38e3439acc61a4cccde272a5aa3dfc3291e82c7967db9bc040e2336f2bc4b1a7

Analysis

max time kernel
150s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FireDaemonPro.4.0.6/FireDaemon-Pro-x86-4.0.68.exe
Size

31.7MB
MD5

820d7ee9fbab8a864df2d49944a158ba
SHA1

a0dbd4e2ed8124bf9003c428a2529365f2260ad4
SHA256

971df80e6831a2c4619b70f35b5c8ff99f1986fbcf5f447a374642540c4b1395
SHA512

8d006c17f645bca4769d3f9fb7776a49b8a63739f9303cdfb03c07aa2430d24426f0560c17f4b48094a42f32d8b209cfaee8ba2b2b16bd70e3888609d6d702b3
SSDEEP

786432:vgfbfssF3AfmtsvGP3CTVkw2zvcffiEngGVcYNmKyQ:vgf1mDvGP3EVGg2ZDQ

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
23	332	MSIEXEC.EXE
24	332	MSIEXEC.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4296	FireDaemon-Pro-x86-4.0.68.exe

Loads dropped DLL 1 IoCs

pid	Process
2980	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	332	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	332	MSIEXEC.EXE
Token: SeSecurityPrivilege	2796	msiexec.exe
Token: SeCreateTokenPrivilege	332	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	332	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	332	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	332	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	332	MSIEXEC.EXE
Token: SeTcbPrivilege	332	MSIEXEC.EXE
Token: SeSecurityPrivilege	332	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	332	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	332	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	332	MSIEXEC.EXE
Token: SeSystemtimePrivilege	332	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	332	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	332	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	332	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	332	MSIEXEC.EXE
Token: SeBackupPrivilege	332	MSIEXEC.EXE
Token: SeRestorePrivilege	332	MSIEXEC.EXE
Token: SeShutdownPrivilege	332	MSIEXEC.EXE
Token: SeDebugPrivilege	332	MSIEXEC.EXE
Token: SeAuditPrivilege	332	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	332	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	332	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	332	MSIEXEC.EXE
Token: SeUndockPrivilege	332	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	332	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	332	MSIEXEC.EXE
Token: SeManageVolumePrivilege	332	MSIEXEC.EXE
Token: SeImpersonatePrivilege	332	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	332	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	332	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	332	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	332	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	332	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	332	MSIEXEC.EXE
Token: SeTcbPrivilege	332	MSIEXEC.EXE
Token: SeSecurityPrivilege	332	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	332	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	332	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	332	MSIEXEC.EXE
Token: SeSystemtimePrivilege	332	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	332	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	332	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	332	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	332	MSIEXEC.EXE
Token: SeBackupPrivilege	332	MSIEXEC.EXE
Token: SeRestorePrivilege	332	MSIEXEC.EXE
Token: SeShutdownPrivilege	332	MSIEXEC.EXE
Token: SeDebugPrivilege	332	MSIEXEC.EXE
Token: SeAuditPrivilege	332	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	332	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	332	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	332	MSIEXEC.EXE
Token: SeUndockPrivilege	332	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	332	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	332	MSIEXEC.EXE
Token: SeManageVolumePrivilege	332	MSIEXEC.EXE
Token: SeImpersonatePrivilege	332	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	332	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	332	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	332	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	332	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
332	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 4296	3172	FireDaemon-Pro-x86-4.0.68.exe	83
PID 3172 wrote to memory of 4296	3172	FireDaemon-Pro-x86-4.0.68.exe	83
PID 3172 wrote to memory of 4296	3172	FireDaemon-Pro-x86-4.0.68.exe	83
PID 4296 wrote to memory of 332	4296	FireDaemon-Pro-x86-4.0.68.exe	85
PID 4296 wrote to memory of 332	4296	FireDaemon-Pro-x86-4.0.68.exe	85
PID 4296 wrote to memory of 332	4296	FireDaemon-Pro-x86-4.0.68.exe	85
PID 2796 wrote to memory of 2980	2796	msiexec.exe	92
PID 2796 wrote to memory of 2980	2796	msiexec.exe	92
PID 2796 wrote to memory of 2980	2796	msiexec.exe	92

C:\Users\Admin\AppData\Local\Temp\FireDaemonPro.4.0.6\FireDaemon-Pro-x86-4.0.68.exe
"C:\Users\Admin\AppData\Local\Temp\FireDaemonPro.4.0.6\FireDaemon-Pro-x86-4.0.68.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\{2CAEE9DF-5DB5-4EA1-ABD7-567A8B322202}\FireDaemon-Pro-x86-4.0.68.exe
  C:\Users\Admin\AppData\Local\Temp\{2CAEE9DF-5DB5-4EA1-ABD7-567A8B322202}\FireDaemon-Pro-x86-4.0.68.exe /q"C:\Users\Admin\AppData\Local\Temp\FireDaemonPro.4.0.6\FireDaemon-Pro-x86-4.0.68.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{2CAEE9DF-5DB5-4EA1-ABD7-567A8B322202}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{2CAEE9DF-5DB5-4EA1-ABD7-567A8B322202}\FireDaemon-Pro-x86-4.0.68.msi" FULLPACKAGE=1 SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\FireDaemonPro.4.0.6" SETUPEXENAME="FireDaemon-Pro-x86-4.0.68.exe"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:332

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B6274EAF3BB39729F3FB161AC5973830 C
  2⤵
  - Loads dropped DLL
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI679E.tmp

Filesize
165KB

MD5
b4404fbe8e2dff187b143c88da903c82

SHA1
6c5117d6ac6a88401363c41403fffb7f96a3319d

SHA256
d64807070c6b57700ecaaef8d0fdf6637f348dc2dc6aa49db65ed578d054f906

SHA512
44e6c18bf7b7f431af17c44e8a1d6f1f89cabdf449b4f0937862a44583a237605ab3035937689409fbd063126a51b83e77ba334c01ddcf4cd5c17f33ec9e5c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI679E.tmp

Filesize
165KB

MD5
b4404fbe8e2dff187b143c88da903c82

SHA1
6c5117d6ac6a88401363c41403fffb7f96a3319d

SHA256
d64807070c6b57700ecaaef8d0fdf6637f348dc2dc6aa49db65ed578d054f906

SHA512
44e6c18bf7b7f431af17c44e8a1d6f1f89cabdf449b4f0937862a44583a237605ab3035937689409fbd063126a51b83e77ba334c01ddcf4cd5c17f33ec9e5c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss15D7.tmp

Filesize
2.5MB

MD5
35bf126dfeafd3c92b1288bd9e777c63

SHA1
3996e4594a715a9223f5aff2e8eaa1cdc99a0e6d

SHA256
68b7b7bc28d6613f4061feb7ce5c5b41152bf8c3cdee88ce9a9c601efbcffed8

SHA512
a1e92d47a9fd4650093a1c6e9de8242e6c830cd4718adbc78ca3fef69ed2772e1e25eacc02669a3e0bb4c0a4b0ae803c023ea91fed9a2325acfa8a3b85f6c39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2CAEE9DF-5DB5-4EA1-ABD7-567A8B322202}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2CAEE9DF-5DB5-4EA1-ABD7-567A8B322202}\FireDaemon-Pro-x86-4.0.68.exe

Filesize
31.7MB

MD5
820d7ee9fbab8a864df2d49944a158ba

SHA1
a0dbd4e2ed8124bf9003c428a2529365f2260ad4

SHA256
971df80e6831a2c4619b70f35b5c8ff99f1986fbcf5f447a374642540c4b1395

SHA512
8d006c17f645bca4769d3f9fb7776a49b8a63739f9303cdfb03c07aa2430d24426f0560c17f4b48094a42f32d8b209cfaee8ba2b2b16bd70e3888609d6d702b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2CAEE9DF-5DB5-4EA1-ABD7-567A8B322202}\FireDaemon-Pro-x86-4.0.68.exe

Filesize
31.7MB

MD5
820d7ee9fbab8a864df2d49944a158ba

SHA1
a0dbd4e2ed8124bf9003c428a2529365f2260ad4

SHA256
971df80e6831a2c4619b70f35b5c8ff99f1986fbcf5f447a374642540c4b1395

SHA512
8d006c17f645bca4769d3f9fb7776a49b8a63739f9303cdfb03c07aa2430d24426f0560c17f4b48094a42f32d8b209cfaee8ba2b2b16bd70e3888609d6d702b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2CAEE9DF-5DB5-4EA1-ABD7-567A8B322202}\FireDaemon-Pro-x86-4.0.68.msi

Filesize
18.0MB

MD5
df42d280a418c1381ba7e62836232b8f

SHA1
33eb4e5ae7764815a361c493b7b99dc7ae037430

SHA256
cae04ced4ea438d6ec0e674f4ff7e34fd6eb942f6efd4e1901eee0747f855074

SHA512
12c8efa4b26e414a8515c24d0dd860baeb950a581de1abd94fe26e8a2c89c2828fa22c3e7698bca255b42f02836cbc1956b385a15f43ccd7d7bc974c1d0fad8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2CAEE9DF-5DB5-4EA1-ABD7-567A8B322202}\_ISMSIDEL.INI

Filesize
672B

MD5
a45c7bc44d7ae37d5bf9acfe4034c85c

SHA1
ebeaa855a9c3bf64ebb4835ffa99c65c31bade9b

SHA256
6134374eab877f2c931aef4816e616ccf5c1adbd4c46d2d8bec76a452d687ec7

SHA512
dc50e052bc3b68854f94e5fffb3b0184993e76de9f5e58b194202c3ad4712218114928173e9cec68c0515f60f702ecddba82c8d5c199bcae78a8574af93cefb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2CAEE9DF-5DB5-4EA1-ABD7-567A8B322202}\_ISMSIDEL.INI

Filesize
672B

MD5
a45c7bc44d7ae37d5bf9acfe4034c85c

SHA1
ebeaa855a9c3bf64ebb4835ffa99c65c31bade9b

SHA256
6134374eab877f2c931aef4816e616ccf5c1adbd4c46d2d8bec76a452d687ec7

SHA512
dc50e052bc3b68854f94e5fffb3b0184993e76de9f5e58b194202c3ad4712218114928173e9cec68c0515f60f702ecddba82c8d5c199bcae78a8574af93cefb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~26E.tmp

Filesize
5KB

MD5
f4420f59c6351c602d96fb83c7c3cdaa

SHA1
cc6ecb16ef9923b6606ba1321246d601c54dc071

SHA256
0b96961a30aa872d0643eede003d3b7270248e0d286303ffa67e90685cc0be7e

SHA512
ab3f64ab8edefb4926d7e8a1d5c81652655aaf2c0c94ac6421f3b9f9343542854932d48827a778f36366674bc1d99b265f8c3dfdf3fd72de0332007a94214b8c

Download Submit