a1843b35c71a0925985276ecced7040cae99d6635b6de7b50cb4630d3f3c2819

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2023, 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

24.6MB
MD5

3055c62a18308282506fdf461ea9ec89
SHA1

b464491bff51eddb9dd9ca0d10dcefe681e68e78
SHA256

a1843b35c71a0925985276ecced7040cae99d6635b6de7b50cb4630d3f3c2819
SHA512

54b62463d7ad599576e993ae5aa4a5df6472a79be33a7a0198edd7c8daa8f385faf4f8b1976eaeb7e86fb82279e9e469e65580b1d1245d1ec0382830474f4558
SSDEEP

786432:f9z+qZY4h5mcsxmTyjWswiAKO7MTFgCzjvfK9Q:7V5mfCsw3T7MTxzjvfsQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2564	setup.exe

Loads dropped DLL 3 IoCs

pid	Process
4404	MsiExec.exe
4404	MsiExec.exe
4404	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
42	1760	msiexec.exe
44	1760	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1760	msiexec.exe
Token: SeSecurityPrivilege	4956	msiexec.exe
Token: SeCreateTokenPrivilege	1760	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1760	msiexec.exe
Token: SeLockMemoryPrivilege	1760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1760	msiexec.exe
Token: SeMachineAccountPrivilege	1760	msiexec.exe
Token: SeTcbPrivilege	1760	msiexec.exe
Token: SeSecurityPrivilege	1760	msiexec.exe
Token: SeTakeOwnershipPrivilege	1760	msiexec.exe
Token: SeLoadDriverPrivilege	1760	msiexec.exe
Token: SeSystemProfilePrivilege	1760	msiexec.exe
Token: SeSystemtimePrivilege	1760	msiexec.exe
Token: SeProfSingleProcessPrivilege	1760	msiexec.exe
Token: SeIncBasePriorityPrivilege	1760	msiexec.exe
Token: SeCreatePagefilePrivilege	1760	msiexec.exe
Token: SeCreatePermanentPrivilege	1760	msiexec.exe
Token: SeBackupPrivilege	1760	msiexec.exe
Token: SeRestorePrivilege	1760	msiexec.exe
Token: SeShutdownPrivilege	1760	msiexec.exe
Token: SeDebugPrivilege	1760	msiexec.exe
Token: SeAuditPrivilege	1760	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1760	msiexec.exe
Token: SeChangeNotifyPrivilege	1760	msiexec.exe
Token: SeRemoteShutdownPrivilege	1760	msiexec.exe
Token: SeUndockPrivilege	1760	msiexec.exe
Token: SeSyncAgentPrivilege	1760	msiexec.exe
Token: SeEnableDelegationPrivilege	1760	msiexec.exe
Token: SeManageVolumePrivilege	1760	msiexec.exe
Token: SeImpersonatePrivilege	1760	msiexec.exe
Token: SeCreateGlobalPrivilege	1760	msiexec.exe
Token: SeCreateTokenPrivilege	1760	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1760	msiexec.exe
Token: SeLockMemoryPrivilege	1760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1760	msiexec.exe
Token: SeMachineAccountPrivilege	1760	msiexec.exe
Token: SeTcbPrivilege	1760	msiexec.exe
Token: SeSecurityPrivilege	1760	msiexec.exe
Token: SeTakeOwnershipPrivilege	1760	msiexec.exe
Token: SeLoadDriverPrivilege	1760	msiexec.exe
Token: SeSystemProfilePrivilege	1760	msiexec.exe
Token: SeSystemtimePrivilege	1760	msiexec.exe
Token: SeProfSingleProcessPrivilege	1760	msiexec.exe
Token: SeIncBasePriorityPrivilege	1760	msiexec.exe
Token: SeCreatePagefilePrivilege	1760	msiexec.exe
Token: SeCreatePermanentPrivilege	1760	msiexec.exe
Token: SeBackupPrivilege	1760	msiexec.exe
Token: SeRestorePrivilege	1760	msiexec.exe
Token: SeShutdownPrivilege	1760	msiexec.exe
Token: SeDebugPrivilege	1760	msiexec.exe
Token: SeAuditPrivilege	1760	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1760	msiexec.exe
Token: SeChangeNotifyPrivilege	1760	msiexec.exe
Token: SeRemoteShutdownPrivilege	1760	msiexec.exe
Token: SeUndockPrivilege	1760	msiexec.exe
Token: SeSyncAgentPrivilege	1760	msiexec.exe
Token: SeEnableDelegationPrivilege	1760	msiexec.exe
Token: SeManageVolumePrivilege	1760	msiexec.exe
Token: SeImpersonatePrivilege	1760	msiexec.exe
Token: SeCreateGlobalPrivilege	1760	msiexec.exe
Token: SeCreateTokenPrivilege	1760	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1760	msiexec.exe
Token: SeLockMemoryPrivilege	1760	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1760	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2564	setup.exe
2564	setup.exe
2564	setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2564	2432	tmp.exe	100
PID 2432 wrote to memory of 2564	2432	tmp.exe	100
PID 2432 wrote to memory of 2564	2432	tmp.exe	100
PID 2564 wrote to memory of 1760	2564	setup.exe	101
PID 2564 wrote to memory of 1760	2564	setup.exe	101
PID 2564 wrote to memory of 1760	2564	setup.exe	101
PID 4956 wrote to memory of 4404	4956	msiexec.exe	104
PID 4956 wrote to memory of 4404	4956	msiexec.exe	104
PID 4956 wrote to memory of 4404	4956	msiexec.exe	104

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Adobe\Reader 9.4\Setup Files\setup.exe
  "C:\Users\Admin\AppData\Local\Adobe\Reader 9.4\Setup Files\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe /i "C:\Users\Admin\AppData\Local\Adobe\Reader 9.4\Setup Files\AcroRead.msi" REBOOT="ReallySuppress"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1760

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D8EE0BB325E39B4930EB7456B3EED2EF C
  2⤵
  - Loads dropped DLL
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\APPDATA\LOCAL\ADOBE\READER 9.4\SETUP FILES\Abcpy.ini

Filesize
1KB

MD5
e6fc41debdea75a3f07236ab0c4cc733

SHA1
150b34fe408ca67980ef43996a8611b575d0501c

SHA256
383148b125d25b72cd369471ac844507b17c59f499eb6cd82d1f654b2b3c0005

SHA512
76bd0e6af7cb7af5092f43b3c6fb4c2da2cba2eb23a34e81bd666c7fc007e59fa9c91208a762e3a3045316d36051f1047b03c1251c99911be282babf204d6dcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Reader 9.4\Setup Files\AcroRead.msi

Filesize
3.8MB

MD5
33e4ac38fb717295d9eeb24f3faf4b43

SHA1
a5e6da15b7593e3eb1e2d1ab39607f97db69dc2b

SHA256
1737c86c979591a53eda1855e543bbde81c0839aa9de41cbded7677e88e36044

SHA512
47830ca01b2baf46e0b7d6ad625a950fd01716c39926751c5fc5cde722a21acf68bcd36a44393e82373d518cf05026c6574378274fa48f678baffad4dde0eae5

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Reader 9.4\Setup Files\Setup.exe

Filesize
337KB

MD5
c490bb035d06cc769efde3d3a0d707de

SHA1
75bed88153483a02cd16ce13bcb4d187b7b58669

SHA256
6f9f100ea83e8bd856050285d564297b3fa7939376dff25a33b57f82f2f3a663

SHA512
9199d1ffbfbf704da2831d826f1d89ca044a76acb8b6e734d63903b6d8e84e2a76242454eed49ac5244ccdcd3f25b825ee7dacecebdedd50f1f644d808533969

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Reader 9.4\Setup Files\Setup.exe

Filesize
337KB

MD5
c490bb035d06cc769efde3d3a0d707de

SHA1
75bed88153483a02cd16ce13bcb4d187b7b58669

SHA256
6f9f100ea83e8bd856050285d564297b3fa7939376dff25a33b57f82f2f3a663

SHA512
9199d1ffbfbf704da2831d826f1d89ca044a76acb8b6e734d63903b6d8e84e2a76242454eed49ac5244ccdcd3f25b825ee7dacecebdedd50f1f644d808533969

