a6c0803c46cc2a33c1f64be34b136744f9db4fa0cc475658260a70fd047494bc

Analysis

max time kernel
157s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fd06684c5caa52ec4e0c30a4264ac42c9413641be5bcf41e12c59ba9ff71c52.exe
Size

38.1MB
MD5

59bb39969aa1816dec666c56e575f4b6
SHA1

eb1d0ab9d021e567f421f5d865bdc5faff2d2de5
SHA256

8fd06684c5caa52ec4e0c30a4264ac42c9413641be5bcf41e12c59ba9ff71c52
SHA512

262322eaf414cd474e251a844a316309aff2a04833e1b3cc669a5a126dc9b9b8fdb87e98968758553f90985aa4095af0b01baa1b9378be98f44b06f55e8cb69b
SSDEEP

786432:8qbb/xq/LsrBbyyRUFLazR0GWGvpYazMUJ7msHv+SIBxS0GBZO3nha28K0Xa2:8+/xtlWyRUFLazBWYLzNrHvCXS0AZO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	8fd06684c5caa52ec4e0c30a4264ac42c9413641be5bcf41e12c59ba9ff71c52.exe

Loads dropped DLL 3 IoCs

pid	Process
4880	MsiExec.exe
4880	MsiExec.exe
4880	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISCC98E8B3FAAA4D09A813A44C9FA1A3EE_9_0_908_51.MSI	8fd06684c5caa52ec4e0c30a4264ac42c9413641be5bcf41e12c59ba9ff71c52.exe
File opened for modification	C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISCC98E8B3FAAA4D09A813A44C9FA1A3EE_9_0_908_51.MSI	8fd06684c5caa52ec4e0c30a4264ac42c9413641be5bcf41e12c59ba9ff71c52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2556	msiexec.exe
Token: SeSecurityPrivilege	1220	msiexec.exe
Token: SeCreateTokenPrivilege	2556	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2556	msiexec.exe
Token: SeLockMemoryPrivilege	2556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2556	msiexec.exe
Token: SeMachineAccountPrivilege	2556	msiexec.exe
Token: SeTcbPrivilege	2556	msiexec.exe
Token: SeSecurityPrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeLoadDriverPrivilege	2556	msiexec.exe
Token: SeSystemProfilePrivilege	2556	msiexec.exe
Token: SeSystemtimePrivilege	2556	msiexec.exe
Token: SeProfSingleProcessPrivilege	2556	msiexec.exe
Token: SeIncBasePriorityPrivilege	2556	msiexec.exe
Token: SeCreatePagefilePrivilege	2556	msiexec.exe
Token: SeCreatePermanentPrivilege	2556	msiexec.exe
Token: SeBackupPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeShutdownPrivilege	2556	msiexec.exe
Token: SeDebugPrivilege	2556	msiexec.exe
Token: SeAuditPrivilege	2556	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2556	msiexec.exe
Token: SeChangeNotifyPrivilege	2556	msiexec.exe
Token: SeRemoteShutdownPrivilege	2556	msiexec.exe
Token: SeUndockPrivilege	2556	msiexec.exe
Token: SeSyncAgentPrivilege	2556	msiexec.exe
Token: SeEnableDelegationPrivilege	2556	msiexec.exe
Token: SeManageVolumePrivilege	2556	msiexec.exe
Token: SeImpersonatePrivilege	2556	msiexec.exe
Token: SeCreateGlobalPrivilege	2556	msiexec.exe
Token: SeCreateTokenPrivilege	2556	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2556	msiexec.exe
Token: SeLockMemoryPrivilege	2556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2556	msiexec.exe
Token: SeMachineAccountPrivilege	2556	msiexec.exe
Token: SeTcbPrivilege	2556	msiexec.exe
Token: SeSecurityPrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeLoadDriverPrivilege	2556	msiexec.exe
Token: SeSystemProfilePrivilege	2556	msiexec.exe
Token: SeSystemtimePrivilege	2556	msiexec.exe
Token: SeProfSingleProcessPrivilege	2556	msiexec.exe
Token: SeIncBasePriorityPrivilege	2556	msiexec.exe
Token: SeCreatePagefilePrivilege	2556	msiexec.exe
Token: SeCreatePermanentPrivilege	2556	msiexec.exe
Token: SeBackupPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeShutdownPrivilege	2556	msiexec.exe
Token: SeDebugPrivilege	2556	msiexec.exe
Token: SeAuditPrivilege	2556	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2556	msiexec.exe
Token: SeChangeNotifyPrivilege	2556	msiexec.exe
Token: SeRemoteShutdownPrivilege	2556	msiexec.exe
Token: SeUndockPrivilege	2556	msiexec.exe
Token: SeSyncAgentPrivilege	2556	msiexec.exe
Token: SeEnableDelegationPrivilege	2556	msiexec.exe
Token: SeManageVolumePrivilege	2556	msiexec.exe
Token: SeImpersonatePrivilege	2556	msiexec.exe
Token: SeCreateGlobalPrivilege	2556	msiexec.exe
Token: SeCreateTokenPrivilege	2556	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2556	msiexec.exe
Token: SeLockMemoryPrivilege	2556	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2556	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 2556	3916	8fd06684c5caa52ec4e0c30a4264ac42c9413641be5bcf41e12c59ba9ff71c52.exe	98
PID 3916 wrote to memory of 2556	3916	8fd06684c5caa52ec4e0c30a4264ac42c9413641be5bcf41e12c59ba9ff71c52.exe	98
PID 3916 wrote to memory of 2556	3916	8fd06684c5caa52ec4e0c30a4264ac42c9413641be5bcf41e12c59ba9ff71c52.exe	98
PID 1220 wrote to memory of 4880	1220	msiexec.exe	101
PID 1220 wrote to memory of 4880	1220	msiexec.exe	101
PID 1220 wrote to memory of 4880	1220	msiexec.exe	101

C:\Users\Admin\AppData\Local\Temp\8fd06684c5caa52ec4e0c30a4264ac42c9413641be5bcf41e12c59ba9ff71c52.exe
"C:\Users\Admin\AppData\Local\Temp\8fd06684c5caa52ec4e0c30a4264ac42c9413641be5bcf41e12c59ba9ff71c52.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISCC98E8B3FAAA4D09A813A44C9FA1A3EE_9_0_908_51.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\8fd06684c5caa52ec4e0c30a4264ac42c9413641be5bcf41e12c59ba9ff71c52.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2556

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7A371B59E831CCA5CB2F88B08E143216 C
  2⤵
  - Loads dropped DLL
  PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Wise Installation Wizard\WISCC98E8B3FAAA4D09A813A44C9FA1A3EE_9_0_908_51.MSI

Filesize
36.4MB

MD5
b434fbb62a8c9008e862191d8e7975f5

SHA1
dd6fd8937ac3233c0a99272ed712429c2536a66d

SHA256
256c159c57be8d2158a1e87eaf959e629e1ea916e75eedbee1b29813e6f05c4b

SHA512
af2715cb74822fea1dbe6caf5d362a6283f1395e2a9bde8989f0b89d62363bf3815aff6d88529a8a756e12b6f21cea0b5ecaa5290b6e18f0a52710bc9a7b2be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6EBE.tmp

Filesize
160KB

MD5
d9d9718000704053e7325752829bd5c9

SHA1
b7096b33219a78752ad128aaacc468047ca7c5aa

SHA256
80caaefda1b2ceda08e27cdfa2a579a2ee9f225a3ed436447f402a67d9fa91c3

SHA512
6e48f7a7ab276e15ed8d9d0c1f20d68316fdd53030432fb32850387c0867e3876e712a3627129cd30fa1c64ea369b722694f2e4b8fc86fc8579355827603c691

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6EBE.tmp

Filesize
160KB

MD5
d9d9718000704053e7325752829bd5c9

SHA1
b7096b33219a78752ad128aaacc468047ca7c5aa

SHA256
80caaefda1b2ceda08e27cdfa2a579a2ee9f225a3ed436447f402a67d9fa91c3

SHA512
6e48f7a7ab276e15ed8d9d0c1f20d68316fdd53030432fb32850387c0867e3876e712a3627129cd30fa1c64ea369b722694f2e4b8fc86fc8579355827603c691

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6FB9.tmp

Filesize
8KB

MD5
53bfc64d0c686ad04e92ca884bcfacf6

SHA1
354489a29bb5164c32a1cb567855723e15e957b8

SHA256
84fd0ecbe013c9af8649b8de36807ad2f37d33cd85fb9ebd1b01b59f295a8051

SHA512
3374ea30f69106db3da1e324fd7bd794d100e750984dc0bb160f16f3561d3a8d1e237a363d0f06d88efdfbaa41c9f9550016632470df52e1b41ec31c01ce57b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6FB9.tmp

Filesize
8KB

MD5
53bfc64d0c686ad04e92ca884bcfacf6

SHA1
354489a29bb5164c32a1cb567855723e15e957b8

SHA256
84fd0ecbe013c9af8649b8de36807ad2f37d33cd85fb9ebd1b01b59f295a8051

SHA512
3374ea30f69106db3da1e324fd7bd794d100e750984dc0bb160f16f3561d3a8d1e237a363d0f06d88efdfbaa41c9f9550016632470df52e1b41ec31c01ce57b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7661.tmp

Filesize
160KB

MD5
d9d9718000704053e7325752829bd5c9

SHA1
b7096b33219a78752ad128aaacc468047ca7c5aa

SHA256
80caaefda1b2ceda08e27cdfa2a579a2ee9f225a3ed436447f402a67d9fa91c3

SHA512
6e48f7a7ab276e15ed8d9d0c1f20d68316fdd53030432fb32850387c0867e3876e712a3627129cd30fa1c64ea369b722694f2e4b8fc86fc8579355827603c691

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7661.tmp

Filesize
160KB

MD5
d9d9718000704053e7325752829bd5c9

SHA1
b7096b33219a78752ad128aaacc468047ca7c5aa

SHA256
80caaefda1b2ceda08e27cdfa2a579a2ee9f225a3ed436447f402a67d9fa91c3

SHA512
6e48f7a7ab276e15ed8d9d0c1f20d68316fdd53030432fb32850387c0867e3876e712a3627129cd30fa1c64ea369b722694f2e4b8fc86fc8579355827603c691

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads