fe6b3f3d68776b2be6555eb82565c948b64a8ab9b9b566e5a6fa34c33eb190d7

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 14:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe
Size

17.2MB
MD5

3a431ad03ffe53aa02fea1a7a168330f
SHA1

9f3d6cf63b5fc071591291720d49d78afa9e14fe
SHA256

4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b
SHA512

1b77ee1df34f5c84fcbe8dbb0c8785ac47188cd2b87e9ed9956278c3b47056aa8b2c89ac940a9915d789337192e943c3795f6170429ea201107b9acf94efcff9
SSDEEP

393216:sYs7hvMmW5HiLg9999999a6WI6jV9ALHeBbMDbqP49yMK4FLwGtq4nQLpI:Ahv7WNi89999999aFRjV9AzKbMXyMKW1

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1176	bootstrap.exe

Loads dropped DLL 4 IoCs

pid	Process
1948	4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe
1176	bootstrap.exe
2580	MsiExec.exe
2580	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	bootstrap.exe
File opened (read-only)	\??\M:	bootstrap.exe
File opened (read-only)	\??\N:	bootstrap.exe
File opened (read-only)	\??\Q:	bootstrap.exe
File opened (read-only)	\??\Z:	bootstrap.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	bootstrap.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	bootstrap.exe
File opened (read-only)	\??\T:	bootstrap.exe
File opened (read-only)	\??\U:	bootstrap.exe
File opened (read-only)	\??\Y:	bootstrap.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	bootstrap.exe
File opened (read-only)	\??\E:	bootstrap.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	bootstrap.exe
File opened (read-only)	\??\R:	bootstrap.exe
File opened (read-only)	\??\V:	bootstrap.exe
File opened (read-only)	\??\X:	bootstrap.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	bootstrap.exe
File opened (read-only)	\??\H:	bootstrap.exe
File opened (read-only)	\??\I:	bootstrap.exe
File opened (read-only)	\??\J:	bootstrap.exe
File opened (read-only)	\??\S:	bootstrap.exe
File opened (read-only)	\??\W:	bootstrap.exe
File opened (read-only)	\??\P:	bootstrap.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1176	bootstrap.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1176	bootstrap.exe
Token: SeIncreaseQuotaPrivilege	1176	bootstrap.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeSecurityPrivilege	2200	msiexec.exe
Token: SeCreateTokenPrivilege	1176	bootstrap.exe
Token: SeAssignPrimaryTokenPrivilege	1176	bootstrap.exe
Token: SeLockMemoryPrivilege	1176	bootstrap.exe
Token: SeIncreaseQuotaPrivilege	1176	bootstrap.exe
Token: SeMachineAccountPrivilege	1176	bootstrap.exe
Token: SeTcbPrivilege	1176	bootstrap.exe
Token: SeSecurityPrivilege	1176	bootstrap.exe
Token: SeTakeOwnershipPrivilege	1176	bootstrap.exe
Token: SeLoadDriverPrivilege	1176	bootstrap.exe
Token: SeSystemProfilePrivilege	1176	bootstrap.exe
Token: SeSystemtimePrivilege	1176	bootstrap.exe
Token: SeProfSingleProcessPrivilege	1176	bootstrap.exe
Token: SeIncBasePriorityPrivilege	1176	bootstrap.exe
Token: SeCreatePagefilePrivilege	1176	bootstrap.exe
Token: SeCreatePermanentPrivilege	1176	bootstrap.exe
Token: SeBackupPrivilege	1176	bootstrap.exe
Token: SeRestorePrivilege	1176	bootstrap.exe
Token: SeShutdownPrivilege	1176	bootstrap.exe
Token: SeDebugPrivilege	1176	bootstrap.exe
Token: SeAuditPrivilege	1176	bootstrap.exe
Token: SeSystemEnvironmentPrivilege	1176	bootstrap.exe
Token: SeChangeNotifyPrivilege	1176	bootstrap.exe
Token: SeRemoteShutdownPrivilege	1176	bootstrap.exe
Token: SeUndockPrivilege	1176	bootstrap.exe
Token: SeSyncAgentPrivilege	1176	bootstrap.exe
Token: SeEnableDelegationPrivilege	1176	bootstrap.exe
Token: SeManageVolumePrivilege	1176	bootstrap.exe
Token: SeImpersonatePrivilege	1176	bootstrap.exe
Token: SeCreateGlobalPrivilege	1176	bootstrap.exe
Token: SeCreateTokenPrivilege	1176	bootstrap.exe
Token: SeAssignPrimaryTokenPrivilege	1176	bootstrap.exe
Token: SeLockMemoryPrivilege	1176	bootstrap.exe
Token: SeIncreaseQuotaPrivilege	1176	bootstrap.exe
Token: SeMachineAccountPrivilege	1176	bootstrap.exe
Token: SeTcbPrivilege	1176	bootstrap.exe
Token: SeSecurityPrivilege	1176	bootstrap.exe
Token: SeTakeOwnershipPrivilege	1176	bootstrap.exe
Token: SeLoadDriverPrivilege	1176	bootstrap.exe
Token: SeSystemProfilePrivilege	1176	bootstrap.exe
Token: SeSystemtimePrivilege	1176	bootstrap.exe
Token: SeProfSingleProcessPrivilege	1176	bootstrap.exe
Token: SeIncBasePriorityPrivilege	1176	bootstrap.exe
Token: SeCreatePagefilePrivilege	1176	bootstrap.exe
Token: SeCreatePermanentPrivilege	1176	bootstrap.exe
Token: SeBackupPrivilege	1176	bootstrap.exe
Token: SeRestorePrivilege	1176	bootstrap.exe
Token: SeShutdownPrivilege	1176	bootstrap.exe
Token: SeDebugPrivilege	1176	bootstrap.exe
Token: SeAuditPrivilege	1176	bootstrap.exe
Token: SeSystemEnvironmentPrivilege	1176	bootstrap.exe
Token: SeChangeNotifyPrivilege	1176	bootstrap.exe
Token: SeRemoteShutdownPrivilege	1176	bootstrap.exe
Token: SeUndockPrivilege	1176	bootstrap.exe
Token: SeSyncAgentPrivilege	1176	bootstrap.exe
Token: SeEnableDelegationPrivilege	1176	bootstrap.exe
Token: SeManageVolumePrivilege	1176	bootstrap.exe
Token: SeImpersonatePrivilege	1176	bootstrap.exe
Token: SeCreateGlobalPrivilege	1176	bootstrap.exe
Token: SeCreateTokenPrivilege	1176	bootstrap.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1176	bootstrap.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1176	1948	4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe	28
PID 1948 wrote to memory of 1176	1948	4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe	28
PID 1948 wrote to memory of 1176	1948	4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe	28
PID 1948 wrote to memory of 1176	1948	4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe	28
PID 1948 wrote to memory of 1176	1948	4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe	28
PID 1948 wrote to memory of 1176	1948	4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe	28
PID 1948 wrote to memory of 1176	1948	4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe	28
PID 2200 wrote to memory of 2580	2200	msiexec.exe	32
PID 2200 wrote to memory of 2580	2200	msiexec.exe	32
PID 2200 wrote to memory of 2580	2200	msiexec.exe	32
PID 2200 wrote to memory of 2580	2200	msiexec.exe	32
PID 2200 wrote to memory of 2580	2200	msiexec.exe	32
PID 2200 wrote to memory of 2580	2200	msiexec.exe	32
PID 2200 wrote to memory of 2580	2200	msiexec.exe	32

