780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68

General

Target

780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe
Size

4.5MB
MD5

676f06460225055beb9cfd630cb82d4f
SHA1

efd67664071988718eff21f0e016158411883559
SHA256

780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68
SHA512

4185f1841fe26796848df9944627940d39644036fedeff1b9f384f14af1fdb182298a7f1354a911e5a3f3f1120d8a12b21d9bb55806b90f963e306e9c22dff5a
SSDEEP

49152:M8xmqYob7jFZhKXnBdEFRT+fwXYrWphJE9xyjHvU1/VH9UsunMlOKmLLuHfaJ3di:MQmSFZIXBdEFV1MovqJunMlBfaX+X

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\prkB09B.tmp	acprotect
\Users\Admin\AppData\Local\Temp\prkB09B.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\prkB09B.tmp	acprotect

Loads dropped DLL 2 IoCs

Processes:

780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exeMSIEXEC.EXE

pid process

2044 780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe
2000 MSIEXEC.EXE

pid	process
2044	780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe
2000	MSIEXEC.EXE

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MSIEXEC.EXE

description	ioc	process
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE

Drops file in Windows directory 1 IoCs

Processes:

780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe

description	ioc	process
File created	C:\Windows\Downloaded Installations\{62A99DAA-2C72-4B46-BB9F-AAE851645DD9}\ÑéÖ¤Âë¿Ø¼þ v1.0.0.0.msi	780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

MSIEXEC.EXEmsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2000	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2000	MSIEXEC.EXE
Token: SeRestorePrivilege	664	msiexec.exe
Token: SeTakeOwnershipPrivilege	664	msiexec.exe
Token: SeSecurityPrivilege	664	msiexec.exe
Token: SeCreateTokenPrivilege	2000	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2000	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2000	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2000	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2000	MSIEXEC.EXE
Token: SeTcbPrivilege	2000	MSIEXEC.EXE
Token: SeSecurityPrivilege	2000	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2000	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2000	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2000	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2000	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2000	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2000	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2000	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2000	MSIEXEC.EXE
Token: SeBackupPrivilege	2000	MSIEXEC.EXE
Token: SeRestorePrivilege	2000	MSIEXEC.EXE
Token: SeShutdownPrivilege	2000	MSIEXEC.EXE
Token: SeDebugPrivilege	2000	MSIEXEC.EXE
Token: SeAuditPrivilege	2000	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2000	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2000	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2000	MSIEXEC.EXE
Token: SeUndockPrivilege	2000	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2000	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2000	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2000	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2000	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2000	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MSIEXEC.EXE

pid process

2000 MSIEXEC.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe

pid process

2044 780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe

pid	process
2000	MSIEXEC.EXE

pid	process
2044	780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe

description	pid	process	target process
PID 2044 wrote to memory of 2000	2044	780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe	MSIEXEC.EXE
PID 2044 wrote to memory of 2000	2044	780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe	MSIEXEC.EXE
PID 2044 wrote to memory of 2000	2044	780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe	MSIEXEC.EXE
PID 2044 wrote to memory of 2000	2044	780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe	MSIEXEC.EXE
PID 2044 wrote to memory of 2000	2044	780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe	MSIEXEC.EXE
PID 2044 wrote to memory of 2000	2044	780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe	MSIEXEC.EXE
PID 2044 wrote to memory of 2000	2044	780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe	MSIEXEC.EXE

C:\Users\Admin\AppData\Local\Temp\780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe
"C:\Users\Admin\AppData\Local\Temp\780c1fa14891e580f7dc9bdbd681e3ebe5eeb84217d2694e1a4e4663376ded68.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\MSIEXEC.EXE
MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{62A99DAA-2C72-4B46-BB9F-AAE851645DD9}\ÑéÖ¤Âë¿Ø¼þ v1.0.0.0.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp"
2⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2000

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\prkB09B.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\Downloaded Installations\{62A99DAA-2C72-4B46-BB9F-AAE851645DD9}\ÑéÖ¤Âë¿Ø¼þ v1.0.0.0.msi

Filesize
2.3MB

MD5
9e14a31ef2a4b24999bde15cf4c6ac9f

SHA1
13ede029a7fe7e7312c32e4569224b22e5f9ed98

SHA256
b223f77367a1e324951bebc0a5bf9372733e2d9227a56ac211b3d8c2e70776d2

SHA512
c065db591f9515e069a572a1ecc5c41a4ea93a1a60bda04f723191c3447349c174125c30edc060f1e254f8ca2c0d81197bc162174b7b65a8ec61408de9b3fc07

Download Submit
\Users\Admin\AppData\Local\Temp\prkB09B.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\prkB09B.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/664-65-0x000007FEFB971000-0x000007FEFB973000-memory.dmp

Filesize
8KB

Download
memory/2000-59-0x0000000000000000-mapping.dmp

Download
memory/2000-64-0x0000000000BF0000-0x0000000000C63000-memory.dmp

Filesize
460KB

Download
memory/2044-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/2044-56-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2044-57-0x00000000002E0000-0x0000000000353000-memory.dmp

Filesize
460KB

Download
memory/2044-58-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2044-66-0x00000000002E0000-0x0000000000353000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads