Analysis
- max time kernel: 63s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20230621-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/06/2023, 04:41
- Static task: static1
- Behavioral task: behavioral1 (Sample: PE-DESIGN 10.exe; Resource: win7-20230621-en)
- Behavioral task: behavioral2 (Sample: PE-DESIGN 10.exe; Resource: win10v2004-20230621-en)
General
- Target: PE-DESIGN 10.exe
- Size: 133.2MB
- MD5: 1eab43b9863a9e3203b8fb415294f7ae
- SHA1: 3f0921b2a8616420839b029d6cbb0544a0bbfe88
- SHA256: 4f0e2487db334d423312079607320b303bf2bd502b6a1a8b78d5744601fee7a6
- SHA512: 4cf29ad9d6c7f5f4cf3ac4a51d7682bc6404457df10be0406ddc57ea6f53b1c6bf69d2f27b210d6a2e853c4b95364534927ec5de9e36d096b8ab2f3f64d3e8c2
- SSDEEP: 3145728:jVfN29HxfR8Okgh02VcKk/CzGwNWkj1hcajz08//7:VN29RfR8ORfcKfXNWu1hFz0y/7
Malware Config

Signatures

Loads dropped DLL (4 IoCs)
Columns: pid, Process
- 628 MsiExec.exe
- 628 MsiExec.exe
- 628 MsiExec.exe
- 628 MsiExec.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Columns: description, ioc, Process
- File opened (read-only) \??\P: PE-DESIGN 10.exe
- File opened (read-only) \??\Q: PE-DESIGN 10.exe
- File opened (read-only) \??\E: msiexec.exe
- File opened (read-only) \??\X: msiexec.exe
- File opened (read-only) \??\B: PE-DESIGN 10.exe
- File opened (read-only) \??\M: PE-DESIGN 10.exe
- File opened (read-only) \??\O: PE-DESIGN 10.exe
- File opened (read-only) \??\K: msiexec.exe
- File opened (read-only) \??\M: msiexec.exe
- File opened (read-only) \??\N: msiexec.exe
- File opened (read-only) \??\Q: msiexec.exe
- File opened (read-only) \??\R: msiexec.exe
- File opened (read-only) \??\H: PE-DESIGN 10.exe
- File opened (read-only) \??\L: PE-DESIGN 10.exe
- File opened (read-only) \??\Z: PE-DESIGN 10.exe
- File opened (read-only) \??\Y: msiexec.exe
- File opened (read-only) \??\S: msiexec.exe
- File opened (read-only) \??\Z: msiexec.exe
- File opened (read-only) \??\E: PE-DESIGN 10.exe
- File opened (read-only) \??\T: PE-DESIGN 10.exe
- File opened (read-only) \??\W: PE-DESIGN 10.exe
- File opened (read-only) \??\I: PE-DESIGN 10.exe
- File opened (read-only) \??\S: PE-DESIGN 10.exe
- File opened (read-only) \??\I: msiexec.exe
- File opened (read-only) \??\L: msiexec.exe
- File opened (read-only) \??\G: msiexec.exe
- File opened (read-only) \??\T: msiexec.exe
- File opened (read-only) \??\J: PE-DESIGN 10.exe
- File opened (read-only) \??\N: PE-DESIGN 10.exe
- File opened (read-only) \??\Y: PE-DESIGN 10.exe
- File opened (read-only) \??\U: PE-DESIGN 10.exe
- File opened (read-only) \??\V: PE-DESIGN 10.exe
- File opened (read-only) \??\A: msiexec.exe
- File opened (read-only) \??\J: msiexec.exe
- File opened (read-only) \??\O: msiexec.exe
- File opened (read-only) \??\G: PE-DESIGN 10.exe
- File opened (read-only) \??\K: PE-DESIGN 10.exe
- File opened (read-only) \??\R: PE-DESIGN 10.exe
- File opened (read-only) \??\U: msiexec.exe
- File opened (read-only) \??\H: msiexec.exe
- File opened (read-only) \??\P: msiexec.exe
- File opened (read-only) \??\V: msiexec.exe
- File opened (read-only) \??\W: msiexec.exe
- File opened (read-only) \??\A: PE-DESIGN 10.exe
- File opened (read-only) \??\X: PE-DESIGN 10.exe
- File opened (read-only) \??\B: msiexec.exe

Drops file in System32 directory (7 IoCs)
Columns: description, ioc, Process
- File opened for modification C:\Windows\SysWOW64\msvcp110.dll PE-DESIGN 10.exe
- File opened for modification C:\Windows\SysWOW64\msvcr110.dll PE-DESIGN 10.exe
- File opened for modification C:\Windows\SysWOW64\vccorlib110.dll PE-DESIGN 10.exe
- File opened for modification C:\Windows\SysWOW64\mfcm110.dll PE-DESIGN 10.exe
- File opened for modification C:\Windows\SysWOW64\mfc110u.dll PE-DESIGN 10.exe
- File opened for modification C:\Windows\SysWOW64\mfc110.dll PE-DESIGN 10.exe
- File opened for modification C:\Windows\SysWOW64\mfcm110u.dll PE-DESIGN 10.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Columns: description, pid, Process
- Token: SeSecurityPrivilege 3656 msiexec.exe
- Token: SeCreateTokenPrivilege 2676 PE-DESIGN 10.exe
- Token: SeAssignPrimaryTokenPrivilege 2676 PE-DESIGN 10.exe
- Token: SeLockMemoryPrivilege 2676 PE-DESIGN 10.exe
- Token: SeIncreaseQuotaPrivilege 2676 PE-DESIGN 10.exe
- Token: SeMachineAccountPrivilege 2676 PE-DESIGN 10.exe
- Token: SeTcbPrivilege 2676 PE-DESIGN 10.exe
- Token: SeSecurityPrivilege 2676 PE-DESIGN 10.exe
- Token: SeTakeOwnershipPrivilege 2676 PE-DESIGN 10.exe
- Token: SeLoadDriverPrivilege 2676 PE-DESIGN 10.exe
- Token: SeSystemProfilePrivilege 2676 PE-DESIGN 10.exe
- Token: SeSystemtimePrivilege 2676 PE-DESIGN 10.exe
- Token: SeProfSingleProcessPrivilege 2676 PE-DESIGN 10.exe
- Token: SeIncBasePriorityPrivilege 2676 PE-DESIGN 10.exe
- Token: SeCreatePagefilePrivilege 2676 PE-DESIGN 10.exe
- Token: SeCreatePermanentPrivilege 2676 PE-DESIGN 10.exe
- Token: SeBackupPrivilege 2676 PE-DESIGN 10.exe
- Token: SeRestorePrivilege 2676 PE-DESIGN 10.exe
- Token: SeShutdownPrivilege 2676 PE-DESIGN 10.exe
- Token: SeDebugPrivilege 2676 PE-DESIGN 10.exe
- Token: SeAuditPrivilege 2676 PE-DESIGN 10.exe
- Token: SeSystemEnvironmentPrivilege 2676 PE-DESIGN 10.exe
- Token: SeChangeNotifyPrivilege 2676 PE-DESIGN 10.exe
- Token: SeRemoteShutdownPrivilege 2676 PE-DESIGN 10.exe
- Token: SeUndockPrivilege 2676 PE-DESIGN 10.exe
- Token: SeSyncAgentPrivilege 2676 PE-DESIGN 10.exe
- Token: SeEnableDelegationPrivilege 2676 PE-DESIGN 10.exe
- Token: SeManageVolumePrivilege 2676 PE-DESIGN 10.exe
- Token: SeImpersonatePrivilege 2676 PE-DESIGN 10.exe
- Token: SeCreateGlobalPrivilege 2676 PE-DESIGN 10.exe
- Token: SeCreateTokenPrivilege 2676 PE-DESIGN 10.exe
- Token: SeAssignPrimaryTokenPrivilege 2676 PE-DESIGN 10.exe
- Token: SeLockMemoryPrivilege 2676 PE-DESIGN 10.exe
- Token: SeIncreaseQuotaPrivilege 2676 PE-DESIGN 10.exe
- Token: SeMachineAccountPrivilege 2676 PE-DESIGN 10.exe
- Token: SeTcbPrivilege 2676 PE-DESIGN 10.exe
- Token: SeSecurityPrivilege 2676 PE-DESIGN 10.exe
- Token: SeTakeOwnershipPrivilege 2676 PE-DESIGN 10.exe
- Token: SeLoadDriverPrivilege 2676 PE-DESIGN 10.exe
- Token: SeSystemProfilePrivilege 2676 PE-DESIGN 10.exe
- Token: SeSystemtimePrivilege 2676 PE-DESIGN 10.exe
- Token: SeProfSingleProcessPrivilege 2676 PE-DESIGN 10.exe
- Token: SeIncBasePriorityPrivilege 2676 PE-DESIGN 10.exe
- Token: SeCreatePagefilePrivilege 2676 PE-DESIGN 10.exe
- Token: SeCreatePermanentPrivilege 2676 PE-DESIGN 10.exe
- Token: SeBackupPrivilege 2676 PE-DESIGN 10.exe
- Token: SeRestorePrivilege 2676 PE-DESIGN 10.exe
- Token: SeShutdownPrivilege 2676 PE-DESIGN 10.exe
- Token: SeDebugPrivilege 2676 PE-DESIGN 10.exe
- Token: SeAuditPrivilege 2676 PE-DESIGN 10.exe
- Token: SeSystemEnvironmentPrivilege 2676 PE-DESIGN 10.exe
- Token: SeChangeNotifyPrivilege 2676 PE-DESIGN 10.exe
- Token: SeRemoteShutdownPrivilege 2676 PE-DESIGN 10.exe
- Token: SeUndockPrivilege 2676 PE-DESIGN 10.exe
- Token: SeSyncAgentPrivilege 2676 PE-DESIGN 10.exe
- Token: SeEnableDelegationPrivilege 2676 PE-DESIGN 10.exe
- Token: SeManageVolumePrivilege 2676 PE-DESIGN 10.exe
- Token: SeImpersonatePrivilege 2676 PE-DESIGN 10.exe
- Token: SeCreateGlobalPrivilege 2676 PE-DESIGN 10.exe
- Token: SeCreateTokenPrivilege 2676 PE-DESIGN 10.exe
- Token: SeAssignPrimaryTokenPrivilege 2676 PE-DESIGN 10.exe
- Token: SeLockMemoryPrivilege 2676 PE-DESIGN 10.exe
- Token: SeIncreaseQuotaPrivilege 2676 PE-DESIGN 10.exe
- Token: SeMachineAccountPrivilege 2676 PE-DESIGN 10.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Columns: pid, Process
- 2676 PE-DESIGN 10.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Columns: description, pid, Process, procid_target
- PID 3656 wrote to memory of 628 3656 msiexec.exe 85
- PID 3656 wrote to memory of 628 3656 msiexec.exe 85
- PID 3656 wrote to memory of 628 3656 msiexec.exe 85
Processes
- C:\Users\Admin\AppData\Local\Temp\PE-DESIGN 10.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PE-DESIGN 10.exe"
  PID: 2676
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3656
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E27945CA3E631F81772326BB9D8C35EC C
    PID: 628
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 29KB
  MD5: 34363136d896a1de743489e2aff7d849
  SHA1: 2678a41eec6d6d7f3267347f5ea2f7ca770323bb
  SHA256: ae4355bc29fc0b409605faf5c69664a97a44c914e855b474b24281d17b7dcb15
  SHA512: 2711c50013f9b763e2eb7eed136f120dbe71b45ed0669655b07393e75f4e704877e7af473133469a012fd13d6bc50f2f715e8244395061a0067a480778759448
- Filesize: 86KB
  MD5: 616d33d84937a1edde1bb431b8cd8fc0
  SHA1: 4a690e056a7808d10d0667351697fa43640aecb3
  SHA256: 494939263cb5535d464a8cf49616e1fa69bc8de099aae4638b1609e32827bede
  SHA512: daabdd78946d2c12124c680a31e8e7afd9184ceffdf2fd59d0c8067fe46ee80f53a843b93fd3be203a0fa74424e95d1509d8f1a75db3ea6239b19b3b78e720f6
- C:\Users\Admin\AppData\Roaming\Brother Industries, Ltd\PE-DESIGN 10 10.20.0.0\install\PE-DESIGN 10.msi
  Filesize: 3.0MB
  MD5: 59120041a44e2bea892d231122f01286
  SHA1: 8a2a33b9091b375d9f21e1340584edbc5c58b144
  SHA256: 8b44c2d5bd17ef7b7c3664c64a5c869ff96a1db591d582ee3ebca7cbd4d4b5a6
  SHA512: 9f0223c5f0124afb98b801733f6160b0035168fa21b6f469ab5c12f15a5b5d05b3b47e76d2e6d4fc8cdb24e1dda48411acf64702d9d58af337de339cc47ab1e2