Analysis

Max time kernel: 150s
Max time network: 155s
Platform: windows7_x64
Resource: win7-20231020-en
Resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
Submitted: 23/10/2023, 04:03
Static task: static1
Behavioral task: behavioral1 (sample TGSetup.msi, resource win7-20231020-en)
Behavioral task: behavioral2 (sample TGSetup.msi, resource win10-20231020-en)
Behavioral task: behavioral3 (sample TGSetup.msi, resource win10v2004-20231020-en)
General

Target: TGSetup.msi
Size: 37.3MB
MD5: a2bf86357fa871600abe9e011ba94008
SHA1: ba0c977df82ea3b008106e15cfbac9ad2bab2dcd
SHA256: 0efb729f2661f2e187d9819210a44b8b29906a902ec6b8c31b0f553e6d206bce
SHA512: d831446866c6027d028325665ea56e97c1c01daf670ba2f797997f540941cd5d4babe8373c3165d5ac56fdbe7bf5643f926ad155e5be0f81f915a04f48e6f338
SSDEEP: 786432:kvkRSdH4qrxuszvcNEyvDizwAfHXlv6nC2nBl0pZm0PeJ/pyPO:pRQH4qrxJzvEE3wAfVCBlmZ8M
Malware Config

Signatures
Executes dropped EXE (1 IoC)

| pid | Process |
| --- | --- |
| 852 | 5.exe |

YARA rule matches (3 resources)

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x0006000000015cc2-36.dat | upx |
| behavioral1/memory/852-38-0x0000000000400000-0x000000000059E000-memory.dmp | upx |
| behavioral1/memory/852-46-0x0000000000400000-0x000000000059E000-memory.dmp | upx |
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\G: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\G: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
Drops file in Program Files directory (20 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files\T中文版\T中文版\tdata\D877F783D5D3EF8Cs | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\1831DD508716C0FEs | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\419BBA3C1F4CD6FBs | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\F8806DD0C461824Fs | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\usertag | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\39FF0766F494A425s | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\prefix | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\countries | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\IDI_ICON1.ico | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\TG.exe | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\shortcuts-default.json | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tupdates\tupdate3007003 | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\A7FDF864FBC10B77s | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\61FD8CAF305801BFs | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\A3FE900CEFFAD4BAs | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\5.exe | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\B9183FBBE5D5BB42s | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\key_datas | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\shortcuts-custom.json | msiexec.exe |
| File created | C:\Program Files\T中文版\T中文版\tdata\settingss | msiexec.exe |
Drops file in Windows directory (9 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\Installer\f778085.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\ | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI82B7.tmp | msiexec.exe |
| File created | C:\Windows\Installer\f778088.msi | msiexec.exe |
| File created | C:\Windows\Installer\f778086.ipi | msiexec.exe |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe |
| File opened for modification | C:\Windows\Installer\f778085.msi | msiexec.exe |
Modifies data under HKEY_USERS (43 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe |
Suspicious behavior: EnumeratesProcesses (3 IoCs)

| pid | Process |
| --- | --- |
| 1680 | msiexec.exe |
| 1680 | msiexec.exe |
| 852 | 5.exe |

