Analysis
- max time kernel: 31s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 18/03/2023, 18:59
- Static task static1
- Behavioral task behavioral1: sample HWIDkey_Changer.exe, resource win7-20230220-en
- Behavioral task behavioral2: sample HWIDkey_Changer.exe, resource win10v2004-20230220-en
General
- Target: HWIDkey_Changer.exe
- Size: 3.1MB
- MD5: e9354e124cd94c7de7c49ddd8a9fdc8e
- SHA1: cc4c887b678592015d1a69ac1b42222a012f0b5d
- SHA256: 41b60776b642d8d3b40c68f7af83aee59490016189f547f708506fd1dff46c4c
- SHA512: 269066f35e5c9b89b3440458e82f7d718c01525d1d0cee6188e8c7d475b29932c27973aa96f3fd6036eb4d507ccdde9f52f96bc2cde0347b8f2a176574402cfa
- SSDEEP: 98304:2n0RraFH51QKghosKOhxBdNNvYbiVWKjG8OtDB:2ncm3Oj9NvqKjG8UB
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  pid / process: 2024 HWIDkey_Changer.exe; 2024 HWIDkey_Changer.exe; 1744 MsiExec.exe; 2024 HWIDkey_Changer.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only), by process:
  HWIDkey_Changer.exe (PID 2024): \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (24 IoCs: every drive letter except C: and D:)
  msiexec.exe (PID 1748): the same 24 drive roots, \??\A: through \??\Z: except C: and D: (24 IoCs)
- Drops file in Windows directory (1 IoC)
  File created: C:\Windows\Tasks\C__Users_Admin_AppData_Local_Temp_HWIDkey_Changer.exe.job by HWIDkey_Changer.exe
  A .job file under C:\Windows\Tasks is a Task Scheduler 1.0 job definition, so this is a scheduled task being registered by the sample; the job name encodes the sample's own temp path, which is the usual shape of a task that re-launches the dropper.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  msiexec.exe (PID 1748): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege (3 entries)
  HWIDkey_Changer.exe (PID 2024): 61 entries, consisting of the 29-privilege set below requested in full twice, followed by its first three names (SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege) once more where the listing stops at the 64th entry:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  Sweeping every privilege on the token in one pass, including SeTcbPrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege and SeDebugPrivilege, is the enable-all-privileges pattern rather than a targeted request. AdjustTokenPrivileges can only enable privileges the token already holds, so which of these actually took effect depends on the account the sample ran under (the Admin user in this sandbox), not on the list itself.
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1748 (msiexec.exe) wrote to the memory of PID 1744 seven times (procid_target 27). PID 1744 is the MsiExec.exe -Embedding process that 1748 spawned, so these are parent-to-child writes around process creation by the Windows Installer service, not writes into an unrelated process; the sample itself (PID 2024) has no WriteProcessMemory entries.
Processes
- C:\Users\Admin\AppData\Local\Temp\HWIDkey_Changer.exe (PID 2024)
  command line: "C:\Users\Admin\AppData\Local\Temp\HWIDkey_Changer.exe"
  signatures: Loads dropped DLL; Enumerates connected drives; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (PID 1748)
  command line: C:\Windows\system32\msiexec.exe /V
  signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1744), child of PID 1748
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 03A54671D7748ED4865EC98652998C81 C
    signatures: Loads dropped DLL
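The Signatures and Processes sections above are rendered as flattened tables, which makes it hard to answer the questions a triager actually has: which PIDs asked for which high-impact privileges, which drive roots each image touched, and whether a WriteProcessMemory event is a parent writing into its own child or a write into a stranger. The following is an added example, not Triage's code and not the sample's, that parses that rendered layout into records and correlates them. The input strings are constructed from a subset of the report's own lines; the SENSITIVE set is this example's own choice of well-known high-impact privileges, and the field layout it assumes ("Token: <priv> <pid> <image>", "File opened (read-only) \??\<X>: <image>", "PID <a> wrote to memory of <b> <a> <image> <n>", process lines ending in "<depth>⤵" followed by "PID:<n>") is how this page renders those tables.

```python
"""Parse flattened Triage (tria.ge) signature IoC text and the process list
into records and correlate them. Added example; the inputs below are a
constructed subset of the report above and the SENSITIVE set is our own."""
import re
from collections import Counter, defaultdict

# --- constructed input: a subset of the report's own IoC text ---------------
PRIV_TEXT = (
    "Token: SeRestorePrivilege 1748 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 1748 msiexec.exe "
    "Token: SeSecurityPrivilege 1748 msiexec.exe "
    "Token: SeCreateTokenPrivilege 2024 HWIDkey_Changer.exe "
    "Token: SeTcbPrivilege 2024 HWIDkey_Changer.exe "
    "Token: SeLoadDriverPrivilege 2024 HWIDkey_Changer.exe "
    "Token: SeDebugPrivilege 2024 HWIDkey_Changer.exe "
    "Token: SeDebugPrivilege 2024 HWIDkey_Changer.exe"
)
DRIVE_TEXT = (
    "File opened (read-only) \\??\\E: HWIDkey_Changer.exe "
    "File opened (read-only) \\??\\T: HWIDkey_Changer.exe "
    "File opened (read-only) \\??\\P: msiexec.exe "
    "File opened (read-only) \\??\\H: msiexec.exe"
)
WPM_TEXT = (
    "PID 1748 wrote to memory of 1744 1748 msiexec.exe 27 "
    "PID 1748 wrote to memory of 1744 1748 msiexec.exe 27"
)
PROCESS_TEXT = (
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\HWIDkey_Changer.exe'
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\HWIDkey_Changer.exe"1⤵\n'
    "PID:2024\n"
    "C:\\Windows\\system32\\msiexec.exeC:\\Windows\\system32\\msiexec.exe /V1⤵\n"
    "PID:1748\n"
    "C:\\Windows\\syswow64\\MsiExec.exeC:\\Windows\\syswow64\\MsiExec.exe "
    "-Embedding 03A54671D7748ED4865EC98652998C81 C2⤵\n"
    "PID:1744"
)

# High-impact token privileges worth flagging on their own (our selection).
SENSITIVE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
             "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege",
             "SeTakeOwnershipPrivilege", "SeImpersonatePrivilege"}

PRIV_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
# image path, then the command line (which repeats the path), then "<depth>⤵"
PROC_RE = re.compile(r'^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>.*?)(?P<depth>\d+)⤵$')
PID_RE = re.compile(r"^PID:(\d+)$")


def parse_privileges(text):
    """pid -> Counter of privilege names passed to AdjustTokenPrivileges."""
    out = defaultdict(Counter)
    for priv, pid, _image in PRIV_RE.findall(text):
        out[int(pid)][priv] += 1
    return dict(out)


def parse_drives(text):
    """image name -> sorted drive letters whose root it opened read-only."""
    out = defaultdict(set)
    for letter, image in DRIVE_RE.findall(text):
        out[image].add(letter)
    return {img: sorted(letters) for img, letters in out.items()}


def parse_wpm(text):
    """List of (writer_pid, target_pid, writer_image) WriteProcessMemory events."""
    return [(int(a), int(b), img) for a, b, img in WPM_RE.findall(text)]


def parse_process_tree(text):
    """pid -> {image, cmdline, depth, parent}. The parent is the most recent
    entry one level shallower, which is how the ⤵ depth marker nests."""
    procs, pending, last_at_depth = {}, None, {}
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            pending = {"image": m["image"], "cmdline": m["cmd"], "depth": int(m["depth"])}
            continue
        m = PID_RE.match(line)
        if m and pending is not None:
            pid = int(m[1])
            pending["parent"] = last_at_depth.get(pending["depth"] - 1)
            last_at_depth[pending["depth"]] = pid
            procs[pid] = pending
            pending = None
    return procs


def classify_writes(wpm, procs):
    """'parent-to-child' when the writer spawned the target (the CreateProcess
    shape, as msiexec /V -> MsiExec -Embedding here), else 'cross-process',
    which is the injection-shaped case worth a closer look."""
    return ["parent-to-child" if procs.get(t, {}).get("parent") == w else "cross-process"
            for w, t, _img in wpm]


def sensitive_privileges(privs):
    """pid -> sorted high-impact privileges that pid asked to enable."""
    return {pid: sorted(set(c) & SENSITIVE) for pid, c in privs.items()}


def summarize():
    privs = parse_privileges(PRIV_TEXT)
    procs = parse_process_tree(PROCESS_TEXT)
    return {"privileges": {pid: dict(c) for pid, c in privs.items()},
            "sensitive": sensitive_privileges(privs),
            "drives": parse_drives(DRIVE_TEXT),
            "tree": {pid: (p["image"], p["parent"]) for pid, p in procs.items()},
            "wpm": classify_writes(parse_wpm(WPM_TEXT), procs)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2))
```

Run against the full IoC text of a report (paste each signature's line into the matching constant) the same functions give per-PID privilege sets, per-image drive lists and a parent/child label for every memory write; a "cross-process" label, or a sample PID rather than msiexec.exe as the writer, is the case that would change the reading of this report.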
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists 7 dropped-file entries; they are 3 distinct files (identical hashes repeated), shown once each with their count.
- 1.8MB (1 entry)
  MD5: f765783a5af98642a16080b3599fe892
  SHA1: 83228f1c274bbafe56912df83af4ceb1c9528afe
  SHA256: 8ca367d6fe03f1e5ca9f1005b2cb2df8d062cbdb2dac2bb288c8a9abcd7c77d7
  SHA512: 26add12994ee9b915290d84df5d6eabe1018a01cc1dbc9ddabd35b1f0247089e958bc0b3fc977b40d18ece6ae9dc8b14bd003373168f06b094a8a0d4cea862ad
- 373KB (2 entries)
  MD5: f21b7303582dc0bf18fc734df1245043
  SHA1: 306de4746ec0fa5fd6f67127060640abb26f2a9e
  SHA256: 58e954de5dbec06179e7c749f321555520c8fcfbd9d3b05cc2b0110573a507d4
  SHA512: 0170f83e53e28ad09dcf00649aa7e4c3d9e8cead49b54971df594c60062f8f4ed5b3c18588942fc038337a1f2478fb039e213fbadb55fe5091fdaaf28d9911b4
- 182KB (4 entries)
  MD5: dca95f4411a1c7eeb221c095c9ef8196
  SHA1: b6e7053dd667cf6b75dc08bb9c1b5fb0db403377
  SHA256: 51e89bfa578fdcdcb324f5caa2c36c5cc8f1dbd73658bed39445c57c722b91f4
  SHA512: c21351975426f072f8c2c601e0cc88d66813e855a8537cabaf5ab13e8416d36278253a64d84654bd44ca80a912fb48d35787834c63a8275d1265bd435a84a0e0