f4b885c2f5dd9716d7d1a9f73754c5342d5998257c4c371cffde0fd8ab083b5d

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 11:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Mario AVP(setup).exe
Size

7.6MB
MD5

71f8dec2d649515d2975206096f5a4da
SHA1

3a9e1119061042479e637cb61b664b007dc73900
SHA256

f4b885c2f5dd9716d7d1a9f73754c5342d5998257c4c371cffde0fd8ab083b5d
SHA512

283b2ef6375de911ef113dee2b7fc840d89766acc8f0b0143dea06464ce630b5590d270e943f8f9bd91490f7d9776a299d7da5242303dd3b465da8d8fa500786
SSDEEP

196608:o7Yrh2ImiRm3sHOarRSwqmsoZbQIXA7LB:ZhpI3JarR6NoagY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3480	MsiExec.exe
3480	MsiExec.exe
3480	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Mario AVP(setup).exe
File opened (read-only)	\??\Z:	Mario AVP(setup).exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	Mario AVP(setup).exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	Mario AVP(setup).exe
File opened (read-only)	\??\V:	Mario AVP(setup).exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	Mario AVP(setup).exe
File opened (read-only)	\??\H:	Mario AVP(setup).exe
File opened (read-only)	\??\I:	Mario AVP(setup).exe
File opened (read-only)	\??\R:	Mario AVP(setup).exe
File opened (read-only)	\??\U:	Mario AVP(setup).exe
File opened (read-only)	\??\Y:	Mario AVP(setup).exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	Mario AVP(setup).exe
File opened (read-only)	\??\M:	Mario AVP(setup).exe
File opened (read-only)	\??\Q:	Mario AVP(setup).exe
File opened (read-only)	\??\T:	Mario AVP(setup).exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	Mario AVP(setup).exe
File opened (read-only)	\??\L:	Mario AVP(setup).exe
File opened (read-only)	\??\N:	Mario AVP(setup).exe
File opened (read-only)	\??\X:	Mario AVP(setup).exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	Mario AVP(setup).exe
File opened (read-only)	\??\O:	Mario AVP(setup).exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	Mario AVP(setup).exe
File opened (read-only)	\??\W:	Mario AVP(setup).exe
File opened (read-only)	\??\V:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1276	Mario AVP(setup).exe
Token: SeAssignPrimaryTokenPrivilege	1276	Mario AVP(setup).exe
Token: SeLockMemoryPrivilege	1276	Mario AVP(setup).exe
Token: SeIncreaseQuotaPrivilege	1276	Mario AVP(setup).exe
Token: SeMachineAccountPrivilege	1276	Mario AVP(setup).exe
Token: SeTcbPrivilege	1276	Mario AVP(setup).exe
Token: SeSecurityPrivilege	1276	Mario AVP(setup).exe
Token: SeTakeOwnershipPrivilege	1276	Mario AVP(setup).exe
Token: SeLoadDriverPrivilege	1276	Mario AVP(setup).exe
Token: SeSystemProfilePrivilege	1276	Mario AVP(setup).exe
Token: SeSystemtimePrivilege	1276	Mario AVP(setup).exe
Token: SeProfSingleProcessPrivilege	1276	Mario AVP(setup).exe
Token: SeIncBasePriorityPrivilege	1276	Mario AVP(setup).exe
Token: SeCreatePagefilePrivilege	1276	Mario AVP(setup).exe
Token: SeCreatePermanentPrivilege	1276	Mario AVP(setup).exe
Token: SeBackupPrivilege	1276	Mario AVP(setup).exe
Token: SeRestorePrivilege	1276	Mario AVP(setup).exe
Token: SeShutdownPrivilege	1276	Mario AVP(setup).exe
Token: SeDebugPrivilege	1276	Mario AVP(setup).exe
Token: SeAuditPrivilege	1276	Mario AVP(setup).exe
Token: SeSystemEnvironmentPrivilege	1276	Mario AVP(setup).exe
Token: SeChangeNotifyPrivilege	1276	Mario AVP(setup).exe
Token: SeRemoteShutdownPrivilege	1276	Mario AVP(setup).exe
Token: SeUndockPrivilege	1276	Mario AVP(setup).exe
Token: SeSyncAgentPrivilege	1276	Mario AVP(setup).exe
Token: SeEnableDelegationPrivilege	1276	Mario AVP(setup).exe
Token: SeManageVolumePrivilege	1276	Mario AVP(setup).exe
Token: SeImpersonatePrivilege	1276	Mario AVP(setup).exe
Token: SeCreateGlobalPrivilege	1276	Mario AVP(setup).exe
Token: SeSecurityPrivilege	3788	msiexec.exe
Token: SeCreateTokenPrivilege	1276	Mario AVP(setup).exe
Token: SeAssignPrimaryTokenPrivilege	1276	Mario AVP(setup).exe
Token: SeLockMemoryPrivilege	1276	Mario AVP(setup).exe
Token: SeIncreaseQuotaPrivilege	1276	Mario AVP(setup).exe
Token: SeMachineAccountPrivilege	1276	Mario AVP(setup).exe
Token: SeTcbPrivilege	1276	Mario AVP(setup).exe
Token: SeSecurityPrivilege	1276	Mario AVP(setup).exe
Token: SeTakeOwnershipPrivilege	1276	Mario AVP(setup).exe
Token: SeLoadDriverPrivilege	1276	Mario AVP(setup).exe
Token: SeSystemProfilePrivilege	1276	Mario AVP(setup).exe
Token: SeSystemtimePrivilege	1276	Mario AVP(setup).exe
Token: SeProfSingleProcessPrivilege	1276	Mario AVP(setup).exe
Token: SeIncBasePriorityPrivilege	1276	Mario AVP(setup).exe
Token: SeCreatePagefilePrivilege	1276	Mario AVP(setup).exe
Token: SeCreatePermanentPrivilege	1276	Mario AVP(setup).exe
Token: SeBackupPrivilege	1276	Mario AVP(setup).exe
Token: SeRestorePrivilege	1276	Mario AVP(setup).exe
Token: SeShutdownPrivilege	1276	Mario AVP(setup).exe
Token: SeDebugPrivilege	1276	Mario AVP(setup).exe
Token: SeAuditPrivilege	1276	Mario AVP(setup).exe
Token: SeSystemEnvironmentPrivilege	1276	Mario AVP(setup).exe
Token: SeChangeNotifyPrivilege	1276	Mario AVP(setup).exe
Token: SeRemoteShutdownPrivilege	1276	Mario AVP(setup).exe
Token: SeUndockPrivilege	1276	Mario AVP(setup).exe
Token: SeSyncAgentPrivilege	1276	Mario AVP(setup).exe
Token: SeEnableDelegationPrivilege	1276	Mario AVP(setup).exe
Token: SeManageVolumePrivilege	1276	Mario AVP(setup).exe
Token: SeImpersonatePrivilege	1276	Mario AVP(setup).exe
Token: SeCreateGlobalPrivilege	1276	Mario AVP(setup).exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1276	Mario AVP(setup).exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1276	Mario AVP(setup).exe
1276	Mario AVP(setup).exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3480	3788	msiexec.exe	95
PID 3788 wrote to memory of 3480	3788	msiexec.exe	95
PID 3788 wrote to memory of 3480	3788	msiexec.exe	95

C:\Users\Admin\AppData\Local\Temp\Mario AVP(setup).exe
"C:\Users\Admin\AppData\Local\Temp\Mario AVP(setup).exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C10343F5B53853E1520392B16EC9AA95 C
  2⤵
  - Loads dropped DLL
  PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1276\aicustact.dll

Filesize
59KB

MD5
2b1ff06e5b3f0f9338ae774907ccdbbb

SHA1
c0629e38f5f04cdea4238ebabb19e3540f8ff930

SHA256
bf0accc0505d5aa63e64b216dcc1ab9ecffdf613ee838f0b31c6ed194b84aa14

SHA512
678162786b036a6789dfcc6f5a46c66dce9938a12fc737de7dd71673500bc7f065001ca1c6928f498451eaa1ab0c27e18e5ee3dfeea64a6044ef503f22d2ac4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1D96.tmp

Filesize
59KB

MD5
2b1ff06e5b3f0f9338ae774907ccdbbb

SHA1
c0629e38f5f04cdea4238ebabb19e3540f8ff930

SHA256
bf0accc0505d5aa63e64b216dcc1ab9ecffdf613ee838f0b31c6ed194b84aa14

SHA512
678162786b036a6789dfcc6f5a46c66dce9938a12fc737de7dd71673500bc7f065001ca1c6928f498451eaa1ab0c27e18e5ee3dfeea64a6044ef503f22d2ac4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1D96.tmp

Filesize
59KB

MD5
2b1ff06e5b3f0f9338ae774907ccdbbb

SHA1
c0629e38f5f04cdea4238ebabb19e3540f8ff930

SHA256
bf0accc0505d5aa63e64b216dcc1ab9ecffdf613ee838f0b31c6ed194b84aa14

SHA512
678162786b036a6789dfcc6f5a46c66dce9938a12fc737de7dd71673500bc7f065001ca1c6928f498451eaa1ab0c27e18e5ee3dfeea64a6044ef503f22d2ac4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1DB6.tmp

Filesize
59KB

MD5
2b1ff06e5b3f0f9338ae774907ccdbbb

SHA1
c0629e38f5f04cdea4238ebabb19e3540f8ff930

SHA256
bf0accc0505d5aa63e64b216dcc1ab9ecffdf613ee838f0b31c6ed194b84aa14

SHA512
678162786b036a6789dfcc6f5a46c66dce9938a12fc737de7dd71673500bc7f065001ca1c6928f498451eaa1ab0c27e18e5ee3dfeea64a6044ef503f22d2ac4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1DB6.tmp

Filesize
59KB

MD5
2b1ff06e5b3f0f9338ae774907ccdbbb

SHA1
c0629e38f5f04cdea4238ebabb19e3540f8ff930

SHA256
bf0accc0505d5aa63e64b216dcc1ab9ecffdf613ee838f0b31c6ed194b84aa14

SHA512
678162786b036a6789dfcc6f5a46c66dce9938a12fc737de7dd71673500bc7f065001ca1c6928f498451eaa1ab0c27e18e5ee3dfeea64a6044ef503f22d2ac4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5F6.tmp

Filesize
80KB

MD5
aac6268448436f94cb308cb894c0c7a9

SHA1
2797639111bad3cbda74810a44d84aba166d7e6b

SHA256
037dd634897dcf66ea7ea8c4e832523a5e6ad571318140e848d270ce06d2e5c9

SHA512
5172e49cbbfac3d896a0f36f43d61a8e3bae0df8a2d6f1afadfb2e60df128233a1ce019494fbfbba6471468fe8ec346269d621cf395a6c105bd78503ad5aa20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5F6.tmp

Filesize
80KB

MD5
aac6268448436f94cb308cb894c0c7a9

SHA1
2797639111bad3cbda74810a44d84aba166d7e6b

SHA256
037dd634897dcf66ea7ea8c4e832523a5e6ad571318140e848d270ce06d2e5c9

SHA512
5172e49cbbfac3d896a0f36f43d61a8e3bae0df8a2d6f1afadfb2e60df128233a1ce019494fbfbba6471468fe8ec346269d621cf395a6c105bd78503ad5aa20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F865C264-FE60-4382-90BB-0EFCCD942E63}\Spring.742DA8B7\common.js

Filesize
3KB

MD5
690082110d93dc879c46dabbfb76933c

SHA1
16206b29ae1ed7f0750f7ba89f84ee714cd73243

SHA256
41bd0f4054ff4a413b97f7caa577d5670b8001eb3f97447da1b8c0cb94e48458

SHA512
a2c010ac6e1b377bb1a71779100818b34387987b38b7827deafc3556a426500446d62747bea26050725103db3ae9b262b2c6b977acfc6d8202de6703c1d79f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F865C264-FE60-4382-90BB-0EFCCD942E63}\Spring.742DA8B7\jquery-1.3.2.js

Filesize
122KB

MD5
294a2e4595b558a007bd76d4489c79e2

SHA1
f46a8712373bfb739648a685b3a276f417e1cbc4

SHA256
c1cf48a58c37644a92e77e5128f925be59526ba8ffb1c1180522a71df68858c6

SHA512
314659445fc8781598d362771c9dc8eb96fe3f45e88223cf51366f5d049f0c4b18c0ae5eecb02c18c1e79277684848ddcee01960e8cf59e12e6633066c67dd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F865C264-FE60-4382-90BB-0EFCCD942E63}\Spring.742DA8B7\prepare.html

Filesize
2KB

MD5
18ebbd95fda7c6c7df664f2b6eb3d139

SHA1
eb6540302ba3d4feefb5af83c21c9d28780fa85e

SHA256
7b7d18eec45946c04a23e2835f0fab542d03ab82a421a3a8f03b1810d532c40b

SHA512
928d520f9b5b2a80ea9256e112c30ee303b6799a15ef7e7f6b2f9c80b661a8bc15f17743cff68eae693c445791db05b28d055afdd9f5463c0c7d08ac3b0fe679

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F865C264-FE60-4382-90BB-0EFCCD942E63}\Spring.742DA8B7\style.css

Filesize
4KB

MD5
82c520b6ccca08467487c683a04566f9

SHA1
61ddad46b84fc358b56cda580aefb67e8b13d5a7

SHA256
a1e24da90f27b552624652a0b5750b61fc6e0428c2ac852710e64a98cd6b7adf

SHA512
61c24fc6b2dcca3aebd1eeb0fe2ff83772ba8f23649bd45d73ce0a12ac3843624abe92dd337b777d65cf42a8b327ac86aad2221d489d315290c5bbaf2ddd98db

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F865C264-FE60-4382-90BB-0EFCCD942E63}\Spring.742DA8B7\varstyle.css

Filesize
232B

MD5
4d161da5ee722e74b8aea7422733c385

SHA1
d978c410b61d756f970ff829c42721e29b2ff85d

SHA256
d40aad6e8ab28144bbe3d5bb85f8b10d9baddda14dd6fd12946a0c8b8599f04b

SHA512
89482aa2fea9250ecda37e61e4d42e405f71097d018355d60d30c0c67f0de4b338c0722dc44745c1c2c3a9d816d7fcf3ba161132426b5542b10373d9de7d58f8

Download Submit
C:\Users\Admin\AppData\Roaming\DjAmol gRoup\Mario AVP\install\Amol.msi

Filesize
966KB

MD5
d07d43895d5e902c455453590325f504

SHA1
2bd9ac6fdfeb44d9da1806d0ac87299748fabba7

SHA256
9d64d50ba158021bac4f7b523acb672b97f7476a4d19fbfa4ffd09545f226e0a

SHA512
473754b34fc5b50401a4409ce6414fc50537c51768247090be3300fa00158b08d68ef5b21d73ea3f1aca4644319254a3d724aebde2180cb2e863da9f856d70d2

Download Submit
memory/1276-0-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1276-89-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download