Analysis

max time kernel: 141s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-10-2023 04:16
Static task: static1
Behavioral task: behavioral1
  Sample: Crypto_VX7_v1.0_200302.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: Crypto_VX7_v1.0_200302.exe
  Resource: win10v2004-20230915-en
General

Target: Crypto_VX7_v1.0_200302.exe
Size: 7.2MB
MD5: 1d04b62a072a204163bd9472ebe33394
SHA1: 2d231d23592cec7c3dfa28536e8c0a92547e5358
SHA256: 165af580e207ec41b5c2b13dc23f31799f2d465e8fd515ed58905970093ff73f
SHA512: 3a7258786423a1a599a16e09f8808d53c61640379193d2960189d19e7a12ab37b30ff21abe3007bc8e5b116d9820b2358cb14f2667455f5cbb533aa6c04668ed
SSDEEP: 196608:Vlq+1NKtDNgOIv64EzrVhSbULzzxA/sSu1KKyqGX:ptv64EzrVhEw97S25+X
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description              ioc     Process
File opened (read-only)  \??\X:  MSIEXEC.EXE
File opened (read-only)  \??\Z:  MSIEXEC.EXE
File opened (read-only)  \??\J:  MSIEXEC.EXE
File opened (read-only)  \??\P:  MSIEXEC.EXE
File opened (read-only)  \??\S:  MSIEXEC.EXE
File opened (read-only)  \??\T:  MSIEXEC.EXE
File opened (read-only)  \??\W:  MSIEXEC.EXE
File opened (read-only)  \??\A:  MSIEXEC.EXE
File opened (read-only)  \??\H:  MSIEXEC.EXE
File opened (read-only)  \??\K:  MSIEXEC.EXE
File opened (read-only)  \??\O:  MSIEXEC.EXE
File opened (read-only)  \??\Q:  MSIEXEC.EXE
File opened (read-only)  \??\N:  MSIEXEC.EXE
File opened (read-only)  \??\U:  MSIEXEC.EXE
File opened (read-only)  \??\V:  MSIEXEC.EXE
File opened (read-only)  \??\B:  MSIEXEC.EXE
File opened (read-only)  \??\E:  MSIEXEC.EXE
File opened (read-only)  \??\G:  MSIEXEC.EXE
File opened (read-only)  \??\I:  MSIEXEC.EXE
File opened (read-only)  \??\M:  MSIEXEC.EXE
File opened (read-only)  \??\Y:  MSIEXEC.EXE
File opened (read-only)  \??\L:  MSIEXEC.EXE
File opened (read-only)  \??\R:  MSIEXEC.EXE
Suspicious use of AdjustPrivilegeToken (32 IoCs)

description                            pid   Process
Token: SeShutdownPrivilege             1816  MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege        1816  MSIEXEC.EXE
Token: SeSecurityPrivilege             948   msiexec.exe
Token: SeCreateTokenPrivilege          1816  MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege   1816  MSIEXEC.EXE
Token: SeLockMemoryPrivilege           1816  MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege        1816  MSIEXEC.EXE
Token: SeMachineAccountPrivilege       1816  MSIEXEC.EXE
Token: SeTcbPrivilege                  1816  MSIEXEC.EXE
Token: SeSecurityPrivilege             1816  MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege        1816  MSIEXEC.EXE
Token: SeLoadDriverPrivilege           1816  MSIEXEC.EXE
Token: SeSystemProfilePrivilege        1816  MSIEXEC.EXE
Token: SeSystemtimePrivilege           1816  MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege    1816  MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege      1816  MSIEXEC.EXE
Token: SeCreatePagefilePrivilege       1816  MSIEXEC.EXE
Token: SeCreatePermanentPrivilege      1816  MSIEXEC.EXE
Token: SeBackupPrivilege               1816  MSIEXEC.EXE
Token: SeRestorePrivilege              1816  MSIEXEC.EXE
Token: SeShutdownPrivilege             1816  MSIEXEC.EXE
Token: SeDebugPrivilege                1816  MSIEXEC.EXE
Token: SeAuditPrivilege                1816  MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege    1816  MSIEXEC.EXE
Token: SeChangeNotifyPrivilege         1816  MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege       1816  MSIEXEC.EXE
Token: SeUndockPrivilege               1816  MSIEXEC.EXE
Token: SeSyncAgentPrivilege            1816  MSIEXEC.EXE
Token: SeEnableDelegationPrivilege     1816  MSIEXEC.EXE
Token: SeManageVolumePrivilege         1816  MSIEXEC.EXE
Token: SeImpersonatePrivilege          1816  MSIEXEC.EXE
Token: SeCreateGlobalPrivilege         1816  MSIEXEC.EXE
Suspicious use of FindShellTrayWindow (1 IoC)

pid   Process
1816  MSIEXEC.EXE
Suspicious use of WriteProcessMemory (3 IoCs)

description                        pid   Process                     procid_target
PID 1644 wrote to memory of 1816   1644  Crypto_VX7_v1.0_200302.exe  92
PID 1644 wrote to memory of 1816   1644  Crypto_VX7_v1.0_200302.exe  92
PID 1644 wrote to memory of 1816   1644  Crypto_VX7_v1.0_200302.exe  92
Processes

C:\Users\Admin\AppData\Local\Temp\Crypto_VX7_v1.0_200302.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Crypto_VX7_v1.0_200302.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1644

  C:\Windows\SysWOW64\MSIEXEC.EXE
    Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{10761F84-6929-4CAB-BD49-BB55DD2D4215}\FANTECH VX7 Gaming Mouse.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Crypto_VX7_v1.0_200302.exe"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 1816

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 948
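Read the three behavioural signatures above against their baseline before drawing conclusions: the Windows Installer client enumerates drive roots and adjusts its token privileges on essentially every MSI install, and a parent process writing into a child it has just created is how CreateProcess sets the child up, so none of these hits separates a trojanised installer from a clean one on its own. What this report does give you to follow up is the process tree (the submitted .exe extracts an MSI into %TEMP%\{GUID}\ and hands it to msiexec /i with SETUPEXEDIR and SETUPEXENAME properties) and the dropped MSI's path and hashes in the Downloads section.

The following is an added example, not part of this report or of the sandbox that produced it: a Python parser for the flattened signature rows and the child MSIEXEC command line shown above, with those rows copied from this page as constructed input. It cross-checks the advertised IoC counts, lists which drive letters were not touched, reduces the WriteProcessMemory rows to parent-child edges, extracts the package path and SETUPEXEDIR/SETUPEXENAME properties from the msiexec command line, and tests whether the package lives under a %TEMP%\{GUID}\ directory. The regexes and function names are my own.

```python
"""Parse this report's flattened signature rows and the child MSIEXEC command
line into structured records, and cross-check the advertised IoC counts."""
import re
import string

# Constructed input: the "Enumerates connected drives" header and rows, copied
# from the report in the flattened form the page shows them in.
DRIVE_HEADER = "Enumerates connected drives 3 TTPs 23 IoCs"
DRIVE_ROWS = (
    "File opened (read-only) \\??\\X: MSIEXEC.EXE File opened (read-only) \\??\\Z: MSIEXEC.EXE "
    "File opened (read-only) \\??\\J: MSIEXEC.EXE File opened (read-only) \\??\\P: MSIEXEC.EXE "
    "File opened (read-only) \\??\\S: MSIEXEC.EXE File opened (read-only) \\??\\T: MSIEXEC.EXE "
    "File opened (read-only) \\??\\W: MSIEXEC.EXE File opened (read-only) \\??\\A: MSIEXEC.EXE "
    "File opened (read-only) \\??\\H: MSIEXEC.EXE File opened (read-only) \\??\\K: MSIEXEC.EXE "
    "File opened (read-only) \\??\\O: MSIEXEC.EXE File opened (read-only) \\??\\Q: MSIEXEC.EXE "
    "File opened (read-only) \\??\\N: MSIEXEC.EXE File opened (read-only) \\??\\U: MSIEXEC.EXE "
    "File opened (read-only) \\??\\V: MSIEXEC.EXE File opened (read-only) \\??\\B: MSIEXEC.EXE "
    "File opened (read-only) \\??\\E: MSIEXEC.EXE File opened (read-only) \\??\\G: MSIEXEC.EXE "
    "File opened (read-only) \\??\\I: MSIEXEC.EXE File opened (read-only) \\??\\M: MSIEXEC.EXE "
    "File opened (read-only) \\??\\Y: MSIEXEC.EXE File opened (read-only) \\??\\L: MSIEXEC.EXE "
    "File opened (read-only) \\??\\R: MSIEXEC.EXE"
)

# Constructed input: the "Suspicious use of WriteProcessMemory" header and rows.
WPM_HEADER = "Suspicious use of WriteProcessMemory 3 IoCs"
WPM_ROWS = (
    "PID 1644 wrote to memory of 1816 1644 Crypto_VX7_v1.0_200302.exe 92 "
    "PID 1644 wrote to memory of 1816 1644 Crypto_VX7_v1.0_200302.exe 92 "
    "PID 1644 wrote to memory of 1816 1644 Crypto_VX7_v1.0_200302.exe 92"
)

# Constructed input: the child MSIEXEC.EXE command line from the Processes section.
MSIEXEC_CMDLINE = (
    'MSIEXEC.EXE /i "C:\\Users\\Admin\\AppData\\Local\\Temp\\'
    '{10761F84-6929-4CAB-BD49-BB55DD2D4215}\\FANTECH VX7 Gaming Mouse.msi" '
    'SETUPEXEDIR="C:\\Users\\Admin\\AppData\\Local\\Temp" '
    'SETUPEXENAME="Crypto_VX7_v1.0_200302.exe"'
)

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
PROP_RE = re.compile(r'([A-Z_][A-Z0-9_]*)="([^"]*)"')
TEMP_GUID_RE = re.compile(
    r"\\Temp\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\", re.IGNORECASE
)


def advertised_ioc_count(header):
    """Return the N from an 'N IoCs' signature header."""
    return int(re.search(r"(\d+) IoCs", header).group(1))


def parse_drive_rows(text):
    """Return [(drive_letter, process), ...] from flattened drive-enumeration rows."""
    return DRIVE_RE.findall(text)


def drives_not_enumerated(rows):
    """Letters A-Z absent from the rows (C: is excluded by the signature's own
    definition; any others simply were not opened in this run)."""
    seen = {letter for letter, _ in rows}
    return sorted(set(string.ascii_uppercase) - seen)


def parse_wpm_rows(text):
    """Return [(writer_pid, target_pid, pid, process, procid_target), ...]."""
    return WPM_RE.findall(text)


def process_edges(rows):
    """Distinct (writer_pid, target_pid, writer_image) links, i.e. parent -> child."""
    return sorted({(w, t, img) for w, t, _, img, _ in rows})


def parse_msiexec_cmdline(cmdline):
    """Return (package_path, {PROPERTY: value}) from 'msiexec /i "<pkg>" PROP="val" ...'."""
    m = re.search(r'/i\s+"([^"]+)"', cmdline, re.IGNORECASE)
    package = m.group(1) if m else None
    return package, dict(PROP_RE.findall(cmdline))


def package_in_temp_guid_dir(package_path):
    """True when the package sits in %TEMP%\\{GUID}\\, the layout seen in this
    report where the .exe extracted its MSI before calling msiexec."""
    return bool(package_path) and TEMP_GUID_RE.search(package_path) is not None


def summarize():
    """Structured view of the report's signature rows and msiexec invocation."""
    drives = parse_drive_rows(DRIVE_ROWS)
    wpm = parse_wpm_rows(WPM_ROWS)
    package, props = parse_msiexec_cmdline(MSIEXEC_CMDLINE)
    return {
        "drive_count_matches_header": len(drives) == advertised_ioc_count(DRIVE_HEADER),
        "drives_not_enumerated": drives_not_enumerated(drives),
        "wpm_count_matches_header": len(wpm) == advertised_ioc_count(WPM_HEADER),
        "process_edges": process_edges(wpm),
        "package": package,
        "properties": props,
        "package_in_temp_guid_dir": package_in_temp_guid_dir(package),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The same pattern extends to the AdjustPrivilegeToken table (rows of the form `Token: <privilege> <pid> <process>`): grouping those by pid shows that every entry but one belongs to the client MSIEXEC.EXE (1816), with the lone SeSecurityPrivilege hit on 948, the `msiexec.exe /V` instance.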
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 21KB
MD5: 8586214463bd73e1c2716113e5bd3e13
SHA1: f02e3a76fd177964a846d4aa0a23f738178db2be
SHA256: 089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54
SHA512: 309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b

C:\Users\Admin\AppData\Local\Temp\{10761F84-6929-4CAB-BD49-BB55DD2D4215}\FANTECH VX7 Gaming Mouse.msi
Filesize: 6.6MB
MD5: dbe9abea1c5bd4f3facf9806978d0906
SHA1: a71f7378cab0e04ed763351fdafb4937ba4330ff
SHA256: 2f18b77cc2e3a104adde8fe607403c8a9235f09e82dda013946cbe39a2492a33
SHA512: 7d250a01edb1cfadde8165270f5a56b18f4412ecb2b7cf32b0490d42a7e15dc3bc3ba5380d2a589530952f957dd2fb00647901ffe2df1a32af58c2622c9abdf1

Filesize: 5KB
MD5: 546a8388639222ed70cb56ef794f5278
SHA1: c4af7b639e65d48b0b0a3c821ccddb8740b5d97e
SHA256: 9e6833db39623e42a7a905b884859f7f9f0cc6a880139ed23478e293fd51eb81
SHA512: c1c700c193df3f3d3352b129e4787f70d514a03b571c0e170c7ec4c1a91dd17870ab69c5346f534588f2c264f747accaa4c40e34c90bae9a4f44df247e3af0ef