Analysis
max time kernel: 84s
max time network: 30s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2022, 17:15
Static task: static1
Behavioral task: behavioral1
  Sample: 166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe
  Resource: win10v2004-20220901-en
General
Target: 166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe
Size: 7.1MB
MD5: 286e46a3d228975e7436a77dc7bf36e6
SHA1: 6477b94519931f17b18ff77f51801190af56569e
SHA256: 166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732
SHA512: 3be0afdb289675a1d5f4b2ae3a8692e1663478330c6441c69704d3dfa7bd19abe642cf18461790af605606ee91369d94f06a66f774b5113b19599eaa795bf54c
SSDEEP: 196608:kI4KlKyPWtqnxaG2kmXj1w4LH6vR6Ossh4Yhrk:ZRohDzS4rIR6Oj4Yo
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | MSIEXEC.EXE
File opened (read-only) | \??\L: | MSIEXEC.EXE
File opened (read-only) | \??\P: | MSIEXEC.EXE
File opened (read-only) | \??\R: | MSIEXEC.EXE
File opened (read-only) | \??\V: | MSIEXEC.EXE
File opened (read-only) | \??\X: | MSIEXEC.EXE
File opened (read-only) | \??\Y: | MSIEXEC.EXE
File opened (read-only) | \??\Z: | MSIEXEC.EXE
File opened (read-only) | \??\A: | MSIEXEC.EXE
File opened (read-only) | \??\E: | MSIEXEC.EXE
File opened (read-only) | \??\K: | MSIEXEC.EXE
File opened (read-only) | \??\N: | MSIEXEC.EXE
File opened (read-only) | \??\O: | MSIEXEC.EXE
File opened (read-only) | \??\U: | MSIEXEC.EXE
File opened (read-only) | \??\B: | MSIEXEC.EXE
File opened (read-only) | \??\F: | MSIEXEC.EXE
File opened (read-only) | \??\H: | MSIEXEC.EXE
File opened (read-only) | \??\J: | MSIEXEC.EXE
File opened (read-only) | \??\S: | MSIEXEC.EXE
File opened (read-only) | \??\T: | MSIEXEC.EXE
File opened (read-only) | \??\I: | MSIEXEC.EXE
File opened (read-only) | \??\M: | MSIEXEC.EXE
File opened (read-only) | \??\Q: | MSIEXEC.EXE
File opened (read-only) | \??\W: | MSIEXEC.EXE
Suspicious use of AdjustPrivilegeToken (34 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 688 | MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege | 688 | MSIEXEC.EXE
Token: SeRestorePrivilege | 1528 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1528 | msiexec.exe
Token: SeSecurityPrivilege | 1528 | msiexec.exe
Token: SeCreateTokenPrivilege | 688 | MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege | 688 | MSIEXEC.EXE
Token: SeLockMemoryPrivilege | 688 | MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege | 688 | MSIEXEC.EXE
Token: SeMachineAccountPrivilege | 688 | MSIEXEC.EXE
Token: SeTcbPrivilege | 688 | MSIEXEC.EXE
Token: SeSecurityPrivilege | 688 | MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege | 688 | MSIEXEC.EXE
Token: SeLoadDriverPrivilege | 688 | MSIEXEC.EXE
Token: SeSystemProfilePrivilege | 688 | MSIEXEC.EXE
Token: SeSystemtimePrivilege | 688 | MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege | 688 | MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege | 688 | MSIEXEC.EXE
Token: SeCreatePagefilePrivilege | 688 | MSIEXEC.EXE
Token: SeCreatePermanentPrivilege | 688 | MSIEXEC.EXE
Token: SeBackupPrivilege | 688 | MSIEXEC.EXE
Token: SeRestorePrivilege | 688 | MSIEXEC.EXE
Token: SeShutdownPrivilege | 688 | MSIEXEC.EXE
Token: SeDebugPrivilege | 688 | MSIEXEC.EXE
Token: SeAuditPrivilege | 688 | MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege | 688 | MSIEXEC.EXE
Token: SeChangeNotifyPrivilege | 688 | MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege | 688 | MSIEXEC.EXE
Token: SeUndockPrivilege | 688 | MSIEXEC.EXE
Token: SeSyncAgentPrivilege | 688 | MSIEXEC.EXE
Token: SeEnableDelegationPrivilege | 688 | MSIEXEC.EXE
Token: SeManageVolumePrivilege | 688 | MSIEXEC.EXE
Token: SeImpersonatePrivilege | 688 | MSIEXEC.EXE
Token: SeCreateGlobalPrivilege | 688 | MSIEXEC.EXE
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
688 | MSIEXEC.EXE
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 980 wrote to memory of 688 | 980 | 166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe | 28
PID 980 wrote to memory of 688 | 980 | 166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe | 28
PID 980 wrote to memory of 688 | 980 | 166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe | 28
PID 980 wrote to memory of 688 | 980 | 166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe | 28
PID 980 wrote to memory of 688 | 980 | 166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe | 28
PID 980 wrote to memory of 688 | 980 | 166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe | 28
PID 980 wrote to memory of 688 | 980 | 166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe | 28
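Reading the three IoC lists together, as an added example that is not part of the report or of the sandbox's own scoring: the script below parses the flattened signature records exactly as the report prints them and builds a per-process summary. The record strings are transcribed from this report; the drive-count threshold and the set of "high-risk" privileges are this example's own assumptions. Two caveats a practitioner would want: a Windows Installer client opening every drive root and enabling a long list of privileges is commonly seen in benign MSI installations, so these hits are weak signals on their own (the report labels them "suspicious", not malicious), and the WriteProcessMemory record only shows pid 980 writing into the MSIEXEC.EXE it spawned (pid 688), which the process tree below already establishes; treat it as confirmation of that parent-child link rather than as injection evidence by itself.

```python
"""Added example: summarise the flattened IoC lists of a sandbox report.

Not the report's or the sandbox's code. The record strings are transcribed
from the signature lists above; HIGH_RISK and the threshold are assumptions.
"""
import re
from collections import defaultdict

SAMPLE_EXE = "166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe"

# "Enumerates connected drives": the 24 root opens by MSIEXEC.EXE, in report order.
DRIVE_LINE = " ".join(
    f"File opened (read-only) \\??\\{d}: MSIEXEC.EXE" for d in "GLPRVXYZAEKNOUBFHJSTIMQW"
)

# "Suspicious use of AdjustPrivilegeToken": all 34 records, in report order.
TOKEN_LINE = (
    "Token: SeShutdownPrivilege 688 MSIEXEC.EXE Token: SeIncreaseQuotaPrivilege 688 MSIEXEC.EXE "
    "Token: SeRestorePrivilege 1528 msiexec.exe Token: SeTakeOwnershipPrivilege 1528 msiexec.exe "
    "Token: SeSecurityPrivilege 1528 msiexec.exe Token: SeCreateTokenPrivilege 688 MSIEXEC.EXE "
    "Token: SeAssignPrimaryTokenPrivilege 688 MSIEXEC.EXE Token: SeLockMemoryPrivilege 688 MSIEXEC.EXE "
    "Token: SeIncreaseQuotaPrivilege 688 MSIEXEC.EXE Token: SeMachineAccountPrivilege 688 MSIEXEC.EXE "
    "Token: SeTcbPrivilege 688 MSIEXEC.EXE Token: SeSecurityPrivilege 688 MSIEXEC.EXE "
    "Token: SeTakeOwnershipPrivilege 688 MSIEXEC.EXE Token: SeLoadDriverPrivilege 688 MSIEXEC.EXE "
    "Token: SeSystemProfilePrivilege 688 MSIEXEC.EXE Token: SeSystemtimePrivilege 688 MSIEXEC.EXE "
    "Token: SeProfSingleProcessPrivilege 688 MSIEXEC.EXE Token: SeIncBasePriorityPrivilege 688 MSIEXEC.EXE "
    "Token: SeCreatePagefilePrivilege 688 MSIEXEC.EXE Token: SeCreatePermanentPrivilege 688 MSIEXEC.EXE "
    "Token: SeBackupPrivilege 688 MSIEXEC.EXE Token: SeRestorePrivilege 688 MSIEXEC.EXE "
    "Token: SeShutdownPrivilege 688 MSIEXEC.EXE Token: SeDebugPrivilege 688 MSIEXEC.EXE "
    "Token: SeAuditPrivilege 688 MSIEXEC.EXE Token: SeSystemEnvironmentPrivilege 688 MSIEXEC.EXE "
    "Token: SeChangeNotifyPrivilege 688 MSIEXEC.EXE Token: SeRemoteShutdownPrivilege 688 MSIEXEC.EXE "
    "Token: SeUndockPrivilege 688 MSIEXEC.EXE Token: SeSyncAgentPrivilege 688 MSIEXEC.EXE "
    "Token: SeEnableDelegationPrivilege 688 MSIEXEC.EXE Token: SeManageVolumePrivilege 688 MSIEXEC.EXE "
    "Token: SeImpersonatePrivilege 688 MSIEXEC.EXE Token: SeCreateGlobalPrivilege 688 MSIEXEC.EXE"
)

# "Suspicious use of WriteProcessMemory": the report repeats this one record 7 times.
WPM_LINE = " ".join([f"PID 980 wrote to memory of 688 980 {SAMPLE_EXE} 28"] * 7)

# Assumption: privileges that matter for tampering, escalation or persistence.
HIGH_RISK = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege", "SeImpersonatePrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_drives(line):
    """process image -> set of drive letters whose root it opened."""
    drives = defaultdict(set)
    for letter, image in DRIVE_RE.findall(line):
        drives[image].add(letter)
    return dict(drives)


def parse_tokens(line):
    """pid -> set of privileges it enabled, plus pid -> process image."""
    privs, images = defaultdict(set), {}
    for priv, pid, image in TOKEN_RE.findall(line):
        privs[int(pid)].add(priv)
        images[int(pid)] = image
    return dict(privs), images


def parse_writes(line):
    """Distinct (writer pid, target pid, writer image) edges; the 7 repeats collapse to 1."""
    return {(int(w), int(t), image) for w, t, image, _ in WPM_RE.findall(line)}


def triage(drive_line, token_line, wpm_line, drive_threshold=5):
    """Combine the three lists into findings a responder can act on."""
    drives = parse_drives(drive_line)
    privs, images = parse_tokens(token_line)
    edges = parse_writes(wpm_line)
    findings = []
    for image, letters in drives.items():
        if len(letters) >= drive_threshold:  # threshold is an assumption; a full sweep merits review
            findings.append(f"{image} enumerated {len(letters)} drive roots")
    for pid, enabled in privs.items():
        risky = sorted(enabled & HIGH_RISK)
        if risky:
            findings.append(f"pid {pid} ({images[pid]}) enabled {', '.join(risky)}")
    for writer, target, image in edges:
        if target in privs:  # tie the memory write to the process that adjusted its token
            findings.append(f"{image} (pid {writer}) wrote into pid {target}, "
                            f"which also adjusted its token privileges")
    return {"drives": drives, "privileges": privs, "writes": edges, "findings": findings}


if __name__ == "__main__":
    for finding in triage(DRIVE_LINE, TOKEN_LINE, WPM_LINE)["findings"]:
        print(finding)
```

Run on this report's records the script yields four findings: MSIEXEC.EXE (pid 688) touched 24 drive roots (every letter except C: and D:), both msiexec instances enabled privileges from the high-risk set, and the only WriteProcessMemory edge is the sample (pid 980) writing into pid 688. The same regexes apply to other reports in this format; only the record strings change.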
Processes
- C:\Users\Admin\AppData\Local\Temp\166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe (PID 980)
  Command line: "C:\Users\Admin\AppData\Local\Temp\166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\MSIEXEC.EXE (PID 688, child of 980)
    Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{236F2C6B-AD04-4CAE-B889-DA7FF49F79B1}\Digeus System Optimizer.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="166b803a0c2e7330aa6af9d9fe3d3da14ed3863f2e701b5ec642bd8152b4f732.exe"
    Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1528)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Downloaded Installations\{236F2C6B-AD04-4CAE-B889-DA7FF49F79B1}\Digeus System Optimizer.msi
  Filesize: 7.4MB
  MD5: a04b5894075e2d574afd892070c23b09
  SHA1: c631a9e1455a3c8a234e0ba902bb580c1e7dafd4
  SHA256: 059b525365b288a9dfc8a5820782bb5db8dd2488b9f7403727849ac969f50d81
  SHA512: 16f109f2dc1d72e7e34d50f6d9901eadf3ca28fc986396b2bd92712d86e7138e423033094660b999bcdc5295a17703e1ef268d78d17010e47cb9d333ba39651f