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Reader 9.4\Setup Files\setup.exe

Filesize
337KB

MD5
c490bb035d06cc769efde3d3a0d707de

SHA1
75bed88153483a02cd16ce13bcb4d187b7b58669

SHA256
6f9f100ea83e8bd856050285d564297b3fa7939376dff25a33b57f82f2f3a663

SHA512
9199d1ffbfbf704da2831d826f1d89ca044a76acb8b6e734d63903b6d8e84e2a76242454eed49ac5244ccdcd3f25b825ee7dacecebdedd50f1f644d808533969

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Reader 9.4\Setup Files\setup.ini

Filesize
294B

MD5
8afb9ba1810f06880b98baadf822fca5

SHA1
3d5126fd4b54d4c2fab69f6e8d238dc9af1c26c7

SHA256
baed77b9ddfcf33e1b12b83d3bc7df95444d5258550ba22ca430176014fdb77f

SHA512
b98f51fcef5cc59319c1a4a29b50e23346840ece17540ac42ec5633af82bc538460c80dda0f43a0023745f5b42954416a8504d1573e55058b5211f470fcce777

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA7C9.tmp

Filesize
52KB

MD5
4a908ee9c6f2f4aad63382cccee731e4

SHA1
e572580949f277987fe232757ce88c2ac35e0223

SHA256
459f503fb8b4fc4a600261430ac77bf70118d41fa19f7b2620d43ba6e9c8fa5e

SHA512
75ba5856df7ed1457b6192e3b12c5dbb9cd0c6860d787357b37d5e2aabdd1dddb1fd6195064cad1b166431a71dee233b76cb6304d8e868050d79c731ef6e567f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA7C9.tmp

Filesize
52KB

MD5
4a908ee9c6f2f4aad63382cccee731e4

SHA1
e572580949f277987fe232757ce88c2ac35e0223

SHA256
459f503fb8b4fc4a600261430ac77bf70118d41fa19f7b2620d43ba6e9c8fa5e

SHA512
75ba5856df7ed1457b6192e3b12c5dbb9cd0c6860d787357b37d5e2aabdd1dddb1fd6195064cad1b166431a71dee233b76cb6304d8e868050d79c731ef6e567f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA8A5.tmp

Filesize
96KB

MD5
fadffef98d0f28368b843c6e9afd9782

SHA1
578101fadf1034c4a928b978260b120b740cdfb9

SHA256
73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886

SHA512
ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA8A5.tmp

Filesize
96KB

MD5
fadffef98d0f28368b843c6e9afd9782

SHA1
578101fadf1034c4a928b978260b120b740cdfb9

SHA256
73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886

SHA512
ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA8C5.tmp

Filesize
85KB

MD5
43623ef978845c1388f7fe91d9cbeeee

SHA1
71c53cb7ee2ed1b45ff690dfd4a79f9a8903b5db

SHA256
4581d04e799c426fbf39506d3a376d51dd49db7c89a6fad614c1f88a9b4b4c04

SHA512
34e244585f61171a07db0901d902bc0909f1d936419ba1f066f3065222d022d2ef903801b0ecd0042676a704feac916ec7b2a0f81a7caaac57c80721b1db9352

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA8C5.tmp

Filesize
85KB

MD5
43623ef978845c1388f7fe91d9cbeeee

SHA1
71c53cb7ee2ed1b45ff690dfd4a79f9a8903b5db

SHA256
4581d04e799c426fbf39506d3a376d51dd49db7c89a6fad614c1f88a9b4b4c04

SHA512
34e244585f61171a07db0901d902bc0909f1d936419ba1f066f3065222d022d2ef903801b0ecd0042676a704feac916ec7b2a0f81a7caaac57c80721b1db9352

Download Submit
memory/2432-0-0x0000000000F20000-0x0000000000F7F000-memory.dmp

Filesize
380KB

Download
memory/2432-51-0x0000000000F20000-0x0000000000F7F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads