6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6

General

Target

PatchCleaner_1.4.2.0.exe
Size

1.3MB
MD5

70d0bd7633d10c492839272c97b2544e
SHA1

4da0e8c2fe1f06b13985d700fe15686a1015c3bb
SHA256

6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6
SHA512

99d43ed2060eb6371a54f73af407fe4cc7644a93e5f856419ad0cb8769b2664139cb9097ff4be4b8dbb93f2c5da4fc90bc48eeac6fe0b3df5f8bc12428b5b5b2
SSDEEP

24576:91OYdaPtyx5f3bpaOZpBr8Mok3CwAvCJYNsO7z7YHgEzmvDjvANu29N:91Os1gOpBrRokSwAqJY73Sz2Qv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation setup.exe
Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

4416 setup.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

3876 MsiExec.exe
3876 MsiExec.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	setup.exe

pid	process
4416	setup.exe

pid	process
3876	MsiExec.exe
3876	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2648	msiexec.exe
Token: SeSecurityPrivilege	4952	msiexec.exe
Token: SeCreateTokenPrivilege	2648	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2648	msiexec.exe
Token: SeLockMemoryPrivilege	2648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2648	msiexec.exe
Token: SeMachineAccountPrivilege	2648	msiexec.exe
Token: SeTcbPrivilege	2648	msiexec.exe
Token: SeSecurityPrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeLoadDriverPrivilege	2648	msiexec.exe
Token: SeSystemProfilePrivilege	2648	msiexec.exe
Token: SeSystemtimePrivilege	2648	msiexec.exe
Token: SeProfSingleProcessPrivilege	2648	msiexec.exe
Token: SeIncBasePriorityPrivilege	2648	msiexec.exe
Token: SeCreatePagefilePrivilege	2648	msiexec.exe
Token: SeCreatePermanentPrivilege	2648	msiexec.exe
Token: SeBackupPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeShutdownPrivilege	2648	msiexec.exe
Token: SeDebugPrivilege	2648	msiexec.exe
Token: SeAuditPrivilege	2648	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2648	msiexec.exe
Token: SeChangeNotifyPrivilege	2648	msiexec.exe
Token: SeRemoteShutdownPrivilege	2648	msiexec.exe
Token: SeUndockPrivilege	2648	msiexec.exe
Token: SeSyncAgentPrivilege	2648	msiexec.exe
Token: SeEnableDelegationPrivilege	2648	msiexec.exe
Token: SeManageVolumePrivilege	2648	msiexec.exe
Token: SeImpersonatePrivilege	2648	msiexec.exe
Token: SeCreateGlobalPrivilege	2648	msiexec.exe
Token: SeCreateTokenPrivilege	2648	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2648	msiexec.exe
Token: SeLockMemoryPrivilege	2648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2648	msiexec.exe
Token: SeMachineAccountPrivilege	2648	msiexec.exe
Token: SeTcbPrivilege	2648	msiexec.exe
Token: SeSecurityPrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeLoadDriverPrivilege	2648	msiexec.exe
Token: SeSystemProfilePrivilege	2648	msiexec.exe
Token: SeSystemtimePrivilege	2648	msiexec.exe
Token: SeProfSingleProcessPrivilege	2648	msiexec.exe
Token: SeIncBasePriorityPrivilege	2648	msiexec.exe
Token: SeCreatePagefilePrivilege	2648	msiexec.exe
Token: SeCreatePermanentPrivilege	2648	msiexec.exe
Token: SeBackupPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeShutdownPrivilege	2648	msiexec.exe
Token: SeDebugPrivilege	2648	msiexec.exe
Token: SeAuditPrivilege	2648	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2648	msiexec.exe
Token: SeChangeNotifyPrivilege	2648	msiexec.exe
Token: SeRemoteShutdownPrivilege	2648	msiexec.exe
Token: SeUndockPrivilege	2648	msiexec.exe
Token: SeSyncAgentPrivilege	2648	msiexec.exe
Token: SeEnableDelegationPrivilege	2648	msiexec.exe
Token: SeManageVolumePrivilege	2648	msiexec.exe
Token: SeImpersonatePrivilege	2648	msiexec.exe
Token: SeCreateGlobalPrivilege	2648	msiexec.exe
Token: SeCreateTokenPrivilege	2648	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2648	msiexec.exe
Token: SeLockMemoryPrivilege	2648	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2648 msiexec.exe

pid	process
2648	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PatchCleaner_1.4.2.0.exesetup.exemsiexec.exe

description	pid	process	target process
PID 4112 wrote to memory of 4416	4112	PatchCleaner_1.4.2.0.exe	setup.exe
PID 4112 wrote to memory of 4416	4112	PatchCleaner_1.4.2.0.exe	setup.exe
PID 4112 wrote to memory of 4416	4112	PatchCleaner_1.4.2.0.exe	setup.exe
PID 4416 wrote to memory of 2648	4416	setup.exe	msiexec.exe
PID 4416 wrote to memory of 2648	4416	setup.exe	msiexec.exe
PID 4416 wrote to memory of 2648	4416	setup.exe	msiexec.exe
PID 4952 wrote to memory of 3876	4952	msiexec.exe	MsiExec.exe
PID 4952 wrote to memory of 3876	4952	msiexec.exe	MsiExec.exe
PID 4952 wrote to memory of 3876	4952	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\PatchCleaner_1.4.2.0.exe
"C:\Users\Admin\AppData\Local\Temp\PatchCleaner_1.4.2.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\7zS9EA6.tmp\setup.exe
  .\setup.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\7zS9EA6.tmp\PatchCleaner.msi"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DD44E17A596AA1C67ED3CB36E1D385AB C
  2⤵
  - Loads dropped DLL
  PID:3876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS9EA6.tmp\PatchCleaner.msi

Filesize
2.0MB

MD5
ca19dc264e480db621d11429e08ca62b

SHA1
732fa43146301e30c7dfbb700081691ddb4e28c7

SHA256
c43f57c1aff7a3571fb89a6467247417bdf5b5ae2cd3ab60ce444490bc4df164

SHA512
af419f36fa581d6fb1cbfb6f598283c1a9a4e3315e19d227cb4806e3de7b929b400913ca3f09e5c3c58646907b363ebf2cf282610d54ac507a3d66eaf71b1a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9EA6.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9EA6.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA983.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA983.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAA6F.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAA6F.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads