74bf074b7cadce06a8633ec33a91a19ff31dcf2e48cad17b71fe44795f355b60

Analysis

max time kernel
117s
max time network
131s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VIPAccessSetup.exe
Size

15.2MB
MD5

4c9eefdf645daec351e2dcc24f23ce11
SHA1

5b448eebcabc9208df32ef4ba7794a7c5e3e6b5e
SHA256

74bf074b7cadce06a8633ec33a91a19ff31dcf2e48cad17b71fe44795f355b60
SHA512

08fb706095ef2f29fbd1deff303608194a88c214f9f04b678dd4200c10cfee74f138827fc9f0e14a8208ac955409de80c2e58821d92ab4c57334a5808b4b63b1
SSDEEP

393216:Qk9ENNSNeklpkbUvwhg1y3QSJg+NXcBNaWEaVZu:b9kSNnQbICOy3QSJLtrUO

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2784	msiexec.exe
5	2784	msiexec.exe
7	2784	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	install.exe

Loads dropped DLL 4 IoCs

pid	Process
1684	VIPAccessSetup.exe
1684	VIPAccessSetup.exe
1684	VIPAccessSetup.exe
1684	VIPAccessSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2784	msiexec.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2784	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2784	msiexec.exe
Token: SeRestorePrivilege	312	msiexec.exe
Token: SeTakeOwnershipPrivilege	312	msiexec.exe
Token: SeSecurityPrivilege	312	msiexec.exe
Token: SeCreateTokenPrivilege	2784	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2784	msiexec.exe
Token: SeLockMemoryPrivilege	2784	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2784	msiexec.exe
Token: SeMachineAccountPrivilege	2784	msiexec.exe
Token: SeTcbPrivilege	2784	msiexec.exe
Token: SeSecurityPrivilege	2784	msiexec.exe
Token: SeTakeOwnershipPrivilege	2784	msiexec.exe
Token: SeLoadDriverPrivilege	2784	msiexec.exe
Token: SeSystemProfilePrivilege	2784	msiexec.exe
Token: SeSystemtimePrivilege	2784	msiexec.exe
Token: SeProfSingleProcessPrivilege	2784	msiexec.exe
Token: SeIncBasePriorityPrivilege	2784	msiexec.exe
Token: SeCreatePagefilePrivilege	2784	msiexec.exe
Token: SeCreatePermanentPrivilege	2784	msiexec.exe
Token: SeBackupPrivilege	2784	msiexec.exe
Token: SeRestorePrivilege	2784	msiexec.exe
Token: SeShutdownPrivilege	2784	msiexec.exe
Token: SeDebugPrivilege	2784	msiexec.exe
Token: SeAuditPrivilege	2784	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2784	msiexec.exe
Token: SeChangeNotifyPrivilege	2784	msiexec.exe
Token: SeRemoteShutdownPrivilege	2784	msiexec.exe
Token: SeUndockPrivilege	2784	msiexec.exe
Token: SeSyncAgentPrivilege	2784	msiexec.exe
Token: SeEnableDelegationPrivilege	2784	msiexec.exe
Token: SeManageVolumePrivilege	2784	msiexec.exe
Token: SeImpersonatePrivilege	2784	msiexec.exe
Token: SeCreateGlobalPrivilege	2784	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2784	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2756	1684	VIPAccessSetup.exe	28
PID 1684 wrote to memory of 2756	1684	VIPAccessSetup.exe	28
PID 1684 wrote to memory of 2756	1684	VIPAccessSetup.exe	28
PID 1684 wrote to memory of 2756	1684	VIPAccessSetup.exe	28
PID 1684 wrote to memory of 2756	1684	VIPAccessSetup.exe	28
PID 1684 wrote to memory of 2756	1684	VIPAccessSetup.exe	28
PID 1684 wrote to memory of 2756	1684	VIPAccessSetup.exe	28
PID 2756 wrote to memory of 2784	2756	install.exe	30
PID 2756 wrote to memory of 2784	2756	install.exe	30
PID 2756 wrote to memory of 2784	2756	install.exe	30
PID 2756 wrote to memory of 2784	2756	install.exe	30
PID 2756 wrote to memory of 2784	2756	install.exe	30
PID 2756 wrote to memory of 2784	2756	install.exe	30
PID 2756 wrote to memory of 2784	2756	install.exe	30

C:\Users\Admin\AppData\Local\Temp\VIPAccessSetup.exe
"C:\Users\Admin\AppData\Local\Temp\VIPAccessSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\VIPSetup.msi" TRANSFORMS=1033.mst /lv "C:\Users\Admin\AppData\Local\Temp\VIPSetup.log"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2784

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB56C.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\1033.mst

Filesize
20KB

MD5
738b1c1da7f4c322c16bf9af507c4261

SHA1
98c2db1fe49b1da583d413fef5046d9b0b2f1cb3

SHA256
6cd35d4186e066775b2b99d9be49d8ac8e1eda66325871a61ecc42c28f62236c

SHA512
6caac39ac635991208f37e577cbdcf4157407f0d3e73ad35a9049498e2ebd6bf980f2e3fa90da41df03b8ccac7ef51b6d6bb1dbc8a8f3f48cbfa5782de7bc147

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\1040.mst

Filesize
108KB

MD5
8b1f7d2e166df7c5a594889b58405ed4

SHA1
14d32e5c1abce3f56a2183a84c88dc494b3539bd

SHA256
d956cd3de13084fa15c12f477740184ad12360d1f4d45c56540da70c6a90c996

SHA512
13ab59fa0dfe6046ca4accf17dec23b4cdce26cd35c64ee6d1228f5469dfb96a3861ee6e74ec27209dc30abc52e133c76ea117cab75d39f6f499e9cef3b7e1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\VIPSetup.msi

Filesize
3.5MB

MD5
5b3a137a191bd1aa572712b76518f04a

SHA1
d62897038a98d44ca2500b8831404ac1f0ab94c1

SHA256
4d5a93d3180384802e73ec56d693b695dfbdb16e0b764bb380bd33b788bead3f

SHA512
67826df3c57cea677a1911f7c0bc7eb721262142245ee70aa6ca5dcff0be0564799e83e11999c0549d21824dd35f273fc6c526486d4acbd577f3339076266421

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
502KB

MD5
0c1d13aed68a7cccab3fe21c15ba0152

SHA1
33384dac20bf94aff6507b0d32a33c1fd4103e3b

SHA256
8a269d55860f8b71dc0eaa2958b133e9fda9277d73f29e3bbbfc29e4fe8435a5

SHA512
bc10071360320ebb816cd32ac1af811f4c05cdedecad1b4e495c56c23a0b7c93c1e9af8e1127c3e652a0333cc833d23cf6a6e1c146f8a4f2a23007219539ea91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
502KB

MD5
0c1d13aed68a7cccab3fe21c15ba0152

SHA1
33384dac20bf94aff6507b0d32a33c1fd4103e3b

SHA256
8a269d55860f8b71dc0eaa2958b133e9fda9277d73f29e3bbbfc29e4fe8435a5

SHA512
bc10071360320ebb816cd32ac1af811f4c05cdedecad1b4e495c56c23a0b7c93c1e9af8e1127c3e652a0333cc833d23cf6a6e1c146f8a4f2a23007219539ea91

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB5CD.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
502KB

MD5
0c1d13aed68a7cccab3fe21c15ba0152

SHA1
33384dac20bf94aff6507b0d32a33c1fd4103e3b

SHA256
8a269d55860f8b71dc0eaa2958b133e9fda9277d73f29e3bbbfc29e4fe8435a5

SHA512
bc10071360320ebb816cd32ac1af811f4c05cdedecad1b4e495c56c23a0b7c93c1e9af8e1127c3e652a0333cc833d23cf6a6e1c146f8a4f2a23007219539ea91

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
502KB

MD5
0c1d13aed68a7cccab3fe21c15ba0152

SHA1
33384dac20bf94aff6507b0d32a33c1fd4103e3b

SHA256
8a269d55860f8b71dc0eaa2958b133e9fda9277d73f29e3bbbfc29e4fe8435a5

SHA512
bc10071360320ebb816cd32ac1af811f4c05cdedecad1b4e495c56c23a0b7c93c1e9af8e1127c3e652a0333cc833d23cf6a6e1c146f8a4f2a23007219539ea91

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
502KB

MD5
0c1d13aed68a7cccab3fe21c15ba0152

SHA1
33384dac20bf94aff6507b0d32a33c1fd4103e3b

SHA256
8a269d55860f8b71dc0eaa2958b133e9fda9277d73f29e3bbbfc29e4fe8435a5

SHA512
bc10071360320ebb816cd32ac1af811f4c05cdedecad1b4e495c56c23a0b7c93c1e9af8e1127c3e652a0333cc833d23cf6a6e1c146f8a4f2a23007219539ea91

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

Filesize
502KB

MD5
0c1d13aed68a7cccab3fe21c15ba0152

SHA1
33384dac20bf94aff6507b0d32a33c1fd4103e3b

SHA256
8a269d55860f8b71dc0eaa2958b133e9fda9277d73f29e3bbbfc29e4fe8435a5

SHA512
bc10071360320ebb816cd32ac1af811f4c05cdedecad1b4e495c56c23a0b7c93c1e9af8e1127c3e652a0333cc833d23cf6a6e1c146f8a4f2a23007219539ea91

Download Submit