7fd9ab936674c3a68d699acf9c30964552eb2db01b4b9391ec8c357561674872

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 12:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

openvpn-pfSense-UDP4-1194-rkf1-install-2.5.2-I601-amd64.exe
Size

3.5MB
MD5

178206b5723ee0b2d4c28678fffa8226
SHA1

e4e51c2ff79843ce7a26cc45d9a8a3c914b5aa50
SHA256

7fd9ab936674c3a68d699acf9c30964552eb2db01b4b9391ec8c357561674872
SHA512

1f9cd02b1425532d7c756be318fcec3c9c115dbf202c65abb4d80b63425496151c731ff0f81db5ac67ec3c14332b3991d891c2faa27c4df3c1a5dbfa3f99c485
SSDEEP

98304:zgwRiZa99ihvHqhBhK7pMmfNZDPp7vJ6oRfDXwHn6fg3la:zgZYE1mhK7mmlZLf6oJqLQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	openvpn-pfSense-UDP4-1194-rkf1-install-2.5.2-I601-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
372	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	1952	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeSecurityPrivilege	4176	msiexec.exe
Token: SeCreateTokenPrivilege	1952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1952	msiexec.exe
Token: SeLockMemoryPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeMachineAccountPrivilege	1952	msiexec.exe
Token: SeTcbPrivilege	1952	msiexec.exe
Token: SeSecurityPrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeLoadDriverPrivilege	1952	msiexec.exe
Token: SeSystemProfilePrivilege	1952	msiexec.exe
Token: SeSystemtimePrivilege	1952	msiexec.exe
Token: SeProfSingleProcessPrivilege	1952	msiexec.exe
Token: SeIncBasePriorityPrivilege	1952	msiexec.exe
Token: SeCreatePagefilePrivilege	1952	msiexec.exe
Token: SeCreatePermanentPrivilege	1952	msiexec.exe
Token: SeBackupPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeDebugPrivilege	1952	msiexec.exe
Token: SeAuditPrivilege	1952	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1952	msiexec.exe
Token: SeChangeNotifyPrivilege	1952	msiexec.exe
Token: SeRemoteShutdownPrivilege	1952	msiexec.exe
Token: SeUndockPrivilege	1952	msiexec.exe
Token: SeSyncAgentPrivilege	1952	msiexec.exe
Token: SeEnableDelegationPrivilege	1952	msiexec.exe
Token: SeManageVolumePrivilege	1952	msiexec.exe
Token: SeImpersonatePrivilege	1952	msiexec.exe
Token: SeCreateGlobalPrivilege	1952	msiexec.exe
Token: SeCreateTokenPrivilege	1952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1952	msiexec.exe
Token: SeLockMemoryPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeMachineAccountPrivilege	1952	msiexec.exe
Token: SeTcbPrivilege	1952	msiexec.exe
Token: SeSecurityPrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeLoadDriverPrivilege	1952	msiexec.exe
Token: SeSystemProfilePrivilege	1952	msiexec.exe
Token: SeSystemtimePrivilege	1952	msiexec.exe
Token: SeProfSingleProcessPrivilege	1952	msiexec.exe
Token: SeIncBasePriorityPrivilege	1952	msiexec.exe
Token: SeCreatePagefilePrivilege	1952	msiexec.exe
Token: SeCreatePermanentPrivilege	1952	msiexec.exe
Token: SeBackupPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeDebugPrivilege	1952	msiexec.exe
Token: SeAuditPrivilege	1952	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1952	msiexec.exe
Token: SeChangeNotifyPrivilege	1952	msiexec.exe
Token: SeRemoteShutdownPrivilege	1952	msiexec.exe
Token: SeUndockPrivilege	1952	msiexec.exe
Token: SeSyncAgentPrivilege	1952	msiexec.exe
Token: SeEnableDelegationPrivilege	1952	msiexec.exe
Token: SeManageVolumePrivilege	1952	msiexec.exe
Token: SeImpersonatePrivilege	1952	msiexec.exe
Token: SeCreateGlobalPrivilege	1952	msiexec.exe
Token: SeCreateTokenPrivilege	1952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1952	msiexec.exe
Token: SeLockMemoryPrivilege	1952	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2932	openvpn-pfSense-UDP4-1194-rkf1-install-2.5.2-I601-amd64.exe
1952	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1952	2932	openvpn-pfSense-UDP4-1194-rkf1-install-2.5.2-I601-amd64.exe	88
PID 2932 wrote to memory of 1952	2932	openvpn-pfSense-UDP4-1194-rkf1-install-2.5.2-I601-amd64.exe	88
PID 2932 wrote to memory of 1952	2932	openvpn-pfSense-UDP4-1194-rkf1-install-2.5.2-I601-amd64.exe	88
PID 4176 wrote to memory of 372	4176	msiexec.exe	91
PID 4176 wrote to memory of 372	4176	msiexec.exe	91

C:\Users\Admin\AppData\Local\Temp\openvpn-pfSense-UDP4-1194-rkf1-install-2.5.2-I601-amd64.exe
"C:\Users\Admin\AppData\Local\Temp\openvpn-pfSense-UDP4-1194-rkf1-install-2.5.2-I601-amd64.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i openvpn-install.msi /norestart
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1952

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding A4C633A2AFF3673062732B9C2343C613 C
  2⤵
  - Loads dropped DLL
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\openvpn-install.msi

Filesize
4.4MB

MD5
6057bb983b6948d07b5051863a063050

SHA1
8ad1e04c577215da07c06df4a62a7849f7d91ee6

SHA256
ed839826006f046020252a41ac87b87728e08497dd5afd01444369bc0247d790

SHA512
cdac3cadc05a6c4605f3f6cbf9c1ce9db15d1d5aa3f92fec66deccc5b216f4b3ebbddb25224ea5135336b836e0dedd6c3c092d3b77477319c3a4de8705e239d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAC7C.tmp

Filesize
57KB

MD5
79eaf512e1274bbc9d7a9c8b1953de6a

SHA1
64b386ad284f99a979ed4bb45e17cb3d65092d30

SHA256
cfa770eba6cfe1a8083bccf69e6bd317f04cf731017def22c816a8f89d41a586

SHA512
664fdce5615f534379c66b6d83cf7ee664a3285ab2e88c3dab61171c6338deb3cdd291f2b8fb99f9248f07163ff905afb7f2eda97cd2aeaed9c1bb0a6efccd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAC7C.tmp

Filesize
57KB

MD5
79eaf512e1274bbc9d7a9c8b1953de6a

SHA1
64b386ad284f99a979ed4bb45e17cb3d65092d30

SHA256
cfa770eba6cfe1a8083bccf69e6bd317f04cf731017def22c816a8f89d41a586

SHA512
664fdce5615f534379c66b6d83cf7ee664a3285ab2e88c3dab61171c6338deb3cdd291f2b8fb99f9248f07163ff905afb7f2eda97cd2aeaed9c1bb0a6efccd52

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads