Analysis
-
max time kernel
118s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system -
submitted
11-10-2023 12:17
Static task
static1
Behavioral task
behavioral1
Sample
HASPUserSetup.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
HASPUserSetup.exe
Resource
win10v2004-20230915-en
General
-
Target
HASPUserSetup.exe
-
Size
19.0MB
-
MD5
39beb5eaba98600a284347e80d6629a1
-
SHA1
c7a5dac40eadb24f368034c6d6e563bb5dbdebc9
-
SHA256
608cd17a58f8a5dc7d36d0335bb1681f90d186d98f6e60f16c7dbd06032cd634
-
SHA512
884c664e206e9e129eff49723e16c886089c3d682a4d1f2a4ca2bb1edb44d6b0907a993fc8aa4d400c27520f675e4cc3da773a64bedfc8a04ab55b66d23d8731
-
SSDEEP
393216:+HDLH8mZ05JPkXseZ4AVZMXiDIHXTU6I8sApwG5sXYO33AIwL:+HP8mC59HT+KSDIHj/NsAmG5BOZwL
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
Process msiexec.exe (23 drive roots): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Process MSIEXEC.EXE (23 drive roots): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: -
Loads dropped DLL 1 IoCs
pid Process 2964 MsiExec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2652 MSIEXEC.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Process msiexec.exe, pid 2776 (3 entries): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
Process MSIEXEC.EXE, pid 2652 (61 entries, in the order the report lists them): SeShutdownPrivilege, SeIncreaseQuotaPrivilege (the three msiexec.exe entries above fall between this point and the next), then two full passes over the following 29 privileges and the start of a third, which the 64-entry list cuts off after SeCreateTokenPrivilege: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2652 MSIEXEC.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target
PID 2224 (HASPUserSetup.exe) wrote to memory of PID 2652, procid_target 28: 7 identical rows
PID 2776 (msiexec.exe) wrote to memory of PID 2964, procid_target 30: 7 identical rows
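An added example, not part of the sandbox report or its vendor's tooling: a small Python parser that turns the flattened "Suspicious use of WriteProcessMemory" and "Suspicious use of AdjustPrivilegeToken" rows above into unique parent-to-child edges (with the duplicate-row count kept) and per-PID privilege sets, and flags a hand-picked list of high-impact privileges. The input strings are excerpted from this report's own IoC text; the SENSITIVE set is this example's own choice (an assumption), not a field the report provides.

```python
"""Parse flattened sandbox signature rows into structured data.

Added example for this page, not sandbox-vendor code. Input rows are
excerpted from the report above; SENSITIVE is this example's own list.
"""
import re
from collections import defaultdict

# Excerpted (shortened) from the report's own IoC lists.
WRITE_ROWS = (
    "PID 2224 wrote to memory of 2652 2224 HASPUserSetup.exe 28 "
    "PID 2224 wrote to memory of 2652 2224 HASPUserSetup.exe 28 "
    "PID 2776 wrote to memory of 2964 2776 msiexec.exe 30 "
    "PID 2776 wrote to memory of 2964 2776 msiexec.exe 30"
)
TOKEN_ROWS = (
    "Token: SeShutdownPrivilege 2652 MSIEXEC.EXE "
    "Token: SeRestorePrivilege 2776 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 2776 msiexec.exe "
    "Token: SeTcbPrivilege 2652 MSIEXEC.EXE "
    "Token: SeDebugPrivilege 2652 MSIEXEC.EXE "
    "Token: SeDebugPrivilege 2652 MSIEXEC.EXE"
)

# Row layout in the report: description ("PID <src> wrote to memory of <dst>"),
# then pid, Process name, and the sandbox's own procid_target index.
WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<target>\d+)"
)
TOKEN_RE = re.compile(r"Token: (?P<priv>Se\w+Privilege) (?P<pid>\d+) (?P<name>\S+)")

# Privileges worth a second look when an installer chain enables them.
# This is the example's own selection (assumption), not a report field.
SENSITIVE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeImpersonatePrivilege", "SeTakeOwnershipPrivilege",
    "SeRestorePrivilege", "SeBackupPrivilege",
}


def parse_write_edges(text):
    """Collapse repeated WriteProcessMemory rows into unique parent->child edges.

    Returns {(src_pid, src_name, dst_pid): row_count}. The sandbox emits one
    row per WriteProcessMemory call, so a plain CreateProcess handshake shows
    up as several identical rows; the count keeps that duplication visible.
    """
    edges = defaultdict(int)
    for m in WRITE_RE.finditer(text):
        edges[(int(m["src"]), m["name"], int(m["dst"]))] += 1
    return dict(edges)


def parse_privileges(text):
    """Group AdjustPrivilegeToken rows by PID: {pid: (name, set_of_privileges)}."""
    by_pid = {}
    for m in TOKEN_RE.finditer(text):
        pid = int(m["pid"])
        _name, privs = by_pid.setdefault(pid, (m["name"], set()))
        privs.add(m["priv"])
    return by_pid


def flag_sensitive(by_pid):
    """Return {pid: sorted sensitive privileges} for PIDs that touch SENSITIVE."""
    out = {}
    for pid, (_name, privs) in by_pid.items():
        hits = sorted(privs & SENSITIVE)
        if hits:
            out[pid] = hits
    return out


def process_tree(edges):
    """Render edges as 'parent(pid) -> child pid' lines, sorted for stable output."""
    return [
        f"{name}({src}) -> {dst}  [{n} WriteProcessMemory rows]"
        for (src, name, dst), n in sorted(edges.items())
    ]


if __name__ == "__main__":
    edges = parse_write_edges(WRITE_ROWS)
    print("\n".join(process_tree(edges)))
    privs = parse_privileges(TOKEN_ROWS)
    for pid, hits in flag_sensitive(privs).items():
        print(f"PID {pid} ({privs[pid][0]}): {', '.join(hits)}")
```

Two caveats when reading the output against this report. The Windows Installer service enables SeRestore, SeTakeOwnership and SeSecurity as part of a normal install, so those three on pid 2776 are expected. The repeated sweep through every privilege on the SysWOW64 MSIEXEC.EXE instance (pid 2652) is an enable-everything-in-the-token pattern, but AdjustTokenPrivileges can only enable privileges the token already holds; it cannot add new ones, so for a standard user most of those calls simply fail, and the signature is an indicator to check, not evidence of elevation on its own.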
Processes
-
C:\Users\Admin\AppData\Local\Temp\HASPUserSetup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\HASPUserSetup.exe"
Depth 1
- Suspicious use of WriteProcessMemory
PID:2224 -
    C:\Windows\SysWOW64\MSIEXEC.EXE
    Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{9AC744D4-38B1-488D-A5E1-BD914736F9FB}\HASP_Setup.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="HASPUserSetup.exe"
    Depth 2 (child of PID 2224)
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2652
-
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
Depth 1
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776 -
    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1C1B5317316EF386DC124D43EA26DBA7 C
    Depth 2 (child of PID 2776)
    - Loads dropped DLL
    PID:2964

Note on the chain: this is the standard Windows Installer layout. The setup stub (PID 2224) extracts HASP_Setup.msi into a GUID-named folder under %TEMP% and runs the 32-bit MSIEXEC.EXE client against it; the 64-bit msiexec.exe /V instance (PID 2776) is the Windows Installer service, and MsiExec.exe -Embedding (PID 2964) is the custom-action server it spawns, which is where MSI custom-action DLLs execute. The "Loads dropped DLL" signature therefore sits on PID 2964, but the report does not say which of the files listed under Downloads was the one loaded.
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
151KB
MD5
147b7f7427d9ffe61ea784c3b5e245c8
SHA1
2ccf676aa59561f0f30fcd04d5df48831054cb3e
SHA256
68653956ea7674ec9e8e643b573c9c8fbee00b7d07d4fc89fb0e233844c68683
SHA512
7a63e0d33d462fb73b6ec57ef2b1c4a21d873694e4d5e37f86b34fb33392d760d4c1d2aea313246a2618e2dd4537afcfc8006daebf8c1abc26435bc462d2b53c
-
Filesize
21KB
MD5
be345d0260ae12c5f2f337b17e07c217
SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff
-
Filesize
18.3MB
MD5
e7ab407658d08137e5dee122738caeb0
SHA1
85b7f50b4de96f9bec6a930fbac678a89157c68d
SHA256
d490b0ae609b80f714cd47d6af22ac2ad84cf958f8db1114dcc369e9ec899088
SHA512
617e2ece6fe0dc8aaed2e6510e7f604c53c1dc8b3002cb7d805079b8e0cf66a2c1b0785271625a88a37c4496d52b96e48ea23364581625c0dfc3526344e34394
-
Filesize
4KB
MD5
19d74741efbdce498bf67920e30dd9a4
SHA1
3c92af5831687a33c9f76cb8a31df4ae50da7b51
SHA256
4be9416becc97e1339e15800e3faf17ded37a4cc39264b20c24fe07c9eb9cdbe
SHA512
f56941f8d0029a6ed7eb85a9b8e44e9bd58ff6e0703ddfadea780d9edb17650bb8b211136054592ac434858e174267fe6dc76683fe629aa50a1e6db4bbe91d1c
-
Filesize
151KB (listed a second time by the report; same hashes as the first download entry above)
MD5
147b7f7427d9ffe61ea784c3b5e245c8
SHA1
2ccf676aa59561f0f30fcd04d5df48831054cb3e
SHA256
68653956ea7674ec9e8e643b573c9c8fbee00b7d07d4fc89fb0e233844c68683
SHA512
7a63e0d33d462fb73b6ec57ef2b1c4a21d873694e4d5e37f86b34fb33392d760d4c1d2aea313246a2618e2dd4537afcfc8006daebf8c1abc26435bc462d2b53c