666cd195137e722b8cf2d1ffdf6bbf7d78181d2e535a08e27a8e874219e7a1f3

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_SmartRFProgr_1.12.7.exe
Size

24.3MB
MD5

56d2e3c7b1bf5d8bccea74258d220789
SHA1

f84dcebf15eadee49116192a76a71bf2986147e8
SHA256

666cd195137e722b8cf2d1ffdf6bbf7d78181d2e535a08e27a8e874219e7a1f3
SHA512

e9e2f076f6772670dd962a3bd7fae95488a1b58fa80d1f05e9b16786f2822f8a250164d18888576f4eacaaf7534895b947fedacbd150f678d8e5255c5afc345e
SSDEEP

393216:E4A9AL9NTfkKMxnSJhnXB5e8p+Hivv3HQpFdKwOYYn69OCcu9o1XGcm507aO:wm9NjkKM8Jhnbe8pP3OOiAt5Gcm5i

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4904	MsiExec.exe
4904	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	820	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	820	MSIEXEC.EXE
Token: SeSecurityPrivilege	4000	msiexec.exe
Token: SeCreateTokenPrivilege	820	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	820	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	820	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	820	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	820	MSIEXEC.EXE
Token: SeTcbPrivilege	820	MSIEXEC.EXE
Token: SeSecurityPrivilege	820	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	820	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	820	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	820	MSIEXEC.EXE
Token: SeSystemtimePrivilege	820	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	820	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	820	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	820	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	820	MSIEXEC.EXE
Token: SeBackupPrivilege	820	MSIEXEC.EXE
Token: SeRestorePrivilege	820	MSIEXEC.EXE
Token: SeShutdownPrivilege	820	MSIEXEC.EXE
Token: SeDebugPrivilege	820	MSIEXEC.EXE
Token: SeAuditPrivilege	820	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	820	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	820	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	820	MSIEXEC.EXE
Token: SeUndockPrivilege	820	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	820	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	820	MSIEXEC.EXE
Token: SeManageVolumePrivilege	820	MSIEXEC.EXE
Token: SeImpersonatePrivilege	820	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	820	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	820	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	820	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	820	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	820	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	820	MSIEXEC.EXE
Token: SeTcbPrivilege	820	MSIEXEC.EXE
Token: SeSecurityPrivilege	820	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	820	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	820	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	820	MSIEXEC.EXE
Token: SeSystemtimePrivilege	820	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	820	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	820	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	820	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	820	MSIEXEC.EXE
Token: SeBackupPrivilege	820	MSIEXEC.EXE
Token: SeRestorePrivilege	820	MSIEXEC.EXE
Token: SeShutdownPrivilege	820	MSIEXEC.EXE
Token: SeDebugPrivilege	820	MSIEXEC.EXE
Token: SeAuditPrivilege	820	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	820	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	820	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	820	MSIEXEC.EXE
Token: SeUndockPrivilege	820	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	820	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	820	MSIEXEC.EXE
Token: SeManageVolumePrivilege	820	MSIEXEC.EXE
Token: SeImpersonatePrivilege	820	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	820	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	820	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	820	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	820	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4252	Setup_SmartRFProgr_1.12.7.exe
820	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 820	4252	Setup_SmartRFProgr_1.12.7.exe	85
PID 4252 wrote to memory of 820	4252	Setup_SmartRFProgr_1.12.7.exe	85
PID 4252 wrote to memory of 820	4252	Setup_SmartRFProgr_1.12.7.exe	85
PID 4000 wrote to memory of 4904	4000	msiexec.exe	90
PID 4000 wrote to memory of 4904	4000	msiexec.exe	90
PID 4000 wrote to memory of 4904	4000	msiexec.exe	90

C:\Users\Admin\AppData\Local\Temp\Setup_SmartRFProgr_1.12.7.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_SmartRFProgr_1.12.7.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{2115B788-C803-47DF-9517-5DDC304FCF2A}\Setup_SmartRFProgr.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Setup_SmartRFProgr_1.12.7.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:820

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E51AABDD8C0CA22F823D262E40D58829 C
  2⤵
  - Loads dropped DLL
  PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI723D.tmp

Filesize
57KB

MD5
90ed4938fd712e3ac49dfdff0ff63cc0

SHA1
f3ae0ec59bd8fcb578310942bbf17c047d4895c9

SHA256
9d3eee64d97e0b082a2ab26f997b29fd6f16bb49a70b711fdc241fca079c788b

SHA512
c35ae7a402a01155a9aca294ee88a4029eeb2c560c25a33acb3e35d7060f8fa02d6bc0289b6cf44ed4e516cbd21a7c7b0843172d2686dc3a7270f40be08e0f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI723D.tmp

Filesize
57KB

MD5
90ed4938fd712e3ac49dfdff0ff63cc0

SHA1
f3ae0ec59bd8fcb578310942bbf17c047d4895c9

SHA256
9d3eee64d97e0b082a2ab26f997b29fd6f16bb49a70b711fdc241fca079c788b

SHA512
c35ae7a402a01155a9aca294ee88a4029eeb2c560c25a33acb3e35d7060f8fa02d6bc0289b6cf44ed4e516cbd21a7c7b0843172d2686dc3a7270f40be08e0f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7348.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7348.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss6061.tmp

Filesize
1.3MB

MD5
7164079be63794315ed16d0c175da36f

SHA1
f94e0ae5676ec7f088dc4e14910d4820bc143066

SHA256
65f1d4e50720bc6583015f9656a30ce97b429565d27c5ce1616709623912504c

SHA512
1abab91a345a3113cce570aea222eaa94e2b8081290b7f3ce9a875c972ad2bb4323de28e3c851f4d062dfc005815b2459a0017509ed40d5b5014d41fff74a066

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2115B788-C803-47DF-9517-5DDC304FCF2A}\0x0409.ini

Filesize
20KB

MD5
36affbd6ff77d1515cfc1c5e998fbaf9

SHA1
950d00ecc2e7fd2c48897814029e8eedf6397838

SHA256
fccc7f79d29318d8ae78850c262bac762c28858709a6e6cf3b62bcd2729a61e3

SHA512
2f29de86d486db783872581a43a834e5064d1488bc3f085ddc5a3287eb9ee8a4ce93d66f7b4965cafb3c4f06b38d4b0fcfdc0fcb1f99d61331a808e5d6011808

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2115B788-C803-47DF-9517-5DDC304FCF2A}\Setup_SmartRFProgr.msi

Filesize
22.8MB

MD5
49d2373b91b4e8cc77f4849414aca92c

SHA1
86ddfc1d4bd86b751674a2f98567e538deef35ce

SHA256
3ca1a7f8207faea7cc11c353612b00c10e8683c2acc7ad6ae758d67af010b0da

SHA512
ea4fa8b828fb0c3bc9c772779f2956a75c9ad94dee5f6a7386f7d26d6f053731dbda671e645b03cf659316e761476d1284d1ccbfdf1bc150f6469eb0ef644a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3EFA.tmp

Filesize
2KB

MD5
e873e338d0544d2d01c321add7667c45

SHA1
7379b97a20355f1a0f25b3a9e74b77d7b49038cf

SHA256
3e0c8a89f6db6380d98e286554fcd63ea81a381e3ca2d7204c0f3a18ead35a28

SHA512
d570dc897616def7a70d4245045af8c82a357658614cad18ea10afb1248e33bf08b78bd014586fe668aa44e55740c569abf601f247b6099ab5dde9f3815208af

Download Submit