Analysis
- max time kernel: 85s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/05/2023, 14:29
Static task
- static1
Behavioral tasks
- behavioral1: sample AltInstaller.msi, resource win7-20230220-en
- behavioral2: sample AltInstaller.msi, resource win10v2004-20230220-en
- behavioral3: sample setup.exe, resource win7-20230220-en
- behavioral4: sample setup.exe, resource win10v2004-20230221-en
General
- Target: setup.exe
- Size: 780KB
- MD5: e3d0c2a49f23dc150348dccc644e61b2
- SHA1: 0143c07dabe75b771367d38e345dbfd5d47e1d82
- SHA256: d48ad2ccf063ce4606b04ffeb0468af44eec3fe0a42a969a51673547b22d8e58
- SHA512: 14fd7b78e10427b2669ea01c1bc19ba5f8d32439ddf514950e76aa2cbb0fc443d18d54229b6e7451081828275357e9425e82f1494b54e87d1b24c1b0f184fb34
- SSDEEP: 12288:cuGj5je69oqAmj5oMqKyKAuqOAP0wukeMb01JQntLOCHOYo0H:cXhe29AmjkKuukemHOYx
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried by setup.exe: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe, every drive letter except C: and D:: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Privileges adjusted by PID 4480 (msiexec.exe), 31 IoCs: SeShutdownPrivilege (2x), SeIncreaseQuotaPrivilege (2x), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  Privileges adjusted by PID 4604 (msiexec.exe), 1 IoC: SeSecurityPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 4480 msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3036 (setup.exe) wrote to memory of PID 4480 (procid_target 83); three identical events recorded
Processes
- C:\Users\Admin\AppData\Local\Temp\setup.exe (PID 3036)
  command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (PID 4480, child of PID 3036)
    command line: "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\AltInstaller.msi"
    signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4604, Windows Installer service instance)
  command line: C:\Windows\system32\msiexec.exe /V
  signatures: Suspicious use of AdjustPrivilegeToken
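The behaviours the report attributes to setup.exe and msiexec.exe (the Geo\Nation registry read, the drive-root enumeration, and a Temp-dropped executable launching msiexec.exe -I on a Temp-dropped .msi) written as detection rules and run over constructed Sysmon-style events. This is an added example, not sandbox output and not code from the sample; the event schema, the rule names, the detect function and the 8-drive threshold are assumptions, and the events are constructed to mirror the IoCs above plus one benign control that must not fire.

```python
"""Detection rules for the behaviours in the sandbox report, run over
constructed events. Added example: the event schema, rule names and the
drive threshold are assumptions, not part of the report."""
import re
from collections import defaultdict

# Registry value the report shows setup.exe querying (geofence check).
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# NT-style drive root such as \??\E:, the form the report lists for msiexec.exe.
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$", re.IGNORECASE)
# Per-user temp directory, where both setup.exe and AltInstaller.msi live.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# msiexec install switch: "-I" as seen in the report, "/i" as documented.
MSI_INSTALL_RE = re.compile(r"(^|\s)[-/]i\b", re.IGNORECASE)

# Constructed events mirroring the report's IoCs, plus one benign control
# (explorer.exe touching a single drive root) that must not be flagged.
EVENTS = [
    {"type": "registry_query", "pid": 3036, "image": "setup.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 4480, "ppid": 3036,
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "cmdline": r'"C:\Windows\SysWOW64\msiexec.exe" -I '
                r'"C:\Users\Admin\AppData\Local\Temp\AltInstaller.msi"'},
    *[{"type": "file_open", "pid": 4480, "image": "msiexec.exe", "path": f"\\??\\{c}:"}
      for c in "ABEFGHIJKLMNOPQRSTUVWXYZ"],
    {"type": "file_open", "pid": 1234, "image": "explorer.exe", "path": r"\??\E:"},
]


def detect(events, drive_threshold=8):
    """Return one finding dict per rule hit. drive_threshold is the number of
    distinct non-C: drive roots one process must open to count as enumeration."""
    findings = []
    drives_by_pid = defaultdict(set)
    image_by_pid = {}
    for ev in events:
        image_by_pid.setdefault(ev["pid"], ev["image"])
        if ev["type"] == "registry_query" and GEO_NATION_RE.search(ev["key"]):
            findings.append({"rule": "geofence_lookup", "pid": ev["pid"], "image": ev["image"]})
        elif ev["type"] == "file_open":
            m = DRIVE_ROOT_RE.match(ev["path"])
            if m and m.group(1).upper() != "C":
                drives_by_pid[ev["pid"]].add(m.group(1).upper())
        elif ev["type"] == "process_create":
            # msiexec itself is benign; the signal is an executable living in
            # %TEMP% installing an .msi that also lives in %TEMP%.
            if (ev["image"].lower().endswith("\\msiexec.exe")
                    and TEMP_DIR_RE.search(ev.get("parent_image", ""))
                    and MSI_INSTALL_RE.search(ev.get("cmdline", ""))
                    and TEMP_DIR_RE.search(ev.get("cmdline", ""))):
                findings.append({"rule": "temp_dropper_msiexec", "pid": ev["pid"],
                                 "ppid": ev.get("ppid"), "image": ev["image"]})
    # Drive enumeration is judged per process once all events are seen.
    for pid, drives in drives_by_pid.items():
        if len(drives) >= drive_threshold:
            findings.append({"rule": "drive_enumeration", "pid": pid,
                             "image": image_by_pid[pid], "drives": "".join(sorted(drives))})
    return findings


def summarize(findings):
    """One console line per finding."""
    return [f"{f['rule']}: pid {f['pid']} {f['image']}"
            + (f" drives={f['drives']}" if "drives" in f else "")
            for f in findings]


if __name__ == "__main__":
    for line in summarize(detect(EVENTS)):
        print(line)
```

Two of the three rules are weak on their own: msiexec.exe opening every drive root is normal Windows Installer behaviour during disk-space costing, and the long AdjustPrivilegeToken list is likewise what msiexec does on any install, so neither should alert by itself. The Geo\Nation read is also common in benign installers for localisation. The rule worth weighting is the parent context, an executable in the user's Temp directory invoking msiexec.exe on an .msi dropped beside it, which is why temp_dropper_msiexec keys on the parent path and the .msi path rather than on msiexec.exe itself.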