245fc232d64b68f2290e3d176ca8cbf456d4428043a8169ffc46f32d75a21e99

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows_IPTV_Player_3.0.exe
Size

41.8MB
MD5

70a6738a4fb2228b516517f51d7a92f5
SHA1

fa2d7d1dcccc3e2acb96416871b77bef63fac0eb
SHA256

245fc232d64b68f2290e3d176ca8cbf456d4428043a8169ffc46f32d75a21e99
SHA512

f978561ebe4ccc499f0655a61085b5b07d33348c7fb8dfe65350d3c9fc9a392b187cf5ed18a55fa3bdcda83c2e9792c449c1895055039e736ac11df5114ea171
SSDEEP

786432:+rJaol/xkzHXsueDqId3ORKkSEwslxHSJe5DeXdIocS9f4g/G3aRua5k00zFe+:+NjZyhePd3AwsTSJyeXdH9zbRh5k04

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3240	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\I:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\O:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\S:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\X:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\K:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\Q:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\H:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\J:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\R:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\V:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\N:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\T:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\U:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\P:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\W:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\Y:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\Z:	Windows_IPTV_Player_3.0.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4452	msiexec.exe
Token: SeCreateTokenPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeAssignPrimaryTokenPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeLockMemoryPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeIncreaseQuotaPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeMachineAccountPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeTcbPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeSecurityPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeTakeOwnershipPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeLoadDriverPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeSystemProfilePrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeSystemtimePrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeProfSingleProcessPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeIncBasePriorityPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeCreatePagefilePrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeCreatePermanentPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeBackupPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeRestorePrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeShutdownPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeDebugPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeAuditPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeSystemEnvironmentPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeChangeNotifyPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeRemoteShutdownPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeUndockPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeSyncAgentPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeEnableDelegationPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeManageVolumePrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeImpersonatePrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeCreateGlobalPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeCreateTokenPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeAssignPrimaryTokenPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeLockMemoryPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeIncreaseQuotaPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeMachineAccountPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeTcbPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeSecurityPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeTakeOwnershipPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeLoadDriverPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeSystemProfilePrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeSystemtimePrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeProfSingleProcessPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeIncBasePriorityPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeCreatePagefilePrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeCreatePermanentPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeBackupPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeRestorePrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeShutdownPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeDebugPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeAuditPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeSystemEnvironmentPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeChangeNotifyPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeRemoteShutdownPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeUndockPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeSyncAgentPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeEnableDelegationPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeManageVolumePrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeImpersonatePrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeCreateGlobalPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeCreateTokenPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeAssignPrimaryTokenPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeLockMemoryPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeIncreaseQuotaPrivilege	1964	Windows_IPTV_Player_3.0.exe
Token: SeMachineAccountPrivilege	1964	Windows_IPTV_Player_3.0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1964	Windows_IPTV_Player_3.0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3240	4452	msiexec.exe	84
PID 4452 wrote to memory of 3240	4452	msiexec.exe	84
PID 4452 wrote to memory of 3240	4452	msiexec.exe	84

C:\Users\Admin\AppData\Local\Temp\Windows_IPTV_Player_3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Windows_IPTV_Player_3.0.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1964

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 78E532E051DBC8D1637AC6203A8AFD43 C
  2⤵
  - Loads dropped DLL
  PID:3240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1964\dialog

Filesize
11KB

MD5
553df955cb4b2e7be5cef99cb8ec9254

SHA1
370c2f61e886e53d8faf9537040daaafed330137

SHA256
f1fcb09df932aef09b24eea796286ceaedcbceccd4d8f4536345163c4d3d9ff7

SHA512
d31d4fc9080c794901b9fa3d3aec998a1b274f4c11c02362b30d2fbaf013b877198b08bb6d96fda68c7e9e329740090609a7d65249bc7e6209ace24fcfe3c34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9560.tmp

Filesize
349KB

MD5
09979fe43e7417c747ca0f71d811b5c1

SHA1
4765260722982446ccff12d6613de845177ccc98

SHA256
d3ab8b009c45ea39791a8179ec1ec8c649281d7af3c8e975991085a25d4757a9

SHA512
c150ff622aee88ddd849ca78b669bc469590110d01a393794c8c008c50f06d9b33f8d0c11106d6defba4750c7c93f2ff86a1fd524658161c9e5a93620a352282

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9560.tmp

Filesize
349KB

MD5
09979fe43e7417c747ca0f71d811b5c1

SHA1
4765260722982446ccff12d6613de845177ccc98

SHA256
d3ab8b009c45ea39791a8179ec1ec8c649281d7af3c8e975991085a25d4757a9

SHA512
c150ff622aee88ddd849ca78b669bc469590110d01a393794c8c008c50f06d9b33f8d0c11106d6defba4750c7c93f2ff86a1fd524658161c9e5a93620a352282

Download Submit
C:\Users\Admin\AppData\Roaming\Xtream Codes LTD\Windows IPTV Player 3.0.0.0\install\Windows IPTV Player.msi

Filesize
1.9MB

MD5
caf295da27d1225ac76de35b1ee7d5fd

SHA1
88578e7b89e538730f79b2879179795573d3450e

SHA256
a4b1b6ac1b3740ca501ffed4bda86c25250a82e5cb6e54ae0ba79992474983c8

SHA512
b2f845ed9840732690c0ef449767ca46aebe72ff09736e14e060bddf7b31d43e30a3a38e74167cb95f82342cb2621197624cac87c3ea29ac63deb95d90aba51a

Download Submit