606bf7fc47ca886ffd2f63413744a3baf10357ac846a91626fd997040d63a73d14f92f4e40c4709458dff0919db21683bcc1976a833fcb0
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description               ioc      Process
File opened (read-only)   \??\T:   MSIEXEC.EXE
File opened (read-only)   \??\U:   MSIEXEC.EXE
File opened (read-only)   \??\X:   MSIEXEC.EXE
File opened (read-only)   \??\Y:   MSIEXEC.EXE
File opened (read-only)   \??\B:   MSIEXEC.EXE
File opened (read-only)   \??\H:   MSIEXEC.EXE
File opened (read-only)   \??\Q:   MSIEXEC.EXE
File opened (read-only)   \??\O:   MSIEXEC.EXE
File opened (read-only)   \??\P:   MSIEXEC.EXE
File opened (read-only)   \??\R:   MSIEXEC.EXE
File opened (read-only)   \??\W:   MSIEXEC.EXE
File opened (read-only)   \??\A:   MSIEXEC.EXE
File opened (read-only)   \??\E:   MSIEXEC.EXE
File opened (read-only)   \??\F:   MSIEXEC.EXE
File opened (read-only)   \??\K:   MSIEXEC.EXE
File opened (read-only)   \??\N:   MSIEXEC.EXE
File opened (read-only)   \??\G:   MSIEXEC.EXE
File opened (read-only)   \??\I:   MSIEXEC.EXE
File opened (read-only)   \??\J:   MSIEXEC.EXE
File opened (read-only)   \??\V:   MSIEXEC.EXE
File opened (read-only)   \??\Z:   MSIEXEC.EXE
File opened (read-only)   \??\L:   MSIEXEC.EXE
File opened (read-only)   \??\M:   MSIEXEC.EXE
File opened (read-only)   \??\S:   MSIEXEC.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid    Process
2688   powershell.exe

Suspicious use of AdjustPrivilegeToken (33 IoCs)
description                              pid    Process
Token: SeDebugPrivilege                  2688   powershell.exe
Token: SeShutdownPrivilege               260    MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege          260    MSIEXEC.EXE
Token: SeSecurityPrivilege               224    msiexec.exe
Token: SeCreateTokenPrivilege            260    MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege     260    MSIEXEC.EXE
Token: SeLockMemoryPrivilege             260    MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege          260    MSIEXEC.EXE
Token: SeMachineAccountPrivilege         260    MSIEXEC.EXE
Token: SeTcbPrivilege                    260    MSIEXEC.EXE
Token: SeSecurityPrivilege               260    MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege          260    MSIEXEC.EXE
Token: SeLoadDriverPrivilege             260    MSIEXEC.EXE
Token: SeSystemProfilePrivilege          260    MSIEXEC.EXE
Token: SeSystemtimePrivilege             260    MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege      260    MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege        260    MSIEXEC.EXE
Token: SeCreatePagefilePrivilege         260    MSIEXEC.EXE
Token: SeCreatePermanentPrivilege        260    MSIEXEC.EXE
Token: SeBackupPrivilege                 260    MSIEXEC.EXE
Token: SeRestorePrivilege                260    MSIEXEC.EXE
Token: SeShutdownPrivilege               260    MSIEXEC.EXE
Token: SeDebugPrivilege                  260    MSIEXEC.EXE
Token: SeAuditPrivilege                  260    MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege      260    MSIEXEC.EXE
Token: SeChangeNotifyPrivilege           260    MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege         260    MSIEXEC.EXE
Token: SeUndockPrivilege                 260    MSIEXEC.EXE
Token: SeSyncAgentPrivilege              260    MSIEXEC.EXE
Token: SeEnableDelegationPrivilege       260    MSIEXEC.EXE
Token: SeManageVolumePrivilege           260    MSIEXEC.EXE
Token: SeImpersonatePrivilege            260    MSIEXEC.EXE
Token: SeCreateGlobalPrivilege           260    MSIEXEC.EXE

Suspicious use of FindShellTrayWindow (1 IoC)
pid    Process
260    MSIEXEC.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid    Process         procid_target
PID 4244 wrote to memory of 1868  4244   cmd.exe         79
PID 4244 wrote to memory of 1868  4244   cmd.exe         79
PID 4244 wrote to memory of 1868  4244   cmd.exe         79
PID 4244 wrote to memory of 2688  4244   cmd.exe         80
PID 4244 wrote to memory of 2688  4244   cmd.exe         80
PID 1868 wrote to memory of 260   1868   uninstall.exe   85
PID 1868 wrote to memory of 260   1868   uninstall.exe   85
PID 1868 wrote to memory of 260   1868   uninstall.exe   85
Processes

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\installation.bat"
  PID: 4244
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\dependencies\uninstall.exe
      Command line: dependencies/uninstall.exe
      PID: 1868
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\MSIEXEC.EXE
          Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{91648971-5F6B-43AE-9872-0603D92020BE}\abbulkmailer_setup.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\dependencies" SETUPEXENAME="uninstall.exe"
          PID: 260
          - Enumerates connected drives
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: Powershell.exe -windowstyle hidden -NoP -executionpolicy bypass -File "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\driver.ps1"
      PID: 2688
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 224
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Downloaded Installations\{91648971-5F6B-43AE-9872-0603D92020BE}\abbulkmailer_setup.msi
Filesize: 6.2MB
MD5: b0f1febb6745c875d2941336144fa2ed
SHA1: 6cb858ca0022bad99189281c7d9c819d79d9a652
SHA256: a226b31420c4205e1cbb0d814cb9ba75461e31d19e9c0c9a834e88eb9dfc86ea
SHA512: 52b32f39d50ae2836e62f62cb9af3372c1e2f609bcadcdfe9ffcd680c14dc41a2ced763e55678df59fafa58cf37c7286ba71c5ae13a0edfa677659ba2a9c78b5