Analysis
- max time kernel: 77s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/05/2023, 05:19
Static task: static1
Behavioral task: behavioral1
  Sample: c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe
  Resource: win10v2004-20230220-en
General
- Target: c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe
- Size: 14.3MB
- MD5: 6b18d556858c5d6f9a6f24ad34acbfa7
- SHA1: 9015815f63bf28af142191851203b6dae5247ce8
- SHA256: c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62
- SHA512: 357455521cabc3f36b0506f0d2f0ab0f796c43f98ff828b083cd2a079b32e5b20e18ab6268cb72c9491d3ee1680c67a2cba9bac8d4b1176daabe4958d235747a
- SSDEEP: 393216:LzgwSim90TADBA0mj8lucjI59sy07siIg61wPnRBB:LUaA9A1jYD7siIg6SPR/
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  pid   Process
  3148  MsiExec.exe
  3148  MsiExec.exe
  3148  MsiExec.exe
  3148  MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  4248  c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe
  952   msiexec.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 4248 wrote to memory of 952    4248  c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe   84
  PID 4248 wrote to memory of 952    4248  c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe   84
  PID 3016 wrote to memory of 3148   3016  msiexec.exe                                                             87
  PID 3016 wrote to memory of 3148   3016  msiexec.exe                                                             87
  PID 3016 wrote to memory of 3148   3016  msiexec.exe                                                             87
Processes
- C:\Users\Admin\AppData\Local\Temp\c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe (PID 4248)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\msiexec.exe (PID 952)
    Command line: /i "C:\Users\Admin\AppData\Roaming\HB\Reflow Soldering OS 3.6.0\install\setup.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\c543ab8aec819ddd0f5e2c2c590cb43d3352bfe2cba50e6e1910da026c4c7b62.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3016)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 3148)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A6702E3603B780C1B88728B381228F47 C
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads