Analysis
-
max time kernel
162s -
max time network
205s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
01/12/2022, 14:21
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
your_exe.exe
Resource
win7-20220901-en
Behavioral task
behavioral4
Sample
your_exe.exe
Resource
win10v2004-20220812-en
General
-
Target
Setup.exe
-
Size
916KB
-
MD5
fc6b2fd7d6de1ada94e6363efc129a02
-
SHA1
3dd9613b9d5fbcb23f816ab0a141d6b90a53040a
-
SHA256
443a6f0d2163fb7a298d06a2bfaf56a06c2d86a2b5aa8598af908eeb1e74e449
-
SHA512
74f9748f8a7369f6b3306b2e42c11b1eb8741918c825d6d3b4a3981a593435886a23dd4acac314033e36450e08f61c64f58efa691c214a337263760bd2ccd316
-
SSDEEP
24576:hyqSGF69OZbNp8ar4i4vaiCSbfmY/FzeoS1OwETpbLz48H:AqSC694b8xiKaiCEfmY/FzeoS1O7TFp
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process
12 3820 MsiExec.exe
-
Loads dropped DLL 2 IoCs
pid Process
2100 Setup.exe
3820 MsiExec.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2100 Setup.exe
5076 msiexec.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target
PID 2100 wrote to memory of 5076 2100 Setup.exe 79
PID 2100 wrote to memory of 5076 2100 Setup.exe 79
PID 4772 wrote to memory of 3820 4772 msiexec.exe 82
PID 4772 wrote to memory of 3820 4772 msiexec.exe 82
PID 4772 wrote to memory of 3820 4772 msiexec.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe [level 1]
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\system32\msiexec.exe [level 2]
/i "C:\Users\Admin\AppData\Roaming\Wocarson\Office Genuine Advantage Validation 2.0.48.0 Cracked V3\install\E88B731\Setup.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Setup.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5076
-
-
C:\Windows\system32\msiexec.exe [level 1]
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\syswow64\MsiExec.exe [level 2]
C:\Windows\syswow64\MsiExec.exe -Embedding 752FB848AC0BCD56751CF0942DECE182 C
- Blocklisted process makes network request
- Loads dropped DLL
PID:3820
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
31KB
MD5 18cb11a87f2650cbe65e3cbef1f1dc50
SHA1 4b0cf677532b0e8ee1cde366f1ea2d0820663e37
SHA256 bb5b6e79993ae68f4a7e349cd75dc764748eb15239f58e1b198a2df035aea86b
SHA512 966076f27e446ac965dc7e2017bcb158976395b21ef1555615e65d606e61a900d5b8fb902c7e9111fc97ebd4f0f746248de793a0167788aa50ba173d8dcb8092
-
C:\Users\Admin\AppData\Roaming\Wocarson\Office Genuine Advantage Validation 2.0.48.0 Cracked V3\install\E88B731\Setup.msi
Filesize 443KB
MD5 c0035744239a65e2c98b7cc31a2dc57b
SHA1 f193112d176316a966c102c24667385a18c4869e
SHA256 b5a21afaa0809c3b3004db7fcc7fad72d86c49e00a953586830e983715fff0fe
SHA512 98e3633d1a2111f31258175df3e1215a7a4a698d5bdd13c07a56f15af634e8dabc241f213665d4b44b5eddd5cd0b53d3a7e7481fb439641f22f4171b8c8e944c
-
C:\Users\Admin\AppData\Roaming\Wocarson\Office Genuine Advantage Validation 2.0.48.0 Cracked V3\install\decoder.dll
Filesize 105KB
MD5 88d4c233541d05a7185c900cf2502e5f
SHA1 d1abfdd36a5781315af5acf483c7046b0fe3ac4b
SHA256 64956f9ce347e30b527bb6a2ab2662533f879d6bad64477edea779647e316156
SHA512 f9ed71fb783ea68f954fd2e59ac47452c446c81f7ccd1180fe808caf3b5831cf4ed8273e05fdeb6a528d00a897f7652ede583ba1358181a126f8caceae9f93fd