Analysis
max time kernel: 120s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/05/2023, 08:53

Static task: static1

Behavioral task: behavioral1
  Sample: M7R62016.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: M7R62016.exe
  Resource: win10v2004-20230220-en
General
Target: M7R62016.exe
Size: 95.3MB
MD5: dcfefe590234255e734e808a1fa8dfa3
SHA1: ed3e8bb085ee3d2266b316ed664f5ba62d3152aa
SHA256: ec7824fffd90a15939637d5543e97a6cd0ff83fe8c64265e53a9463fea3c7654
SHA512: 62772aa95c335375464c204de705a35e4757d10ca2a5a73d708943fbe7ebac5c5cfea3d7492890585b5ea0d6f8690d3aece8eb7f858ce358a90ab70f02b4fd2e
SSDEEP: 1572864:9NNZ4er9NQvtoLnZ8fAEKQoSXv9XAbFWFm9lmN9TXY5gvbD+sSfEKHfnPRR3ANN2:9zZFSFoLnZ8IEKQ5X1wbFWFm94nrbW8I
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
flow  pid   Process
16    4940  msiexec.exe
17    4940  msiexec.exe
26    4940  msiexec.exe
27    4940  msiexec.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                     Process
Key value queried  \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation  M7R62016.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (32 IoCs)
description                          pid   Process
Token: SeShutdownPrivilege           4940  msiexec.exe
Token: SeIncreaseQuotaPrivilege      4940  msiexec.exe
Token: SeSecurityPrivilege           2600  msiexec.exe
Token: SeCreateTokenPrivilege        4940  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 4940  msiexec.exe
Token: SeLockMemoryPrivilege         4940  msiexec.exe
Token: SeIncreaseQuotaPrivilege      4940  msiexec.exe
Token: SeMachineAccountPrivilege     4940  msiexec.exe
Token: SeTcbPrivilege                4940  msiexec.exe
Token: SeSecurityPrivilege           4940  msiexec.exe
Token: SeTakeOwnershipPrivilege      4940  msiexec.exe
Token: SeLoadDriverPrivilege         4940  msiexec.exe
Token: SeSystemProfilePrivilege      4940  msiexec.exe
Token: SeSystemtimePrivilege         4940  msiexec.exe
Token: SeProfSingleProcessPrivilege  4940  msiexec.exe
Token: SeIncBasePriorityPrivilege    4940  msiexec.exe
Token: SeCreatePagefilePrivilege     4940  msiexec.exe
Token: SeCreatePermanentPrivilege    4940  msiexec.exe
Token: SeBackupPrivilege             4940  msiexec.exe
Token: SeRestorePrivilege            4940  msiexec.exe
Token: SeShutdownPrivilege           4940  msiexec.exe
Token: SeDebugPrivilege              4940  msiexec.exe
Token: SeAuditPrivilege              4940  msiexec.exe
Token: SeSystemEnvironmentPrivilege  4940  msiexec.exe
Token: SeChangeNotifyPrivilege       4940  msiexec.exe
Token: SeRemoteShutdownPrivilege     4940  msiexec.exe
Token: SeUndockPrivilege             4940  msiexec.exe
Token: SeSyncAgentPrivilege          4940  msiexec.exe
Token: SeEnableDelegationPrivilege   4940  msiexec.exe
Token: SeManageVolumePrivilege       4940  msiexec.exe
Token: SeImpersonatePrivilege        4940  msiexec.exe
Token: SeCreateGlobalPrivilege       4940  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
4940  msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process       procid_target
PID 2840 wrote to memory of 4940   2840  M7R62016.exe  85
PID 2840 wrote to memory of 4940   2840  M7R62016.exe  85
PID 2840 wrote to memory of 4940   2840  M7R62016.exe  85
Processes
C:\Users\Admin\AppData\Local\Temp\M7R62016.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\M7R62016.exe"
  PID: 2840
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /l*v "C:\Users\Admin\AppData\Local\Perimeter81\Updates\install.log" /i "C:\Users\Admin\AppData\Local\Temp\Perimeter81Installer.msi"
    PID: 4940
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2600
  - Suspicious use of AdjustPrivilegeToken