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

| pid | Process |
| --- | --- |
| 2064 | msiexec.exe |
Suspicious use of AdjustPrivilegeToken (64 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeShutdownPrivilege | 2064 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 2064 | msiexec.exe |
| Token: SeRestorePrivilege | 1680 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe |
| Token: SeSecurityPrivilege | 1680 | msiexec.exe |
| Token: SeCreateTokenPrivilege | 2064 | msiexec.exe |
| Token: SeAssignPrimaryTokenPrivilege | 2064 | msiexec.exe |
| Token: SeLockMemoryPrivilege | 2064 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 2064 | msiexec.exe |
| Token: SeMachineAccountPrivilege | 2064 | msiexec.exe |
| Token: SeTcbPrivilege | 2064 | msiexec.exe |
| Token: SeSecurityPrivilege | 2064 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe |
| Token: SeLoadDriverPrivilege | 2064 | msiexec.exe |
| Token: SeSystemProfilePrivilege | 2064 | msiexec.exe |
| Token: SeSystemtimePrivilege | 2064 | msiexec.exe |
| Token: SeProfSingleProcessPrivilege | 2064 | msiexec.exe |
| Token: SeIncBasePriorityPrivilege | 2064 | msiexec.exe |
| Token: SeCreatePagefilePrivilege | 2064 | msiexec.exe |
| Token: SeCreatePermanentPrivilege | 2064 | msiexec.exe |
| Token: SeBackupPrivilege | 2064 | msiexec.exe |
| Token: SeRestorePrivilege | 2064 | msiexec.exe |
| Token: SeShutdownPrivilege | 2064 | msiexec.exe |
| Token: SeDebugPrivilege | 2064 | msiexec.exe |
| Token: SeAuditPrivilege | 2064 | msiexec.exe |
| Token: SeSystemEnvironmentPrivilege | 2064 | msiexec.exe |
| Token: SeChangeNotifyPrivilege | 2064 | msiexec.exe |
| Token: SeRemoteShutdownPrivilege | 2064 | msiexec.exe |
| Token: SeUndockPrivilege | 2064 | msiexec.exe |
| Token: SeSyncAgentPrivilege | 2064 | msiexec.exe |
| Token: SeEnableDelegationPrivilege | 2064 | msiexec.exe |
| Token: SeManageVolumePrivilege | 2064 | msiexec.exe |
| Token: SeImpersonatePrivilege | 2064 | msiexec.exe |
| Token: SeCreateGlobalPrivilege | 2064 | msiexec.exe |
| Token: SeBackupPrivilege | 2716 | vssvc.exe |
| Token: SeRestorePrivilege | 2716 | vssvc.exe |
| Token: SeAuditPrivilege | 2716 | vssvc.exe |
| Token: SeBackupPrivilege | 1680 | msiexec.exe |
| Token: SeRestorePrivilege | 1680 | msiexec.exe |
| Token: SeRestorePrivilege | 2504 | DrvInst.exe |
| Token: SeRestorePrivilege | 2504 | DrvInst.exe |
| Token: SeRestorePrivilege | 2504 | DrvInst.exe |
| Token: SeRestorePrivilege | 2504 | DrvInst.exe |
| Token: SeRestorePrivilege | 2504 | DrvInst.exe |
| Token: SeRestorePrivilege | 2504 | DrvInst.exe |
| Token: SeRestorePrivilege | 2504 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 2504 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 2504 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 2504 | DrvInst.exe |
| Token: SeRestorePrivilege | 1680 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe |
| Token: SeRestorePrivilege | 1680 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe |
| Token: SeRestorePrivilege | 1680 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe |
| Token: SeRestorePrivilege | 1680 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe |
| Token: SeRestorePrivilege | 1680 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe |
| Token: SeRestorePrivilege | 1680 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe |
| Token: SeRestorePrivilege | 1680 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe |
| Token: SeRestorePrivilege | 1680 | msiexec.exe |
Suspicious use of FindShellTrayWindow (1 IoC)

| pid | Process |
| --- | --- |
| 2064 | msiexec.exe |

Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
| --- | --- |
| 852 | 5.exe |
| 852 | 5.exe |

Suspicious use of WriteProcessMemory (4 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1680 wrote to memory of 852 | 1680 | msiexec.exe | 34 |
| PID 1680 wrote to memory of 852 | 1680 | msiexec.exe | 34 |
| PID 1680 wrote to memory of 852 | 1680 | msiexec.exe | 34 |
| PID 1680 wrote to memory of 852 | 1680 | msiexec.exe | 34 |
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Windows\system32\msiexec.exe (PID 2064, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TGSetup.msi
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 1680, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Program Files\T中文版\T中文版\5.exe (PID 852, depth 2, child of PID 1680)
    Command line: "C:\Program Files\T中文版\T中文版\5.exe" /Commit
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\vssvc.exe (PID 2716, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\DrvInst.exe (PID 2504, depth 1)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000057C" "0000000000000498"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Download (path not listed)
Filesize: 1.2MB
MD5: 03b6047e1cae3c09193454b45db5525a
SHA1: a5185080807fafca2c9840b1b16666b559d720a2
SHA256: baa0af581aa4ca54db977c8268c827bff4986be809ff4cbf224fb0e4a7c20bf8
SHA512: 49cffbdf09b7e7c92fb1de7c0f677472fd11b5e759341c73c91ac83ccca632a547a7e76585cf9e9f317e846c9dd38dd27ef4d792019dfe51cbf9190dc4fe4627

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7NWSSREY\UZW1J2PQ.htm
Filesize: 390KB
MD5: c4935d99068dc068e9517ec606ff1526
SHA1: b9924aa5a810158a1ab75af689375f4a4f923ecf
SHA256: 48410b26c39854720a28712852d4f779d52b960a2cda9776fb4a74a927497711
SHA512: 32bd25c424d4c750c58bbe8974cca7f4bf0dee8a4d47bc5a8e1df3b619d4cea705638f5e2203a59721306570f71135bed78894c402e1d17c39d165bb7d94e653