c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62

Analysis

max time kernel
29s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-05-2023 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe
Size

14.3MB
MD5

6b18d556858c5d6f9a6f24ad34acbfa7
SHA1

9015815f63bf28af142191851203b6dae5247ce8
SHA256

c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62
SHA512

357455521cabc3f36b0506f0d2f0ab0f796c43f98ff828b083cd2a079b32e5b20e18ab6268cb72c9491d3ee1680c67a2cba9bac8d4b1176daabe4958d235747a
SSDEEP

393216:LzgwSim90TADBA0mj8lucjI59sy07siIg61wPnRBB:LUaA9A1jYD7siIg6SPR/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
596	MsiExec.exe
596	MsiExec.exe
596	MsiExec.exe
596	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	584	msiexec.exe
Token: SeTakeOwnershipPrivilege	584	msiexec.exe
Token: SeSecurityPrivilege	584	msiexec.exe
Token: SeCreateTokenPrivilege	1952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1952	msiexec.exe
Token: SeLockMemoryPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeMachineAccountPrivilege	1952	msiexec.exe
Token: SeTcbPrivilege	1952	msiexec.exe
Token: SeSecurityPrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeLoadDriverPrivilege	1952	msiexec.exe
Token: SeSystemProfilePrivilege	1952	msiexec.exe
Token: SeSystemtimePrivilege	1952	msiexec.exe
Token: SeProfSingleProcessPrivilege	1952	msiexec.exe
Token: SeIncBasePriorityPrivilege	1952	msiexec.exe
Token: SeCreatePagefilePrivilege	1952	msiexec.exe
Token: SeCreatePermanentPrivilege	1952	msiexec.exe
Token: SeBackupPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeDebugPrivilege	1952	msiexec.exe
Token: SeAuditPrivilege	1952	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1952	msiexec.exe
Token: SeChangeNotifyPrivilege	1952	msiexec.exe
Token: SeRemoteShutdownPrivilege	1952	msiexec.exe
Token: SeUndockPrivilege	1952	msiexec.exe
Token: SeSyncAgentPrivilege	1952	msiexec.exe
Token: SeEnableDelegationPrivilege	1952	msiexec.exe
Token: SeManageVolumePrivilege	1952	msiexec.exe
Token: SeImpersonatePrivilege	1952	msiexec.exe
Token: SeCreateGlobalPrivilege	1952	msiexec.exe
Token: SeCreateTokenPrivilege	1952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1952	msiexec.exe
Token: SeLockMemoryPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeMachineAccountPrivilege	1952	msiexec.exe
Token: SeTcbPrivilege	1952	msiexec.exe
Token: SeSecurityPrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeLoadDriverPrivilege	1952	msiexec.exe
Token: SeSystemProfilePrivilege	1952	msiexec.exe
Token: SeSystemtimePrivilege	1952	msiexec.exe
Token: SeProfSingleProcessPrivilege	1952	msiexec.exe
Token: SeIncBasePriorityPrivilege	1952	msiexec.exe
Token: SeCreatePagefilePrivilege	1952	msiexec.exe
Token: SeCreatePermanentPrivilege	1952	msiexec.exe
Token: SeBackupPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeDebugPrivilege	1952	msiexec.exe
Token: SeAuditPrivilege	1952	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1952	msiexec.exe
Token: SeChangeNotifyPrivilege	1952	msiexec.exe
Token: SeRemoteShutdownPrivilege	1952	msiexec.exe
Token: SeUndockPrivilege	1952	msiexec.exe
Token: SeSyncAgentPrivilege	1952	msiexec.exe
Token: SeEnableDelegationPrivilege	1952	msiexec.exe
Token: SeManageVolumePrivilege	1952	msiexec.exe
Token: SeImpersonatePrivilege	1952	msiexec.exe
Token: SeCreateGlobalPrivilege	1952	msiexec.exe
Token: SeCreateTokenPrivilege	1952	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1300	c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe
1952	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1952	1300	c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe	26
PID 1300 wrote to memory of 1952	1300	c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe	26
PID 1300 wrote to memory of 1952	1300	c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe	26
PID 1300 wrote to memory of 1952	1300	c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe	26
PID 1300 wrote to memory of 1952	1300	c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe	26
PID 1300 wrote to memory of 1952	1300	c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe	26
PID 1300 wrote to memory of 1952	1300	c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe	26
PID 584 wrote to memory of 596	584	msiexec.exe	28
PID 584 wrote to memory of 596	584	msiexec.exe	28
PID 584 wrote to memory of 596	584	msiexec.exe	28
PID 584 wrote to memory of 596	584	msiexec.exe	28
PID 584 wrote to memory of 596	584	msiexec.exe	28
PID 584 wrote to memory of 596	584	msiexec.exe	28
PID 584 wrote to memory of 596	584	msiexec.exe	28

C:\Users\Admin\AppData\Local\Temp\c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe
"C:\Users\Admin\AppData\Local\Temp\c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\HB\Reflow Soldering OS 3.6.0\install\setup.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1952

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 27D0DFD043A752155629E9B224DD515E C
  2⤵
  - Loads dropped DLL
  PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI5FFC.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI61A2.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI629D.tmp

Filesize
287KB

MD5
30ee500e69f06a463f668522fc789945

SHA1
c67a201b59ca2388e8ef060de287a678f1fae705

SHA256
849131d9b648070461d0fa90cbf094e3c149643ceab43d0c834b82f48a2ef277

SHA512
87a0b5aa28a426a156041f050ac9abce2d25efc70570a829fce3831827dc2a426ca5a85acf672519c3c88b463dcdfa9f20ccef46f0eb07e8d04c4e0d9673246d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI631A.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI631A.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
C:\Users\Admin\AppData\Roaming\HB\Reflow Soldering OS 3.6.0\install\setup.msi

Filesize
942KB

MD5
e3d2372b29f6bb613bea4c57c03dc48d

SHA1
141f50c9ec4c77e889a52e0363ab0c407667992e

SHA256
292ef57407b4a8ad2fd7207795dbf565e61b6ad9ffef6d15da8e8d76b71e1c1c

SHA512
71bb49670f5fe53165facca1e292438e542ed41ee660080e81d202dd792a79d2f3df5aec4f73a2807fe7d044ce1df097cd41589fb839612b21d8caf1a33f0432

Download Submit
\Users\Admin\AppData\Local\Temp\MSI5FFC.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
\Users\Admin\AppData\Local\Temp\MSI61A2.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
\Users\Admin\AppData\Local\Temp\MSI629D.tmp

Filesize
287KB

MD5
30ee500e69f06a463f668522fc789945

SHA1
c67a201b59ca2388e8ef060de287a678f1fae705

SHA256
849131d9b648070461d0fa90cbf094e3c149643ceab43d0c834b82f48a2ef277

SHA512
87a0b5aa28a426a156041f050ac9abce2d25efc70570a829fce3831827dc2a426ca5a85acf672519c3c88b463dcdfa9f20ccef46f0eb07e8d04c4e0d9673246d

Download Submit
\Users\Admin\AppData\Local\Temp\MSI631A.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
memory/1300-54-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1300-73-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download