6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6

Analysis

max time kernel
137s
max time network
105s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/06/2023, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PatchCleaner_1.4.2.0.exe
Size

1.3MB
MD5

70d0bd7633d10c492839272c97b2544e
SHA1

4da0e8c2fe1f06b13985d700fe15686a1015c3bb
SHA256

6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6
SHA512

99d43ed2060eb6371a54f73af407fe4cc7644a93e5f856419ad0cb8769b2664139cb9097ff4be4b8dbb93f2c5da4fc90bc48eeac6fe0b3df5f8bc12428b5b5b2
SSDEEP

24576:91OYdaPtyx5f3bpaOZpBr8Mok3CwAvCJYNsO7z7YHgEzmvDjvANu29N:91Os1gOpBrRokSwAqJY73Sz2Qv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1672	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
1216	PatchCleaner_1.4.2.0.exe
1672	setup.exe
1672	setup.exe
1524	MsiExec.exe
1524	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1152	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1152	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeSecurityPrivilege	1140	msiexec.exe
Token: SeCreateTokenPrivilege	1152	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1152	msiexec.exe
Token: SeLockMemoryPrivilege	1152	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1152	msiexec.exe
Token: SeMachineAccountPrivilege	1152	msiexec.exe
Token: SeTcbPrivilege	1152	msiexec.exe
Token: SeSecurityPrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeLoadDriverPrivilege	1152	msiexec.exe
Token: SeSystemProfilePrivilege	1152	msiexec.exe
Token: SeSystemtimePrivilege	1152	msiexec.exe
Token: SeProfSingleProcessPrivilege	1152	msiexec.exe
Token: SeIncBasePriorityPrivilege	1152	msiexec.exe
Token: SeCreatePagefilePrivilege	1152	msiexec.exe
Token: SeCreatePermanentPrivilege	1152	msiexec.exe
Token: SeBackupPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeShutdownPrivilege	1152	msiexec.exe
Token: SeDebugPrivilege	1152	msiexec.exe
Token: SeAuditPrivilege	1152	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1152	msiexec.exe
Token: SeChangeNotifyPrivilege	1152	msiexec.exe
Token: SeRemoteShutdownPrivilege	1152	msiexec.exe
Token: SeUndockPrivilege	1152	msiexec.exe
Token: SeSyncAgentPrivilege	1152	msiexec.exe
Token: SeEnableDelegationPrivilege	1152	msiexec.exe
Token: SeManageVolumePrivilege	1152	msiexec.exe
Token: SeImpersonatePrivilege	1152	msiexec.exe
Token: SeCreateGlobalPrivilege	1152	msiexec.exe
Token: SeCreateTokenPrivilege	1152	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1152	msiexec.exe
Token: SeLockMemoryPrivilege	1152	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1152	msiexec.exe
Token: SeMachineAccountPrivilege	1152	msiexec.exe
Token: SeTcbPrivilege	1152	msiexec.exe
Token: SeSecurityPrivilege	1152	msiexec.exe
Token: SeTakeOwnershipPrivilege	1152	msiexec.exe
Token: SeLoadDriverPrivilege	1152	msiexec.exe
Token: SeSystemProfilePrivilege	1152	msiexec.exe
Token: SeSystemtimePrivilege	1152	msiexec.exe
Token: SeProfSingleProcessPrivilege	1152	msiexec.exe
Token: SeIncBasePriorityPrivilege	1152	msiexec.exe
Token: SeCreatePagefilePrivilege	1152	msiexec.exe
Token: SeCreatePermanentPrivilege	1152	msiexec.exe
Token: SeBackupPrivilege	1152	msiexec.exe
Token: SeRestorePrivilege	1152	msiexec.exe
Token: SeShutdownPrivilege	1152	msiexec.exe
Token: SeDebugPrivilege	1152	msiexec.exe
Token: SeAuditPrivilege	1152	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1152	msiexec.exe
Token: SeChangeNotifyPrivilege	1152	msiexec.exe
Token: SeRemoteShutdownPrivilege	1152	msiexec.exe
Token: SeUndockPrivilege	1152	msiexec.exe
Token: SeSyncAgentPrivilege	1152	msiexec.exe
Token: SeEnableDelegationPrivilege	1152	msiexec.exe
Token: SeManageVolumePrivilege	1152	msiexec.exe
Token: SeImpersonatePrivilege	1152	msiexec.exe
Token: SeCreateGlobalPrivilege	1152	msiexec.exe
Token: SeCreateTokenPrivilege	1152	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1152	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1672	1216	PatchCleaner_1.4.2.0.exe	28
PID 1216 wrote to memory of 1672	1216	PatchCleaner_1.4.2.0.exe	28
PID 1216 wrote to memory of 1672	1216	PatchCleaner_1.4.2.0.exe	28
PID 1216 wrote to memory of 1672	1216	PatchCleaner_1.4.2.0.exe	28
PID 1216 wrote to memory of 1672	1216	PatchCleaner_1.4.2.0.exe	28
PID 1216 wrote to memory of 1672	1216	PatchCleaner_1.4.2.0.exe	28
PID 1216 wrote to memory of 1672	1216	PatchCleaner_1.4.2.0.exe	28
PID 1672 wrote to memory of 1152	1672	setup.exe	29
PID 1672 wrote to memory of 1152	1672	setup.exe	29
PID 1672 wrote to memory of 1152	1672	setup.exe	29
PID 1672 wrote to memory of 1152	1672	setup.exe	29
PID 1672 wrote to memory of 1152	1672	setup.exe	29
PID 1672 wrote to memory of 1152	1672	setup.exe	29
PID 1672 wrote to memory of 1152	1672	setup.exe	29
PID 1140 wrote to memory of 1524	1140	msiexec.exe	31
PID 1140 wrote to memory of 1524	1140	msiexec.exe	31
PID 1140 wrote to memory of 1524	1140	msiexec.exe	31
PID 1140 wrote to memory of 1524	1140	msiexec.exe	31
PID 1140 wrote to memory of 1524	1140	msiexec.exe	31
PID 1140 wrote to memory of 1524	1140	msiexec.exe	31
PID 1140 wrote to memory of 1524	1140	msiexec.exe	31

C:\Users\Admin\AppData\Local\Temp\PatchCleaner_1.4.2.0.exe
"C:\Users\Admin\AppData\Local\Temp\PatchCleaner_1.4.2.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\7zS3322.tmp\setup.exe
  .\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\7zS3322.tmp\PatchCleaner.msi"
    3⤵
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1152

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86C0C1DD0FC0525E1281A05FFCE18CA3 C
  2⤵
  - Loads dropped DLL
  PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS3322.tmp\PatchCleaner.msi

Filesize
2.0MB

MD5
ca19dc264e480db621d11429e08ca62b

SHA1
732fa43146301e30c7dfbb700081691ddb4e28c7

SHA256
c43f57c1aff7a3571fb89a6467247417bdf5b5ae2cd3ab60ce444490bc4df164

SHA512
af419f36fa581d6fb1cbfb6f598283c1a9a4e3315e19d227cb4806e3de7b929b400913ca3f09e5c3c58646907b363ebf2cf282610d54ac507a3d66eaf71b1a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3322.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3322.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3DBF.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3EAA.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3322.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3322.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3322.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3DBF.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3EAA.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit