13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3

Analysis

max time kernel
79s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2022, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Size

14.7MB
MD5

8267ce209d00f7fb4478787fbb87a605
SHA1

f82dbb92a8b5faa58b837b719f19a80751bfd10f
SHA256

13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3
SHA512

526df21d4569fde2b74291bcf35f95f2c357ca74ffa84b1ec25a4ddb4f0fcecfe55739209523ff9fdc87697ceb11720ad2ed77b1114c2d7b2f247cd7c6b643c7
SSDEEP

393216:6fxTV1VpgZ8BgkpeXBQNIkFiTpQiSUK728:6z1HhgkIXBQhtUKq8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1976	MsiExec.exe
1976	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\O:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\V:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\X:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\Z:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\F:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\N:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\Q:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\S:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\U:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\W:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\B:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\L:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\R:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\G:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\I:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\M:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\Y:	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
File opened (read-only)	\??\G:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	632	msiexec.exe
Token: SeCreateTokenPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeAssignPrimaryTokenPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeLockMemoryPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeIncreaseQuotaPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeMachineAccountPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeTcbPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeSecurityPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeTakeOwnershipPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeLoadDriverPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeSystemProfilePrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeSystemtimePrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeProfSingleProcessPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeIncBasePriorityPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeCreatePagefilePrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeCreatePermanentPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeBackupPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeRestorePrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeShutdownPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeDebugPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeAuditPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeSystemEnvironmentPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeChangeNotifyPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeRemoteShutdownPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeUndockPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeSyncAgentPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeEnableDelegationPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeManageVolumePrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeImpersonatePrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeCreateGlobalPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeCreateTokenPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeAssignPrimaryTokenPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeLockMemoryPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeIncreaseQuotaPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeMachineAccountPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeTcbPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeSecurityPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeTakeOwnershipPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeLoadDriverPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeSystemProfilePrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeSystemtimePrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeProfSingleProcessPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeIncBasePriorityPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeCreatePagefilePrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeCreatePermanentPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeBackupPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeRestorePrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeShutdownPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeDebugPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeAuditPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeSystemEnvironmentPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeChangeNotifyPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeRemoteShutdownPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeUndockPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeSyncAgentPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeEnableDelegationPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeManageVolumePrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeImpersonatePrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeCreateGlobalPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeCreateTokenPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeAssignPrimaryTokenPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeLockMemoryPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeIncreaseQuotaPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
Token: SeMachineAccountPrivilege	4824	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2276	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 4824	2276	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe	84
PID 2276 wrote to memory of 4824	2276	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe	84
PID 2276 wrote to memory of 4824	2276	13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe	84
PID 632 wrote to memory of 1976	632	msiexec.exe	87
PID 632 wrote to memory of 1976	632	msiexec.exe	87
PID 632 wrote to memory of 1976	632	msiexec.exe	87

C:\Users\Admin\AppData\Local\Temp\13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
"C:\Users\Admin\AppData\Local\Temp\13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe
  /i "C:\Users\Admin\AppData\Roaming\北京虹安翔宇信息科技有限公司\考勤终端\install\HRMS_SetUp.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\13d9e7cec4d4cb01528018c6f299a154133b28f2e43cd9c2ce45ad52ca57c4a3.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:4824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B70D34AE3ED9D4FB9E7CC9ADDF6A1E2C C
  2⤵
  - Loads dropped DLL
  PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI8050.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8050.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI833F.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI833F.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
C:\Users\Admin\AppData\Roaming\北京虹安翔宇信息科技有限公司\考勤终端\install\HRMS_SetUp.msi

Filesize
572KB

MD5
0033c56161de61c324dfbbb3f2f02e76

SHA1
25722ba2ab27c3ecd241193626511ef75e0e9d5d

SHA256
2b9dc37a21ccafe36fe374bc7cbb5b77cb09d7324443a84c4d6235f72f27d15c

SHA512
e5be12226c51968f1f36934c51cb7220a4a7bb8421922097cb1a365f74a7a5353ebe9772b372f0387035c3e9e8d2d10113653cf55d3f2082f9b0f9bd9783003f

Download Submit