38e3439acc61a4cccde272a5aa3dfc3291e82c7967db9bc040e2336f2bc4b1a7

Analysis

max time kernel
145s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FireDaemonPro.4.0.6/FireDaemon-Pro-x64-4.0.68.exe
Size

32.9MB
MD5

1fb7bc200e2015fd749605e8cc9b70e1
SHA1

47860f259e5711b8235681849441a5a5fa698e67
SHA256

b76c6dbff614ff0375bd66789b2b5f694b3e6a9e082211331dfc3be47b1fe279
SHA512

f0cdc7b8b01b9b96a4d1f0c08ec231250a350dc411eefe67d0546d89cb1be5fa379a2d9e8aa46bb8864584a9114d5ca13f1e5836c2066cfb0b41eabed9c6e7c1
SSDEEP

786432:VnkiJzIqsDRVMP4zBmgkWALsEycCmudWiNIklf7S:VkiJzIq3P4zBmgkWVuC4KIR

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
17	3256	MSIEXEC.EXE
18	3256	MSIEXEC.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE

Executes dropped EXE 1 IoCs

pid	Process
4116	FireDaemon-Pro-x64-4.0.68.exe

Loads dropped DLL 1 IoCs

pid	Process
4928	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3256	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3256	MSIEXEC.EXE
Token: SeSecurityPrivilege	1236	msiexec.exe
Token: SeCreateTokenPrivilege	3256	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3256	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3256	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3256	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3256	MSIEXEC.EXE
Token: SeTcbPrivilege	3256	MSIEXEC.EXE
Token: SeSecurityPrivilege	3256	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3256	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3256	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3256	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3256	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3256	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3256	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3256	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3256	MSIEXEC.EXE
Token: SeBackupPrivilege	3256	MSIEXEC.EXE
Token: SeRestorePrivilege	3256	MSIEXEC.EXE
Token: SeShutdownPrivilege	3256	MSIEXEC.EXE
Token: SeDebugPrivilege	3256	MSIEXEC.EXE
Token: SeAuditPrivilege	3256	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3256	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3256	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3256	MSIEXEC.EXE
Token: SeUndockPrivilege	3256	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3256	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3256	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3256	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3256	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3256	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3256	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3256	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3256	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3256	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3256	MSIEXEC.EXE
Token: SeTcbPrivilege	3256	MSIEXEC.EXE
Token: SeSecurityPrivilege	3256	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3256	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3256	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3256	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3256	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3256	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3256	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3256	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3256	MSIEXEC.EXE
Token: SeBackupPrivilege	3256	MSIEXEC.EXE
Token: SeRestorePrivilege	3256	MSIEXEC.EXE
Token: SeShutdownPrivilege	3256	MSIEXEC.EXE
Token: SeDebugPrivilege	3256	MSIEXEC.EXE
Token: SeAuditPrivilege	3256	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3256	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3256	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3256	MSIEXEC.EXE
Token: SeUndockPrivilege	3256	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3256	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3256	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3256	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3256	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3256	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3256	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3256	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3256	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3256	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 4116	556	FireDaemon-Pro-x64-4.0.68.exe	83
PID 556 wrote to memory of 4116	556	FireDaemon-Pro-x64-4.0.68.exe	83
PID 556 wrote to memory of 4116	556	FireDaemon-Pro-x64-4.0.68.exe	83
PID 4116 wrote to memory of 3256	4116	FireDaemon-Pro-x64-4.0.68.exe	88
PID 4116 wrote to memory of 3256	4116	FireDaemon-Pro-x64-4.0.68.exe	88
PID 1236 wrote to memory of 4928	1236	msiexec.exe	92
PID 1236 wrote to memory of 4928	1236	msiexec.exe	92
PID 1236 wrote to memory of 4928	1236	msiexec.exe	92
PID 1236 wrote to memory of 1800	1236	msiexec.exe	95
PID 1236 wrote to memory of 1800	1236	msiexec.exe	95

C:\Users\Admin\AppData\Local\Temp\FireDaemonPro.4.0.6\FireDaemon-Pro-x64-4.0.68.exe
"C:\Users\Admin\AppData\Local\Temp\FireDaemonPro.4.0.6\FireDaemon-Pro-x64-4.0.68.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\{6C5A17C3-CEAE-4B27-A751-2666DDAF2902}\FireDaemon-Pro-x64-4.0.68.exe
  C:\Users\Admin\AppData\Local\Temp\{6C5A17C3-CEAE-4B27-A751-2666DDAF2902}\FireDaemon-Pro-x64-4.0.68.exe /q"C:\Users\Admin\AppData\Local\Temp\FireDaemonPro.4.0.6\FireDaemon-Pro-x64-4.0.68.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{6C5A17C3-CEAE-4B27-A751-2666DDAF2902}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\system32\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{6C5A17C3-CEAE-4B27-A751-2666DDAF2902}\FireDaemon-Pro-x64-4.0.68.msi" FULLPACKAGE=1 SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\FireDaemonPro.4.0.6" SETUPEXENAME="FireDaemon-Pro-x64-4.0.68.exe"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3256

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3C07F29E477A3A74DA445BFB13D13525 C
  2⤵
  - Loads dropped DLL
  PID:4928
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 9446E22B59EDFB0F7DAA786935950A67 C
  2⤵
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIC10E.tmp

Filesize
165KB

MD5
b4404fbe8e2dff187b143c88da903c82

SHA1
6c5117d6ac6a88401363c41403fffb7f96a3319d

SHA256
d64807070c6b57700ecaaef8d0fdf6637f348dc2dc6aa49db65ed578d054f906

SHA512
44e6c18bf7b7f431af17c44e8a1d6f1f89cabdf449b4f0937862a44583a237605ab3035937689409fbd063126a51b83e77ba334c01ddcf4cd5c17f33ec9e5c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC10E.tmp

Filesize
165KB

MD5
b4404fbe8e2dff187b143c88da903c82

SHA1
6c5117d6ac6a88401363c41403fffb7f96a3319d

SHA256
d64807070c6b57700ecaaef8d0fdf6637f348dc2dc6aa49db65ed578d054f906

SHA512
44e6c18bf7b7f431af17c44e8a1d6f1f89cabdf449b4f0937862a44583a237605ab3035937689409fbd063126a51b83e77ba334c01ddcf4cd5c17f33ec9e5c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\issA700.tmp

Filesize
2.5MB

MD5
73d623b13eddbb804e619ec9bf69ee2a

SHA1
587cf4cb7f8946d5d79e7dc8df1076beb14081d6

SHA256
cc9798f900a0c9b6b48c5c723b352a12987bb16efc950422c1be447ddd306db9

SHA512
5b93eb2457735d655745930d7fd9bd13ff47dd8ae3df6c17802c9c907b5a907b6a2c9743e857009d11166e2a15b0e2f9a052a69404abb2deaa34983424842382

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6C5A17C3-CEAE-4B27-A751-2666DDAF2902}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6C5A17C3-CEAE-4B27-A751-2666DDAF2902}\FireDaemon-Pro-x64-4.0.68.exe

Filesize
32.9MB

MD5
1fb7bc200e2015fd749605e8cc9b70e1

SHA1
47860f259e5711b8235681849441a5a5fa698e67

SHA256
b76c6dbff614ff0375bd66789b2b5f694b3e6a9e082211331dfc3be47b1fe279

SHA512
f0cdc7b8b01b9b96a4d1f0c08ec231250a350dc411eefe67d0546d89cb1be5fa379a2d9e8aa46bb8864584a9114d5ca13f1e5836c2066cfb0b41eabed9c6e7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6C5A17C3-CEAE-4B27-A751-2666DDAF2902}\FireDaemon-Pro-x64-4.0.68.exe

Filesize
32.9MB

MD5
1fb7bc200e2015fd749605e8cc9b70e1

SHA1
47860f259e5711b8235681849441a5a5fa698e67

SHA256
b76c6dbff614ff0375bd66789b2b5f694b3e6a9e082211331dfc3be47b1fe279

SHA512
f0cdc7b8b01b9b96a4d1f0c08ec231250a350dc411eefe67d0546d89cb1be5fa379a2d9e8aa46bb8864584a9114d5ca13f1e5836c2066cfb0b41eabed9c6e7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6C5A17C3-CEAE-4B27-A751-2666DDAF2902}\FireDaemon-Pro-x64-4.0.68.msi

Filesize
17.8MB

MD5
ccdb0d3d50f29796bdb214cca2a79680

SHA1
c2b26c3f4e2ddd8a71e12a03437889a7fba639cc

SHA256
0f6d1af7376780c8ccfc1df3625ca6620fce1372cee981542181e6979076cf19

SHA512
155b79fcea55c934eccab736f46601918cca91c25a0a9bc0588f0b240a3bf5d9dd1bc02ad8c577cf648aaf649e4da89ba670f45d62b256beb0d687e67532cadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6C5A17C3-CEAE-4B27-A751-2666DDAF2902}\_ISMSIDEL.INI

Filesize
672B

MD5
c4aaaf0b99a9225ac387a37ec27a920c

SHA1
0c3943083a3e4c28393eb1c54f55239c460788e8

SHA256
61272241424274d602b3f8acae6b0740652ea24558f99c3794d31dd35dff1328

SHA512
668d2070c6d6ac115877b7aa7ae54d14fb56dd94d832adc5d757a758f7d6229075d1f3ee7951e7bb945b022e070ba0dc90e14ef64c6d2a9c83486baa542517e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6C5A17C3-CEAE-4B27-A751-2666DDAF2902}\_ISMSIDEL.INI

Filesize
672B

MD5
c4aaaf0b99a9225ac387a37ec27a920c

SHA1
0c3943083a3e4c28393eb1c54f55239c460788e8

SHA256
61272241424274d602b3f8acae6b0740652ea24558f99c3794d31dd35dff1328

SHA512
668d2070c6d6ac115877b7aa7ae54d14fb56dd94d832adc5d757a758f7d6229075d1f3ee7951e7bb945b022e070ba0dc90e14ef64c6d2a9c83486baa542517e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~98F6.tmp

Filesize
5KB

MD5
732ba3e4def4bc8865c93bb178c3097c

SHA1
6b3cda78d589c0c691cb91d5dee39f59b8e50998

SHA256
dbeb2635aadb313cb5a1c607d5fe31734fd378c6e146f84fdf174a6798aace9d

SHA512
83474363f232ef7723ef72f50767444b788ee25c14b6f2f3df83502dc569dc94f6e9d44f24bfa572b90172dbd35a4e81673add6a9021ed9eb1af876dcce07ce9

Download Submit