Analysis
- max time kernel: 376s
- max time network: 438s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 12/05/2023, 14:29
Static task
- static1
Behavioral tasks
- behavioral1: sample AltInstaller.msi, resource win7-20230220-en
- behavioral2: sample AltInstaller.msi, resource win10-20230220-en
- behavioral3: sample AltInstaller.msi, resource win10v2004-20230220-en
- behavioral4: sample setup.exe, resource win7-20230220-en
- behavioral5: sample setup.exe, resource win10-20230220-en
- behavioral6: sample setup.exe, resource win10v2004-20230220-en
General
- Target: setup.exe
- Size: 780KB
- MD5: e3d0c2a49f23dc150348dccc644e61b2
- SHA1: 0143c07dabe75b771367d38e345dbfd5d47e1d82
- SHA256: d48ad2ccf063ce4606b04ffeb0468af44eec3fe0a42a969a51673547b22d8e58
- SHA512: 14fd7b78e10427b2669ea01c1bc19ba5f8d32439ddf514950e76aa2cbb0fc443d18d54229b6e7451081828275357e9425e82f1494b54e87d1b24c1b0f184fb34
- SSDEEP: 12288:cuGj5je69oqAmj5oMqKyKAuqOAP0wukeMb01JQntLOCHOYo0H:cXhe29AmjkKuukemHOYx
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); process: msiexec.exe; IoCs (in the order reported):
  \??\B:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\O:, \??\R:, \??\A:, \??\E:, \??\G:, \??\X:, \??\P:, \??\S:, \??\T:, \??\V:, \??\Y:, \??\Z:, \??\F:, \??\N:, \??\Q:, \??\U:, \??\W:
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 1196 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1196 | msiexec.exe
  Token: SeSecurityPrivilege | 1368 | msiexec.exe
  Token: SeCreateTokenPrivilege | 1196 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 1196 | msiexec.exe
  Token: SeLockMemoryPrivilege | 1196 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1196 | msiexec.exe
  Token: SeMachineAccountPrivilege | 1196 | msiexec.exe
  Token: SeTcbPrivilege | 1196 | msiexec.exe
  Token: SeSecurityPrivilege | 1196 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1196 | msiexec.exe
  Token: SeLoadDriverPrivilege | 1196 | msiexec.exe
  Token: SeSystemProfilePrivilege | 1196 | msiexec.exe
  Token: SeSystemtimePrivilege | 1196 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 1196 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 1196 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 1196 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 1196 | msiexec.exe
  Token: SeBackupPrivilege | 1196 | msiexec.exe
  Token: SeRestorePrivilege | 1196 | msiexec.exe
  Token: SeShutdownPrivilege | 1196 | msiexec.exe
  Token: SeDebugPrivilege | 1196 | msiexec.exe
  Token: SeAuditPrivilege | 1196 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 1196 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 1196 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 1196 | msiexec.exe
  Token: SeUndockPrivilege | 1196 | msiexec.exe
  Token: SeSyncAgentPrivilege | 1196 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 1196 | msiexec.exe
  Token: SeManageVolumePrivilege | 1196 | msiexec.exe
  Token: SeImpersonatePrivilege | 1196 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 1196 | msiexec.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  1196 | msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4404 wrote to memory of 1196 | 4404 | setup.exe | 66
  PID 4404 wrote to memory of 1196 | 4404 | setup.exe | 66
  PID 4404 wrote to memory of 1196 | 4404 | setup.exe | 66
Processes
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  PID: 4404
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (child of PID 4404)
    command line: "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\AltInstaller.msi"
    PID: 1196
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 1368
  - Suspicious use of AdjustPrivilegeToken