Overview
overview
7Static
static
3Installer(...up.exe
windows7-x64
7Installer(...up.exe
windows10-2004-x64
7Surveillan...em.msi
windows7-x64
7Surveillan...em.msi
windows10-2004-x64
7Surveillan...al.pdf
windows7-x64
1Surveillan...al.pdf
windows10-2004-x64
1Surveillan...up.exe
windows7-x64
7Surveillan...up.exe
windows10-2004-x64
7Analysis
-
max time kernel
46s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
08-10-2023 01:13
Static task
static1
Behavioral task
behavioral1
Sample
Installer(1.5)_2005-09-27/setup.exe
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral2
Sample
Installer(1.5)_2005-09-27/setup.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Surveillance System(1.1.00052)_2005-09-28/Surveillance System.msi
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral4
Sample
Surveillance System(1.1.00052)_2005-09-28/Surveillance System.msi
Resource
win10v2004-20230915-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Surveillance System(1.1.00052)_2005-09-28/UserManual.pdf
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral6
Sample
Surveillance System(1.1.00052)_2005-09-28/UserManual.pdf
Resource
win10v2004-20230915-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Surveillance System(1.1.00052)_2005-09-28/setup.exe
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral8
Sample
Surveillance System(1.1.00052)_2005-09-28/setup.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
General
-
Target
Surveillance System(1.1.00052)_2005-09-28/Surveillance System.msi
-
Size
841KB
-
MD5
8471e53a5fc2661f4cd0a9d6151eead9
-
SHA1
575886d0310d4d00c90ff937b30e1dd0ca87b228
-
SHA256
47a90f403618ab2e7c67898af3bc8abf6a8cd8a210b5c48e28b844e63bef0ad5
-
SHA512
cdd5eda0ab639494e10cf8be9c00401b761e5fa3f8177bbf8487c3c109ca5a11fe3b4cf764508b25f779751fc5b081855c6e564bee2137739633657ecf01bca1
-
SSDEEP
6144:+QC/riBt6iJhfKGGn+QAXUvcHXJqEW+T0yEgZdYUsUt7tYxasUfed:iTiBAiJhfu+QkWcKk0odFt5BsUU
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 2868 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2216 msiexec.exe Token: SeIncreaseQuotaPrivilege 2216 msiexec.exe Token: SeRestorePrivilege 2404 msiexec.exe Token: SeTakeOwnershipPrivilege 2404 msiexec.exe Token: SeSecurityPrivilege 2404 msiexec.exe Token: SeCreateTokenPrivilege 2216 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2216 msiexec.exe Token: SeLockMemoryPrivilege 2216 msiexec.exe Token: SeIncreaseQuotaPrivilege 2216 msiexec.exe Token: SeMachineAccountPrivilege 2216 msiexec.exe Token: SeTcbPrivilege 2216 msiexec.exe Token: SeSecurityPrivilege 2216 msiexec.exe Token: SeTakeOwnershipPrivilege 2216 msiexec.exe Token: SeLoadDriverPrivilege 2216 msiexec.exe Token: SeSystemProfilePrivilege 2216 msiexec.exe Token: SeSystemtimePrivilege 2216 msiexec.exe Token: SeProfSingleProcessPrivilege 2216 msiexec.exe Token: SeIncBasePriorityPrivilege 2216 msiexec.exe Token: SeCreatePagefilePrivilege 2216 msiexec.exe Token: SeCreatePermanentPrivilege 2216 msiexec.exe Token: SeBackupPrivilege 2216 msiexec.exe Token: SeRestorePrivilege 2216 msiexec.exe Token: SeShutdownPrivilege 2216 msiexec.exe Token: SeDebugPrivilege 2216 msiexec.exe Token: SeAuditPrivilege 2216 msiexec.exe Token: SeSystemEnvironmentPrivilege 2216 msiexec.exe Token: SeChangeNotifyPrivilege 2216 msiexec.exe Token: SeRemoteShutdownPrivilege 2216 msiexec.exe Token: SeUndockPrivilege 2216 msiexec.exe Token: SeSyncAgentPrivilege 2216 msiexec.exe Token: SeEnableDelegationPrivilege 2216 msiexec.exe Token: SeManageVolumePrivilege 2216 msiexec.exe Token: SeImpersonatePrivilege 2216 msiexec.exe Token: SeCreateGlobalPrivilege 2216 msiexec.exe Token: SeCreateTokenPrivilege 2216 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2216 msiexec.exe Token: SeLockMemoryPrivilege 2216 msiexec.exe Token: SeIncreaseQuotaPrivilege 2216 msiexec.exe Token: SeMachineAccountPrivilege 2216 msiexec.exe Token: SeTcbPrivilege 2216 msiexec.exe Token: SeSecurityPrivilege 2216 msiexec.exe Token: SeTakeOwnershipPrivilege 2216 msiexec.exe Token: SeLoadDriverPrivilege 2216 msiexec.exe Token: SeSystemProfilePrivilege 2216 msiexec.exe Token: SeSystemtimePrivilege 2216 msiexec.exe Token: SeProfSingleProcessPrivilege 2216 msiexec.exe Token: SeIncBasePriorityPrivilege 2216 msiexec.exe Token: SeCreatePagefilePrivilege 2216 msiexec.exe Token: SeCreatePermanentPrivilege 2216 msiexec.exe Token: SeBackupPrivilege 2216 msiexec.exe Token: SeRestorePrivilege 2216 msiexec.exe Token: SeShutdownPrivilege 2216 msiexec.exe Token: SeDebugPrivilege 2216 msiexec.exe Token: SeAuditPrivilege 2216 msiexec.exe Token: SeSystemEnvironmentPrivilege 2216 msiexec.exe Token: SeChangeNotifyPrivilege 2216 msiexec.exe Token: SeRemoteShutdownPrivilege 2216 msiexec.exe Token: SeUndockPrivilege 2216 msiexec.exe Token: SeSyncAgentPrivilege 2216 msiexec.exe Token: SeEnableDelegationPrivilege 2216 msiexec.exe Token: SeManageVolumePrivilege 2216 msiexec.exe Token: SeImpersonatePrivilege 2216 msiexec.exe Token: SeCreateGlobalPrivilege 2216 msiexec.exe Token: SeCreateTokenPrivilege 2216 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2216 msiexec.exe 2216 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2404 wrote to memory of 2868 2404 msiexec.exe 31 PID 2404 wrote to memory of 2868 2404 msiexec.exe 31 PID 2404 wrote to memory of 2868 2404 msiexec.exe 31 PID 2404 wrote to memory of 2868 2404 msiexec.exe 31 PID 2404 wrote to memory of 2868 2404 msiexec.exe 31 PID 2404 wrote to memory of 2868 2404 msiexec.exe 31 PID 2404 wrote to memory of 2868 2404 msiexec.exe 31
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Surveillance System(1.1.00052)_2005-09-28\Surveillance System.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2216
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7DFCC0B1AA5986C2B2DEDB120FE77105 C2⤵
- Loads dropped DLL
PID:2868
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5e460051d690b8f6e40aeb45c70982c61
SHA194fb74bb1aadbda29538079cf13f1626123f6a4b
SHA2562cd0a82fdb3ea5e1021aafa71452ec9b03cc0976ea967fa88f0aba19dd2cb8db
SHA51281ff8c6cf6b90558afaa7d03e4a7281ec9575f610509a8f0bade0ff3375ae03863a9661d60dc4b062195414ecefa1445d5d7f1a7e857b6b2e0bf939bcef3f1c4
-
Filesize
100KB
MD5e460051d690b8f6e40aeb45c70982c61
SHA194fb74bb1aadbda29538079cf13f1626123f6a4b
SHA2562cd0a82fdb3ea5e1021aafa71452ec9b03cc0976ea967fa88f0aba19dd2cb8db
SHA51281ff8c6cf6b90558afaa7d03e4a7281ec9575f610509a8f0bade0ff3375ae03863a9661d60dc4b062195414ecefa1445d5d7f1a7e857b6b2e0bf939bcef3f1c4