Overview
overview
7Static
static
3SETUP.bat
windows7-x64
7SETUP.bat
windows10-2004-x64
6UPGRADE.bat
windows7-x64
1UPGRADE.bat
windows10-2004-x64
1postgresql...nt.msi
windows7-x64
7postgresql...nt.msi
windows10-2004-x64
7postgresql-8.3.msi
windows7-x64
7postgresql-8.3.msi
windows10-2004-x64
7vcredist_x86.exe
windows7-x64
7vcredist_x86.exe
windows10-2004-x64
7Analysis
-
max time kernel
122s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
07-11-2023 13:52
Static task
static1
Behavioral task
behavioral1
Sample
SETUP.bat
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral2
Sample
SETUP.bat
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
UPGRADE.bat
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral4
Sample
UPGRADE.bat
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
postgresql-8.3-int.msi
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral6
Sample
postgresql-8.3-int.msi
Resource
win10v2004-20231025-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
postgresql-8.3.msi
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral8
Sample
postgresql-8.3.msi
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
vcredist_x86.exe
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral10
Sample
vcredist_x86.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
General
-
Target
postgresql-8.3-int.msi
-
Size
23.7MB
-
MD5
6895639289dbb80a54aaf18bd2645a5d
-
SHA1
c51787c36d18db59d8931ac87d24f5aba1aa5adf
-
SHA256
e302da9f3e935abc408be595cd465a715c2e67aab5ce74db4703a85d28f7bf32
-
SHA512
ac08b6944f2f13e0ca6002e4da355899ef3393e964479fe9812a0e013ae2325b0f3abd7b57e21f698f63a0c3ad0f80e9d0d34b77436beec477004391ec0b87a4
-
SSDEEP
393216:KJ3blEW0Tglk+7PtfX0wrT5+N14qgufgZxL5hTYiqJg/R5e702Br+X4y7uptLxsG:i3uvgfPCwh1qgukxwi355ef42tLCG
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 3044 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1952 msiexec.exe Token: SeIncreaseQuotaPrivilege 1952 msiexec.exe Token: SeRestorePrivilege 1720 msiexec.exe Token: SeTakeOwnershipPrivilege 1720 msiexec.exe Token: SeSecurityPrivilege 1720 msiexec.exe Token: SeCreateTokenPrivilege 1952 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1952 msiexec.exe Token: SeLockMemoryPrivilege 1952 msiexec.exe Token: SeIncreaseQuotaPrivilege 1952 msiexec.exe Token: SeMachineAccountPrivilege 1952 msiexec.exe Token: SeTcbPrivilege 1952 msiexec.exe Token: SeSecurityPrivilege 1952 msiexec.exe Token: SeTakeOwnershipPrivilege 1952 msiexec.exe Token: SeLoadDriverPrivilege 1952 msiexec.exe Token: SeSystemProfilePrivilege 1952 msiexec.exe Token: SeSystemtimePrivilege 1952 msiexec.exe Token: SeProfSingleProcessPrivilege 1952 msiexec.exe Token: SeIncBasePriorityPrivilege 1952 msiexec.exe Token: SeCreatePagefilePrivilege 1952 msiexec.exe Token: SeCreatePermanentPrivilege 1952 msiexec.exe Token: SeBackupPrivilege 1952 msiexec.exe Token: SeRestorePrivilege 1952 msiexec.exe Token: SeShutdownPrivilege 1952 msiexec.exe Token: SeDebugPrivilege 1952 msiexec.exe Token: SeAuditPrivilege 1952 msiexec.exe Token: SeSystemEnvironmentPrivilege 1952 msiexec.exe Token: SeChangeNotifyPrivilege 1952 msiexec.exe Token: SeRemoteShutdownPrivilege 1952 msiexec.exe Token: SeUndockPrivilege 1952 msiexec.exe Token: SeSyncAgentPrivilege 1952 msiexec.exe Token: SeEnableDelegationPrivilege 1952 msiexec.exe Token: SeManageVolumePrivilege 1952 msiexec.exe Token: SeImpersonatePrivilege 1952 msiexec.exe Token: SeCreateGlobalPrivilege 1952 msiexec.exe Token: SeCreateTokenPrivilege 1952 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1952 msiexec.exe Token: SeLockMemoryPrivilege 1952 msiexec.exe Token: SeIncreaseQuotaPrivilege 1952 msiexec.exe Token: SeMachineAccountPrivilege 1952 msiexec.exe Token: SeTcbPrivilege 1952 msiexec.exe Token: SeSecurityPrivilege 1952 msiexec.exe Token: SeTakeOwnershipPrivilege 1952 msiexec.exe Token: SeLoadDriverPrivilege 1952 msiexec.exe Token: SeSystemProfilePrivilege 1952 msiexec.exe Token: SeSystemtimePrivilege 1952 msiexec.exe Token: SeProfSingleProcessPrivilege 1952 msiexec.exe Token: SeIncBasePriorityPrivilege 1952 msiexec.exe Token: SeCreatePagefilePrivilege 1952 msiexec.exe Token: SeCreatePermanentPrivilege 1952 msiexec.exe Token: SeBackupPrivilege 1952 msiexec.exe Token: SeRestorePrivilege 1952 msiexec.exe Token: SeShutdownPrivilege 1952 msiexec.exe Token: SeDebugPrivilege 1952 msiexec.exe Token: SeAuditPrivilege 1952 msiexec.exe Token: SeSystemEnvironmentPrivilege 1952 msiexec.exe Token: SeChangeNotifyPrivilege 1952 msiexec.exe Token: SeRemoteShutdownPrivilege 1952 msiexec.exe Token: SeUndockPrivilege 1952 msiexec.exe Token: SeSyncAgentPrivilege 1952 msiexec.exe Token: SeEnableDelegationPrivilege 1952 msiexec.exe Token: SeManageVolumePrivilege 1952 msiexec.exe Token: SeImpersonatePrivilege 1952 msiexec.exe Token: SeCreateGlobalPrivilege 1952 msiexec.exe Token: SeCreateTokenPrivilege 1952 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1952 msiexec.exe 1952 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1720 wrote to memory of 3044 1720 msiexec.exe 29 PID 1720 wrote to memory of 3044 1720 msiexec.exe 29 PID 1720 wrote to memory of 3044 1720 msiexec.exe 29 PID 1720 wrote to memory of 3044 1720 msiexec.exe 29 PID 1720 wrote to memory of 3044 1720 msiexec.exe 29 PID 1720 wrote to memory of 3044 1720 msiexec.exe 29 PID 1720 wrote to memory of 3044 1720 msiexec.exe 29
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\postgresql-8.3-int.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1952
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B1D7B64D9131BB544E033424E9470F32 C2⤵
- Loads dropped DLL
PID:3044
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
348KB
MD57aa255989b56a1e6ef971b75b493ee6f
SHA1a6aedc71e0081d89bec5e3b2916ca0c03cf82da9
SHA2569bc272ca2398321f0ea818b3e8a02f8c331716e59b2c048db139d766869ac807
SHA512cd2cbf985c6ea5b837a7c3db706a50b3f7ccf526734990f2697ec76f331822bfb52d3b92b8dd34eb05eaa3f2883523b8b6c53c668ec5860f2fb70f2c7fc30d4a
-
Filesize
348KB
MD57aa255989b56a1e6ef971b75b493ee6f
SHA1a6aedc71e0081d89bec5e3b2916ca0c03cf82da9
SHA2569bc272ca2398321f0ea818b3e8a02f8c331716e59b2c048db139d766869ac807
SHA512cd2cbf985c6ea5b837a7c3db706a50b3f7ccf526734990f2697ec76f331822bfb52d3b92b8dd34eb05eaa3f2883523b8b6c53c668ec5860f2fb70f2c7fc30d4a