C:\Users\Admin\AppData\Local\Temp\4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe
"C:\Users\Admin\AppData\Local\Temp\4f0dda013891cb54e2bdbfc766b4815632acd8717e40834c284ff5f52e7c380b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.exe CSAD_MARKET=xx-xx
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1176

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57B22485C4C1990EE181CE0FD7D41CDC C
  2⤵
  - Loads dropped DLL
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MsnMsgs.Msi

Filesize
15.9MB

MD5
5d5c86e8314b2b51c3614cec454706d9

SHA1
9749a3a0a7aeeec91d66a1d45a08eeb588bc93dc

SHA256
02fa57cd166ed728e45b27210a945d2a21cf43c2d79641dd83bac3390493ac5f

SHA512
b98591843bb2092888a6be6a1821091ff2a05559f6fabd9ead9a1db05bf79726caa875a59fc02704e8b7695cc2cda968dc7db3e9a7818dec646469d7cf20e93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.dll

Filesize
66KB

MD5
db052a2dca5a30e03b5f09112df7f54a

SHA1
2f4265bd26977b06a17846891206946e9c11cf04

SHA256
580cce29b501521c942750b9360307cd4781dd998e78055d222e2d29e470def7

SHA512
c7c85a1d1558f90ae4d69a76e04339c8bb8dfea3f923545983fe725ba628ee8f2cda8fc14d4e65ab9d872c82e1430977bf0dcc8f32d2fd4b431f01d0663bc4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.exe

Filesize
69KB

MD5
e8dfa3a47a398d492bf8c8394ca32a33

SHA1
4067c3c3da6a4a5df3d41e70e857bd20c243a673

SHA256
314a110e1c400685396c9b20ad1c55e6be1a9e92b10bacc620d3fa6ef8f65235

SHA512
f8dc2b90202eaf02de0170cd7acb9ae06f1dd537abdd9aa33c9fc9e1cbccd7071a47a766e292018cacf456431f4d330f4fa269dbcf52b5242d1341dcd875f698

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF6FE.tmp

Filesize
118KB

MD5
62511aa3698b878de9b2c2606e011b15

SHA1
63f435dcc46c9c3d1748a5432c602ace91c9362a

SHA256
29f7ee527226de4698c63aa1fe0d6f55ff6e38cb5b3e6dcd9b7bc6458c3251ad

SHA512
5b78f9f6500cca59891c4802460eb9c667cdde29e6b2443de8178e7bacc936be08ebaf0d5081f5a05db0a588979b3b5db6947ff67a19a34200d4548c02ea9a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF856.tmp

Filesize
118KB

MD5
62511aa3698b878de9b2c2606e011b15

SHA1
63f435dcc46c9c3d1748a5432c602ace91c9362a

SHA256
29f7ee527226de4698c63aa1fe0d6f55ff6e38cb5b3e6dcd9b7bc6458c3251ad

SHA512
5b78f9f6500cca59891c4802460eb9c667cdde29e6b2443de8178e7bacc936be08ebaf0d5081f5a05db0a588979b3b5db6947ff67a19a34200d4548c02ea9a44

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.dll

Filesize
66KB

MD5
db052a2dca5a30e03b5f09112df7f54a

SHA1
2f4265bd26977b06a17846891206946e9c11cf04

SHA256
580cce29b501521c942750b9360307cd4781dd998e78055d222e2d29e470def7

SHA512
c7c85a1d1558f90ae4d69a76e04339c8bb8dfea3f923545983fe725ba628ee8f2cda8fc14d4e65ab9d872c82e1430977bf0dcc8f32d2fd4b431f01d0663bc4a5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\bootstrap.exe

Filesize
69KB

MD5
e8dfa3a47a398d492bf8c8394ca32a33

SHA1
4067c3c3da6a4a5df3d41e70e857bd20c243a673

SHA256
314a110e1c400685396c9b20ad1c55e6be1a9e92b10bacc620d3fa6ef8f65235

SHA512
f8dc2b90202eaf02de0170cd7acb9ae06f1dd537abdd9aa33c9fc9e1cbccd7071a47a766e292018cacf456431f4d330f4fa269dbcf52b5242d1341dcd875f698

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF6FE.tmp

Filesize
118KB

MD5
62511aa3698b878de9b2c2606e011b15

SHA1
63f435dcc46c9c3d1748a5432c602ace91c9362a

SHA256
29f7ee527226de4698c63aa1fe0d6f55ff6e38cb5b3e6dcd9b7bc6458c3251ad

SHA512
5b78f9f6500cca59891c4802460eb9c667cdde29e6b2443de8178e7bacc936be08ebaf0d5081f5a05db0a588979b3b5db6947ff67a19a34200d4548c02ea9a44

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF856.tmp

Filesize
118KB

MD5
62511aa3698b878de9b2c2606e011b15

SHA1
63f435dcc46c9c3d1748a5432c602ace91c9362a

SHA256
29f7ee527226de4698c63aa1fe0d6f55ff6e38cb5b3e6dcd9b7bc6458c3251ad

SHA512
5b78f9f6500cca59891c4802460eb9c667cdde29e6b2443de8178e7bacc936be08ebaf0d5081f5a05db0a588979b3b5db6947ff67a19a34200d4548c02ea9a44

Download Submit
memory/1176-16-0x0000000000190000-0x00000000001A2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads