c375e04aa8ec047a0ddbca2b0ab87735a1773bf0d7e003fb988b0cb768cb6697

Analysis

max time kernel
9s
max time network
36s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

916KB
MD5

fc6b2fd7d6de1ada94e6363efc129a02
SHA1

3dd9613b9d5fbcb23f816ab0a141d6b90a53040a
SHA256

443a6f0d2163fb7a298d06a2bfaf56a06c2d86a2b5aa8598af908eeb1e74e449
SHA512

74f9748f8a7369f6b3306b2e42c11b1eb8741918c825d6d3b4a3981a593435886a23dd4acac314033e36450e08f61c64f58efa691c214a337263760bd2ccd316
SSDEEP

24576:hyqSGF69OZbNp8ar4i4vaiCSbfmY/FzeoS1OwETpbLz48H:AqSC694b8xiKaiCEfmY/FzeoS1O7TFp

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1736	MsiExec.exe

Loads dropped DLL 2 IoCs

pid	Process
1276	Setup.exe
1736	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	856	msiexec.exe
Token: SeIncreaseQuotaPrivilege	856	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe
Token: SeTakeOwnershipPrivilege	520	msiexec.exe
Token: SeSecurityPrivilege	520	msiexec.exe
Token: SeCreateTokenPrivilege	856	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	856	msiexec.exe
Token: SeLockMemoryPrivilege	856	msiexec.exe
Token: SeIncreaseQuotaPrivilege	856	msiexec.exe
Token: SeMachineAccountPrivilege	856	msiexec.exe
Token: SeTcbPrivilege	856	msiexec.exe
Token: SeSecurityPrivilege	856	msiexec.exe
Token: SeTakeOwnershipPrivilege	856	msiexec.exe
Token: SeLoadDriverPrivilege	856	msiexec.exe
Token: SeSystemProfilePrivilege	856	msiexec.exe
Token: SeSystemtimePrivilege	856	msiexec.exe
Token: SeProfSingleProcessPrivilege	856	msiexec.exe
Token: SeIncBasePriorityPrivilege	856	msiexec.exe
Token: SeCreatePagefilePrivilege	856	msiexec.exe
Token: SeCreatePermanentPrivilege	856	msiexec.exe
Token: SeBackupPrivilege	856	msiexec.exe
Token: SeRestorePrivilege	856	msiexec.exe
Token: SeShutdownPrivilege	856	msiexec.exe
Token: SeDebugPrivilege	856	msiexec.exe
Token: SeAuditPrivilege	856	msiexec.exe
Token: SeSystemEnvironmentPrivilege	856	msiexec.exe
Token: SeChangeNotifyPrivilege	856	msiexec.exe
Token: SeRemoteShutdownPrivilege	856	msiexec.exe
Token: SeUndockPrivilege	856	msiexec.exe
Token: SeSyncAgentPrivilege	856	msiexec.exe
Token: SeEnableDelegationPrivilege	856	msiexec.exe
Token: SeManageVolumePrivilege	856	msiexec.exe
Token: SeImpersonatePrivilege	856	msiexec.exe
Token: SeCreateGlobalPrivilege	856	msiexec.exe
Token: SeCreateTokenPrivilege	856	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	856	msiexec.exe
Token: SeLockMemoryPrivilege	856	msiexec.exe
Token: SeIncreaseQuotaPrivilege	856	msiexec.exe
Token: SeMachineAccountPrivilege	856	msiexec.exe
Token: SeTcbPrivilege	856	msiexec.exe
Token: SeSecurityPrivilege	856	msiexec.exe
Token: SeTakeOwnershipPrivilege	856	msiexec.exe
Token: SeLoadDriverPrivilege	856	msiexec.exe
Token: SeSystemProfilePrivilege	856	msiexec.exe
Token: SeSystemtimePrivilege	856	msiexec.exe
Token: SeProfSingleProcessPrivilege	856	msiexec.exe
Token: SeIncBasePriorityPrivilege	856	msiexec.exe
Token: SeCreatePagefilePrivilege	856	msiexec.exe
Token: SeCreatePermanentPrivilege	856	msiexec.exe
Token: SeBackupPrivilege	856	msiexec.exe
Token: SeRestorePrivilege	856	msiexec.exe
Token: SeShutdownPrivilege	856	msiexec.exe
Token: SeDebugPrivilege	856	msiexec.exe
Token: SeAuditPrivilege	856	msiexec.exe
Token: SeSystemEnvironmentPrivilege	856	msiexec.exe
Token: SeChangeNotifyPrivilege	856	msiexec.exe
Token: SeRemoteShutdownPrivilege	856	msiexec.exe
Token: SeUndockPrivilege	856	msiexec.exe
Token: SeSyncAgentPrivilege	856	msiexec.exe
Token: SeEnableDelegationPrivilege	856	msiexec.exe
Token: SeManageVolumePrivilege	856	msiexec.exe
Token: SeImpersonatePrivilege	856	msiexec.exe
Token: SeCreateGlobalPrivilege	856	msiexec.exe
Token: SeCreateTokenPrivilege	856	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1276	Setup.exe
856	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 856	1276	Setup.exe	28
PID 1276 wrote to memory of 856	1276	Setup.exe	28
PID 1276 wrote to memory of 856	1276	Setup.exe	28
PID 1276 wrote to memory of 856	1276	Setup.exe	28
PID 1276 wrote to memory of 856	1276	Setup.exe	28
PID 1276 wrote to memory of 856	1276	Setup.exe	28
PID 1276 wrote to memory of 856	1276	Setup.exe	28
PID 520 wrote to memory of 1736	520	msiexec.exe	30
PID 520 wrote to memory of 1736	520	msiexec.exe	30
PID 520 wrote to memory of 1736	520	msiexec.exe	30
PID 520 wrote to memory of 1736	520	msiexec.exe	30
PID 520 wrote to memory of 1736	520	msiexec.exe	30
PID 520 wrote to memory of 1736	520	msiexec.exe	30
PID 520 wrote to memory of 1736	520	msiexec.exe	30

