608cd17a58f8a5dc7d36d0335bb1681f90d186d98f6e60f16c7dbd06032cd634

Analysis

max time kernel
159s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HASPUserSetup.exe
Size

19.0MB
MD5

39beb5eaba98600a284347e80d6629a1
SHA1

c7a5dac40eadb24f368034c6d6e563bb5dbdebc9
SHA256

608cd17a58f8a5dc7d36d0335bb1681f90d186d98f6e60f16c7dbd06032cd634
SHA512

884c664e206e9e129eff49723e16c886089c3d682a4d1f2a4ca2bb1edb44d6b0907a993fc8aa4d400c27520f675e4cc3da773a64bedfc8a04ab55b66d23d8731
SSDEEP

393216:+HDLH8mZ05JPkXseZ4AVZMXiDIHXTU6I8sApwG5sXYO33AIwL:+HP8mC59HT+KSDIHj/NsAmG5BOZwL

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE

Loads dropped DLL 1 IoCs

pid	Process
848	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4328	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4328	MSIEXEC.EXE
Token: SeSecurityPrivilege	2528	msiexec.exe
Token: SeCreateTokenPrivilege	4328	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4328	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4328	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4328	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4328	MSIEXEC.EXE
Token: SeTcbPrivilege	4328	MSIEXEC.EXE
Token: SeSecurityPrivilege	4328	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4328	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4328	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4328	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4328	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4328	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4328	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4328	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4328	MSIEXEC.EXE
Token: SeBackupPrivilege	4328	MSIEXEC.EXE
Token: SeRestorePrivilege	4328	MSIEXEC.EXE
Token: SeShutdownPrivilege	4328	MSIEXEC.EXE
Token: SeDebugPrivilege	4328	MSIEXEC.EXE
Token: SeAuditPrivilege	4328	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4328	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4328	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4328	MSIEXEC.EXE
Token: SeUndockPrivilege	4328	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4328	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4328	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4328	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4328	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4328	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	4328	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4328	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4328	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4328	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4328	MSIEXEC.EXE
Token: SeTcbPrivilege	4328	MSIEXEC.EXE
Token: SeSecurityPrivilege	4328	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4328	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4328	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4328	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4328	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4328	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4328	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4328	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4328	MSIEXEC.EXE
Token: SeBackupPrivilege	4328	MSIEXEC.EXE
Token: SeRestorePrivilege	4328	MSIEXEC.EXE
Token: SeShutdownPrivilege	4328	MSIEXEC.EXE
Token: SeDebugPrivilege	4328	MSIEXEC.EXE
Token: SeAuditPrivilege	4328	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4328	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4328	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4328	MSIEXEC.EXE
Token: SeUndockPrivilege	4328	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4328	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4328	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4328	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4328	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4328	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	4328	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4328	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4328	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4328	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 4328	3648	HASPUserSetup.exe	89
PID 3648 wrote to memory of 4328	3648	HASPUserSetup.exe	89
PID 3648 wrote to memory of 4328	3648	HASPUserSetup.exe	89
PID 2528 wrote to memory of 848	2528	msiexec.exe	92
PID 2528 wrote to memory of 848	2528	msiexec.exe	92
PID 2528 wrote to memory of 848	2528	msiexec.exe	92

C:\Users\Admin\AppData\Local\Temp\HASPUserSetup.exe
"C:\Users\Admin\AppData\Local\Temp\HASPUserSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{5140F0F2-3D4E-49A2-A776-01C833F0D513}\HASP_Setup.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="HASPUserSetup.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCB2C91A1F83C4005D8C51612DFB32C4 C
  2⤵
  - Loads dropped DLL
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSICCE0.tmp

Filesize
151KB

MD5
147b7f7427d9ffe61ea784c3b5e245c8

SHA1
2ccf676aa59561f0f30fcd04d5df48831054cb3e

SHA256
68653956ea7674ec9e8e643b573c9c8fbee00b7d07d4fc89fb0e233844c68683

SHA512
7a63e0d33d462fb73b6ec57ef2b1c4a21d873694e4d5e37f86b34fb33392d760d4c1d2aea313246a2618e2dd4537afcfc8006daebf8c1abc26435bc462d2b53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICCE0.tmp

Filesize
151KB

MD5
147b7f7427d9ffe61ea784c3b5e245c8

SHA1
2ccf676aa59561f0f30fcd04d5df48831054cb3e

SHA256
68653956ea7674ec9e8e643b573c9c8fbee00b7d07d4fc89fb0e233844c68683

SHA512
7a63e0d33d462fb73b6ec57ef2b1c4a21d873694e4d5e37f86b34fb33392d760d4c1d2aea313246a2618e2dd4537afcfc8006daebf8c1abc26435bc462d2b53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5140F0F2-3D4E-49A2-A776-01C833F0D513}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5140F0F2-3D4E-49A2-A776-01C833F0D513}\HASP_Setup.msi

Filesize
18.3MB

MD5
e7ab407658d08137e5dee122738caeb0

SHA1
85b7f50b4de96f9bec6a930fbac678a89157c68d

SHA256
d490b0ae609b80f714cd47d6af22ac2ad84cf958f8db1114dcc369e9ec899088

SHA512
617e2ece6fe0dc8aaed2e6510e7f604c53c1dc8b3002cb7d805079b8e0cf66a2c1b0785271625a88a37c4496d52b96e48ea23364581625c0dfc3526344e34394

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3F27.tmp

Filesize
4KB

MD5
19d74741efbdce498bf67920e30dd9a4

SHA1
3c92af5831687a33c9f76cb8a31df4ae50da7b51

SHA256
4be9416becc97e1339e15800e3faf17ded37a4cc39264b20c24fe07c9eb9cdbe

SHA512
f56941f8d0029a6ed7eb85a9b8e44e9bd58ff6e0703ddfadea780d9edb17650bb8b211136054592ac434858e174267fe6dc76683fe629aa50a1e6db4bbe91d1c

Download Submit