960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad

Analysis

max time kernel
180s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe
Size

172KB
MD5

d7559483ddac2acdbb224a3bc7df56b9
SHA1

8f65c686d12be97e752e12b5bcfba4631807900e
SHA256

960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad
SHA512

918e136e9e619d2848d4d80e05393e6fd53ebaec46d47937e9a5f2eed0dcff97ce94fc19847a8ad35f837aecaca84b67867ec60a2d6b6a74103ce2cbf780005c
SSDEEP

3072:5SnQdXqN78kfQmbuHBBahMjDPFwWsIJAdmzcfnsb:cQXg73fQmbuHDaWPF1GfO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
220	inl592A.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e585aff.msi	msiexec.exe
File created	C:\Windows\Installer\e585afc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e585afc.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2123BA58-6264-4F55-B0DD-3E81A1CD8D45}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FBF.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1124	msiexec.exe
1124	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1272	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1272	msiexec.exe
Token: SeSecurityPrivilege	1124	msiexec.exe
Token: SeCreateTokenPrivilege	1272	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1272	msiexec.exe
Token: SeLockMemoryPrivilege	1272	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1272	msiexec.exe
Token: SeMachineAccountPrivilege	1272	msiexec.exe
Token: SeTcbPrivilege	1272	msiexec.exe
Token: SeSecurityPrivilege	1272	msiexec.exe
Token: SeTakeOwnershipPrivilege	1272	msiexec.exe
Token: SeLoadDriverPrivilege	1272	msiexec.exe
Token: SeSystemProfilePrivilege	1272	msiexec.exe
Token: SeSystemtimePrivilege	1272	msiexec.exe
Token: SeProfSingleProcessPrivilege	1272	msiexec.exe
Token: SeIncBasePriorityPrivilege	1272	msiexec.exe
Token: SeCreatePagefilePrivilege	1272	msiexec.exe
Token: SeCreatePermanentPrivilege	1272	msiexec.exe
Token: SeBackupPrivilege	1272	msiexec.exe
Token: SeRestorePrivilege	1272	msiexec.exe
Token: SeShutdownPrivilege	1272	msiexec.exe
Token: SeDebugPrivilege	1272	msiexec.exe
Token: SeAuditPrivilege	1272	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1272	msiexec.exe
Token: SeChangeNotifyPrivilege	1272	msiexec.exe
Token: SeRemoteShutdownPrivilege	1272	msiexec.exe
Token: SeUndockPrivilege	1272	msiexec.exe
Token: SeSyncAgentPrivilege	1272	msiexec.exe
Token: SeEnableDelegationPrivilege	1272	msiexec.exe
Token: SeManageVolumePrivilege	1272	msiexec.exe
Token: SeImpersonatePrivilege	1272	msiexec.exe
Token: SeCreateGlobalPrivilege	1272	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeIncBasePriorityPrivilege	4476	960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 1272	4476	960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe	81
PID 4476 wrote to memory of 1272	4476	960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe	81
PID 4476 wrote to memory of 1272	4476	960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe	81
PID 4476 wrote to memory of 1840	4476	960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe	83
PID 4476 wrote to memory of 1840	4476	960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe	83
PID 4476 wrote to memory of 1840	4476	960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe	83
PID 4476 wrote to memory of 1836	4476	960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe	85
PID 4476 wrote to memory of 1836	4476	960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe	85
PID 4476 wrote to memory of 1836	4476	960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe	85
PID 1840 wrote to memory of 220	1840	cmd.exe	88
PID 1840 wrote to memory of 220	1840	cmd.exe	88
PID 1840 wrote to memory of 220	1840	cmd.exe	88
PID 1124 wrote to memory of 3756	1124	msiexec.exe	89
PID 1124 wrote to memory of 3756	1124	msiexec.exe	89
PID 1124 wrote to memory of 3756	1124	msiexec.exe	89

C:\Users\Admin\AppData\Local\Temp\960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe
"C:\Users\Admin\AppData\Local\Temp\960303bb043e5932f1dd3a6c8ebb27dc230fb19b3dffb8b38664aaaaf04d29ad.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INS55D~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\inl592A.tmp
    C:\Users\Admin\AppData\Local\Temp\inl592A.tmp cdf1912.tmp
    3⤵
    - Executes dropped EXE
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\960303~1.EXE > nul
  2⤵
  PID:1836

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 66BA7DA69CD14F2ADA863850EC78EF68
  2⤵
  PID:3756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INS55D~1.INI

Filesize
66KB

MD5
3b9b5ed99029fcef5b63c910c42469c0

SHA1
c21c85637796a69273fae931e639ab0b411e86d0

SHA256
0355ca313db93a8d260ab39e4940b8de21dfae130237b3a0163cf868cac42ce3

SHA512
fc5edc1d8eeb77b29fb76ba948dabf5f00bcfaf6893826bbfa78770c2d31f574320cbb7cb4ac649b24b4a21568632f28fc9d3c3098048800c2fef69e3369f44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl592A.tmp

Filesize
57.2MB

MD5
38baa10e2d34fe1b133386719df985bf

SHA1
ea3da7fe2add99b8f207822cf6369a12e654a72b

SHA256
dfd527f583329ff2a5cde893f8947852829bfb2a9d98cd04d76039f80f4f1261

SHA512
65c23f5495083b332f24b910eefb42fa2233e15d42b9290622593a8ed627a485dc2ef138d4c2ef9d38bbcac7e122f198d24e16da6eb49743ec46317da360c284

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl592A.tmp

Filesize
57.2MB

MD5
38baa10e2d34fe1b133386719df985bf

SHA1
ea3da7fe2add99b8f207822cf6369a12e654a72b

SHA256
dfd527f583329ff2a5cde893f8947852829bfb2a9d98cd04d76039f80f4f1261

SHA512
65c23f5495083b332f24b910eefb42fa2233e15d42b9290622593a8ed627a485dc2ef138d4c2ef9d38bbcac7e122f198d24e16da6eb49743ec46317da360c284

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
748303948bb3f7307683e5104784391a

SHA1
b3582cbdeff8aa20f8a0fac493c45a94c29cd008

SHA256
c0f7b14cedf133c4413ec33fa4c8cb927eec29beb14af0a52b86f16f89cab2c0

SHA512
2a03f36bd9fc7a94267e421b8874feabb858e71d6262b10b9144f26a73a993c87e411a50b521b2241dc7f601d84f0d13010761b2669199569372430be489b3af

Download Submit
memory/4476-132-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4476-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download