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\Wocarson\Office Genuine Advantage Validation 2.0.48.0 Cracked V3\install\E88B731\Setup.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Setup.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:856

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24C7B6C4DFD7B6FC3327E1B26E814FCB C
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI87E6.tmp

Filesize
31KB

MD5
18cb11a87f2650cbe65e3cbef1f1dc50

SHA1
4b0cf677532b0e8ee1cde366f1ea2d0820663e37

SHA256
bb5b6e79993ae68f4a7e349cd75dc764748eb15239f58e1b198a2df035aea86b

SHA512
966076f27e446ac965dc7e2017bcb158976395b21ef1555615e65d606e61a900d5b8fb902c7e9111fc97ebd4f0f746248de793a0167788aa50ba173d8dcb8092

Download Submit
C:\Users\Admin\AppData\Roaming\Wocarson\Office Genuine Advantage Validation 2.0.48.0 Cracked V3\install\E88B731\Setup.msi

Filesize
443KB

MD5
c0035744239a65e2c98b7cc31a2dc57b

SHA1
f193112d176316a966c102c24667385a18c4869e

SHA256
b5a21afaa0809c3b3004db7fcc7fad72d86c49e00a953586830e983715fff0fe

SHA512
98e3633d1a2111f31258175df3e1215a7a4a698d5bdd13c07a56f15af634e8dabc241f213665d4b44b5eddd5cd0b53d3a7e7481fb439641f22f4171b8c8e944c

Download Submit
\Users\Admin\AppData\Local\Temp\MSI87E6.tmp

Filesize
31KB

MD5
18cb11a87f2650cbe65e3cbef1f1dc50

SHA1
4b0cf677532b0e8ee1cde366f1ea2d0820663e37

SHA256
bb5b6e79993ae68f4a7e349cd75dc764748eb15239f58e1b198a2df035aea86b

SHA512
966076f27e446ac965dc7e2017bcb158976395b21ef1555615e65d606e61a900d5b8fb902c7e9111fc97ebd4f0f746248de793a0167788aa50ba173d8dcb8092

Download Submit
\Users\Admin\AppData\Roaming\Wocarson\Office Genuine Advantage Validation 2.0.48.0 Cracked V3\install\decoder.dll

Filesize
105KB

MD5
88d4c233541d05a7185c900cf2502e5f

SHA1
d1abfdd36a5781315af5acf483c7046b0fe3ac4b

SHA256
64956f9ce347e30b527bb6a2ab2662533f879d6bad64477edea779647e316156

SHA512
f9ed71fb783ea68f954fd2e59ac47452c446c81f7ccd1180fe808caf3b5831cf4ed8273e05fdeb6a528d00a897f7652ede583ba1358181a126f8caceae9f93fd

Download Submit
memory/856-58-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download
memory/1276-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1276-55-0x0000000073E21000-0x0000000073E23000-memory.dmp

Filesize
8KB

Download