Analysis
-
max time kernel
112s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system -
submitted
24/06/2023, 01:22
Static task
static1
Behavioral task
behavioral1
Sample
ChatGPT4 V2.msi
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
ChatGPT4 V2.msi
Resource
win10v2004-20230621-en
General
-
Target
ChatGPT4 V2.msi
-
Size
1.3MB
-
MD5
0f77fb52cbe9489be260f739f4cbfce0
-
SHA1
28236b7b22ad00cfb14b7c04940a1dcb75262538
-
SHA256
5396c6c41584959beea2b5058c5e90d776d2908fbdfaeb08cda924c00b9bd9db
-
SHA512
d1debb3fb41df91b1e2173a6784b6be527713c2ca9228f0b22b07e2f4dbf95824652463d2ca767bd5f4d183667925aceabcbcaa5e048162fe60b7c2b33063b71
-
SSDEEP
24576:CHCSlEKSDB8pDESD30TidMgWZ5H1Wruyi4QX851wfM/3F:CHCZDB8pDESD30TimgS5VWha851wfM/1
Malware Config
Signatures
-
Loads dropped DLL 7 IoCs
pid Process 2292 MsiExec.exe 2292 MsiExec.exe 2292 MsiExec.exe 2292 MsiExec.exe 2292 MsiExec.exe 2292 MsiExec.exe 2292 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1764 msiexec.exe Token: SeIncreaseQuotaPrivilege 1764 msiexec.exe Token: SeSecurityPrivilege 5076 msiexec.exe Token: SeCreateTokenPrivilege 1764 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1764 msiexec.exe Token: SeLockMemoryPrivilege 1764 msiexec.exe Token: SeIncreaseQuotaPrivilege 1764 msiexec.exe Token: SeMachineAccountPrivilege 1764 msiexec.exe Token: SeTcbPrivilege 1764 msiexec.exe Token: SeSecurityPrivilege 1764 msiexec.exe Token: SeTakeOwnershipPrivilege 1764 msiexec.exe Token: SeLoadDriverPrivilege 1764 msiexec.exe Token: SeSystemProfilePrivilege 1764 msiexec.exe Token: SeSystemtimePrivilege 1764 msiexec.exe Token: SeProfSingleProcessPrivilege 1764 msiexec.exe Token: SeIncBasePriorityPrivilege 1764 msiexec.exe Token: SeCreatePagefilePrivilege 1764 msiexec.exe Token: SeCreatePermanentPrivilege 1764 msiexec.exe Token: SeBackupPrivilege 1764 msiexec.exe Token: SeRestorePrivilege 1764 msiexec.exe Token: SeShutdownPrivilege 1764 msiexec.exe Token: SeDebugPrivilege 1764 msiexec.exe Token: SeAuditPrivilege 1764 msiexec.exe Token: SeSystemEnvironmentPrivilege 1764 msiexec.exe Token: SeChangeNotifyPrivilege 1764 msiexec.exe Token: SeRemoteShutdownPrivilege 1764 msiexec.exe Token: SeUndockPrivilege 1764 msiexec.exe Token: SeSyncAgentPrivilege 1764 msiexec.exe Token: SeEnableDelegationPrivilege 1764 msiexec.exe Token: SeManageVolumePrivilege 1764 msiexec.exe Token: SeImpersonatePrivilege 1764 msiexec.exe Token: SeCreateGlobalPrivilege 1764 msiexec.exe Token: SeCreateTokenPrivilege 1764 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1764 msiexec.exe Token: SeLockMemoryPrivilege 1764 msiexec.exe Token: SeIncreaseQuotaPrivilege 1764 msiexec.exe Token: SeMachineAccountPrivilege 1764 msiexec.exe Token: SeTcbPrivilege 1764 msiexec.exe Token: SeSecurityPrivilege 1764 msiexec.exe Token: SeTakeOwnershipPrivilege 1764 msiexec.exe Token: SeLoadDriverPrivilege 1764 msiexec.exe Token: SeSystemProfilePrivilege 1764 msiexec.exe Token: SeSystemtimePrivilege 1764 msiexec.exe Token: SeProfSingleProcessPrivilege 1764 msiexec.exe Token: SeIncBasePriorityPrivilege 1764 msiexec.exe Token: SeCreatePagefilePrivilege 1764 msiexec.exe Token: SeCreatePermanentPrivilege 1764 msiexec.exe Token: SeBackupPrivilege 1764 msiexec.exe Token: SeRestorePrivilege 1764 msiexec.exe Token: SeShutdownPrivilege 1764 msiexec.exe Token: SeDebugPrivilege 1764 msiexec.exe Token: SeAuditPrivilege 1764 msiexec.exe Token: SeSystemEnvironmentPrivilege 1764 msiexec.exe Token: SeChangeNotifyPrivilege 1764 msiexec.exe Token: SeRemoteShutdownPrivilege 1764 msiexec.exe Token: SeUndockPrivilege 1764 msiexec.exe Token: SeSyncAgentPrivilege 1764 msiexec.exe Token: SeEnableDelegationPrivilege 1764 msiexec.exe Token: SeManageVolumePrivilege 1764 msiexec.exe Token: SeImpersonatePrivilege 1764 msiexec.exe Token: SeCreateGlobalPrivilege 1764 msiexec.exe Token: SeCreateTokenPrivilege 1764 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1764 msiexec.exe Token: SeLockMemoryPrivilege 1764 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1764 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5076 wrote to memory of 2292 5076 msiexec.exe 83 PID 5076 wrote to memory of 2292 5076 msiexec.exe 83 PID 5076 wrote to memory of 2292 5076 msiexec.exe 83
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\ChatGPT4 V2.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1764
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 21768CA4B32D46757AD22968761FB8F6 C2⤵
- Loads dropped DLL
PID:2292
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a