6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6

Analysis

max time kernel
81s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 15:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

WindowsInstallerDirPatchCleaner_1.4.2.0.exe
Size

1.3MB
MD5

70d0bd7633d10c492839272c97b2544e
SHA1

4da0e8c2fe1f06b13985d700fe15686a1015c3bb
SHA256

6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6
SHA512

99d43ed2060eb6371a54f73af407fe4cc7644a93e5f856419ad0cb8769b2664139cb9097ff4be4b8dbb93f2c5da4fc90bc48eeac6fe0b3df5f8bc12428b5b5b2
SSDEEP

24576:91OYdaPtyx5f3bpaOZpBr8Mok3CwAvCJYNsO7z7YHgEzmvDjvANu29N:91Os1gOpBrRokSwAqJY73Sz2Qv

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	4252	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 1 IoCs

pid	Process
5108	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
3296	MsiExec.exe
3296	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4252	msiexec.exe
Token: SeSecurityPrivilege	404	msiexec.exe
Token: SeCreateTokenPrivilege	4252	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4252	msiexec.exe
Token: SeLockMemoryPrivilege	4252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4252	msiexec.exe
Token: SeMachineAccountPrivilege	4252	msiexec.exe
Token: SeTcbPrivilege	4252	msiexec.exe
Token: SeSecurityPrivilege	4252	msiexec.exe
Token: SeTakeOwnershipPrivilege	4252	msiexec.exe
Token: SeLoadDriverPrivilege	4252	msiexec.exe
Token: SeSystemProfilePrivilege	4252	msiexec.exe
Token: SeSystemtimePrivilege	4252	msiexec.exe
Token: SeProfSingleProcessPrivilege	4252	msiexec.exe
Token: SeIncBasePriorityPrivilege	4252	msiexec.exe
Token: SeCreatePagefilePrivilege	4252	msiexec.exe
Token: SeCreatePermanentPrivilege	4252	msiexec.exe
Token: SeBackupPrivilege	4252	msiexec.exe
Token: SeRestorePrivilege	4252	msiexec.exe
Token: SeShutdownPrivilege	4252	msiexec.exe
Token: SeDebugPrivilege	4252	msiexec.exe
Token: SeAuditPrivilege	4252	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4252	msiexec.exe
Token: SeChangeNotifyPrivilege	4252	msiexec.exe
Token: SeRemoteShutdownPrivilege	4252	msiexec.exe
Token: SeUndockPrivilege	4252	msiexec.exe
Token: SeSyncAgentPrivilege	4252	msiexec.exe
Token: SeEnableDelegationPrivilege	4252	msiexec.exe
Token: SeManageVolumePrivilege	4252	msiexec.exe
Token: SeImpersonatePrivilege	4252	msiexec.exe
Token: SeCreateGlobalPrivilege	4252	msiexec.exe
Token: SeCreateTokenPrivilege	4252	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4252	msiexec.exe
Token: SeLockMemoryPrivilege	4252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4252	msiexec.exe
Token: SeMachineAccountPrivilege	4252	msiexec.exe
Token: SeTcbPrivilege	4252	msiexec.exe
Token: SeSecurityPrivilege	4252	msiexec.exe
Token: SeTakeOwnershipPrivilege	4252	msiexec.exe
Token: SeLoadDriverPrivilege	4252	msiexec.exe
Token: SeSystemProfilePrivilege	4252	msiexec.exe
Token: SeSystemtimePrivilege	4252	msiexec.exe
Token: SeProfSingleProcessPrivilege	4252	msiexec.exe
Token: SeIncBasePriorityPrivilege	4252	msiexec.exe
Token: SeCreatePagefilePrivilege	4252	msiexec.exe
Token: SeCreatePermanentPrivilege	4252	msiexec.exe
Token: SeBackupPrivilege	4252	msiexec.exe
Token: SeRestorePrivilege	4252	msiexec.exe
Token: SeShutdownPrivilege	4252	msiexec.exe
Token: SeDebugPrivilege	4252	msiexec.exe
Token: SeAuditPrivilege	4252	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4252	msiexec.exe
Token: SeChangeNotifyPrivilege	4252	msiexec.exe
Token: SeRemoteShutdownPrivilege	4252	msiexec.exe
Token: SeUndockPrivilege	4252	msiexec.exe
Token: SeSyncAgentPrivilege	4252	msiexec.exe
Token: SeEnableDelegationPrivilege	4252	msiexec.exe
Token: SeManageVolumePrivilege	4252	msiexec.exe
Token: SeImpersonatePrivilege	4252	msiexec.exe
Token: SeCreateGlobalPrivilege	4252	msiexec.exe
Token: SeCreateTokenPrivilege	4252	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4252	msiexec.exe
Token: SeLockMemoryPrivilege	4252	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4252	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 5108	4560	WindowsInstallerDirPatchCleaner_1.4.2.0.exe	83
PID 4560 wrote to memory of 5108	4560	WindowsInstallerDirPatchCleaner_1.4.2.0.exe	83
PID 4560 wrote to memory of 5108	4560	WindowsInstallerDirPatchCleaner_1.4.2.0.exe	83
PID 5108 wrote to memory of 4252	5108	setup.exe	84
PID 5108 wrote to memory of 4252	5108	setup.exe	84
PID 5108 wrote to memory of 4252	5108	setup.exe	84
PID 404 wrote to memory of 3296	404	msiexec.exe	87
PID 404 wrote to memory of 3296	404	msiexec.exe	87
PID 404 wrote to memory of 3296	404	msiexec.exe	87

C:\Users\Admin\AppData\Local\Temp\WindowsInstallerDirPatchCleaner_1.4.2.0.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsInstallerDirPatchCleaner_1.4.2.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\7zSA08A.tmp\setup.exe
  .\setup.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\7zSA08A.tmp\PatchCleaner.msi"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8842B72169FDB675D9D815B0A3348530 C
  2⤵
  - Loads dropped DLL
  PID:3296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSA08A.tmp\PatchCleaner.msi

Filesize
2.0MB

MD5
ca19dc264e480db621d11429e08ca62b

SHA1
732fa43146301e30c7dfbb700081691ddb4e28c7

SHA256
c43f57c1aff7a3571fb89a6467247417bdf5b5ae2cd3ab60ce444490bc4df164

SHA512
af419f36fa581d6fb1cbfb6f598283c1a9a4e3315e19d227cb4806e3de7b929b400913ca3f09e5c3c58646907b363ebf2cf282610d54ac507a3d66eaf71b1a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA08A.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA08A.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAC04.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAC04.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIACFF.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIACFF.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads