5dfda81b477783c2c9698f0b26237c2d012b0a4bb657f67e7ded8cb0c4fd5113

Analysis

max time kernel
144s
max time network
152s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
26-11-2023 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe
Size

7.7MB
MD5

1b117a78fc3f787f6b520a3c961b0a99
SHA1

a7febb4261f9ca842e6c56e999e08f0e60b8bc04
SHA256

50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76
SHA512

9f3d4f546996336606dc81210fc6138afda00a537a52843941512b6afcd26167d80de375cca826d90d56b2f3d084dc6f3e4390a8d429f081924c30cc77f27871
SSDEEP

98304:BXpTTfp5m2GMGSY5Aa5AfzCweiY5Aaevr9l08XjEthXO0oFyWRoo7gK/fUG+776w:tYTIehkQtZFoRl7R/i77+eTKF

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
9	2772	msiexec.exe
11	2772	msiexec.exe
13	2772	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Loads dropped DLL 3 IoCs

pid	Process
2704	MsiExec.exe
2704	MsiExec.exe
2704	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2772	msiexec.exe
Token: SeRestorePrivilege	2320	msiexec.exe
Token: SeTakeOwnershipPrivilege	2320	msiexec.exe
Token: SeSecurityPrivilege	2320	msiexec.exe
Token: SeCreateTokenPrivilege	2772	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2772	msiexec.exe
Token: SeLockMemoryPrivilege	2772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2772	msiexec.exe
Token: SeMachineAccountPrivilege	2772	msiexec.exe
Token: SeTcbPrivilege	2772	msiexec.exe
Token: SeSecurityPrivilege	2772	msiexec.exe
Token: SeTakeOwnershipPrivilege	2772	msiexec.exe
Token: SeLoadDriverPrivilege	2772	msiexec.exe
Token: SeSystemProfilePrivilege	2772	msiexec.exe
Token: SeSystemtimePrivilege	2772	msiexec.exe
Token: SeProfSingleProcessPrivilege	2772	msiexec.exe
Token: SeIncBasePriorityPrivilege	2772	msiexec.exe
Token: SeCreatePagefilePrivilege	2772	msiexec.exe
Token: SeCreatePermanentPrivilege	2772	msiexec.exe
Token: SeBackupPrivilege	2772	msiexec.exe
Token: SeRestorePrivilege	2772	msiexec.exe
Token: SeShutdownPrivilege	2772	msiexec.exe
Token: SeDebugPrivilege	2772	msiexec.exe
Token: SeAuditPrivilege	2772	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2772	msiexec.exe
Token: SeChangeNotifyPrivilege	2772	msiexec.exe
Token: SeRemoteShutdownPrivilege	2772	msiexec.exe
Token: SeUndockPrivilege	2772	msiexec.exe
Token: SeSyncAgentPrivilege	2772	msiexec.exe
Token: SeEnableDelegationPrivilege	2772	msiexec.exe
Token: SeManageVolumePrivilege	2772	msiexec.exe
Token: SeImpersonatePrivilege	2772	msiexec.exe
Token: SeCreateGlobalPrivilege	2772	msiexec.exe
Token: SeCreateTokenPrivilege	2772	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2772	msiexec.exe
Token: SeLockMemoryPrivilege	2772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2772	msiexec.exe
Token: SeMachineAccountPrivilege	2772	msiexec.exe
Token: SeTcbPrivilege	2772	msiexec.exe
Token: SeSecurityPrivilege	2772	msiexec.exe
Token: SeTakeOwnershipPrivilege	2772	msiexec.exe
Token: SeLoadDriverPrivilege	2772	msiexec.exe
Token: SeSystemProfilePrivilege	2772	msiexec.exe
Token: SeSystemtimePrivilege	2772	msiexec.exe
Token: SeProfSingleProcessPrivilege	2772	msiexec.exe
Token: SeIncBasePriorityPrivilege	2772	msiexec.exe
Token: SeCreatePagefilePrivilege	2772	msiexec.exe
Token: SeCreatePermanentPrivilege	2772	msiexec.exe
Token: SeBackupPrivilege	2772	msiexec.exe
Token: SeRestorePrivilege	2772	msiexec.exe
Token: SeShutdownPrivilege	2772	msiexec.exe
Token: SeDebugPrivilege	2772	msiexec.exe
Token: SeAuditPrivilege	2772	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2772	msiexec.exe
Token: SeChangeNotifyPrivilege	2772	msiexec.exe
Token: SeRemoteShutdownPrivilege	2772	msiexec.exe
Token: SeUndockPrivilege	2772	msiexec.exe
Token: SeSyncAgentPrivilege	2772	msiexec.exe
Token: SeEnableDelegationPrivilege	2772	msiexec.exe
Token: SeManageVolumePrivilege	2772	msiexec.exe
Token: SeImpersonatePrivilege	2772	msiexec.exe
Token: SeCreateGlobalPrivilege	2772	msiexec.exe
Token: SeCreateTokenPrivilege	2772	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2940	50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe
2772	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2772	2940	50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe	29
PID 2940 wrote to memory of 2772	2940	50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe	29
PID 2940 wrote to memory of 2772	2940	50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe	29
PID 2940 wrote to memory of 2772	2940	50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe	29
PID 2940 wrote to memory of 2772	2940	50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe	29
PID 2940 wrote to memory of 2772	2940	50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe	29
PID 2940 wrote to memory of 2772	2940	50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe	29
PID 2320 wrote to memory of 2704	2320	msiexec.exe	31
PID 2320 wrote to memory of 2704	2320	msiexec.exe	31
PID 2320 wrote to memory of 2704	2320	msiexec.exe	31
PID 2320 wrote to memory of 2704	2320	msiexec.exe	31
PID 2320 wrote to memory of 2704	2320	msiexec.exe	31
PID 2320 wrote to memory of 2704	2320	msiexec.exe	31
PID 2320 wrote to memory of 2704	2320	msiexec.exe	31

C:\Users\Admin\AppData\Local\Temp\50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe
"C:\Users\Admin\AppData\Local\Temp\50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.36287.0\install\FL2000.x64.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2772

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89AA20C9438E03F5DDA8DCA063C151AD C
  2⤵
  - Loads dropped DLL
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab4C1F.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4F6E.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI50B6.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI50D6.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI50D6.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4DC7.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\upd425E.tmp

Filesize
1KB

MD5
54ab87d570346f70eae42abac0cee76b

SHA1
a4cb1890225f6e37e2488b4e69fb6bf00f168baa

SHA256
7fbd8678415bf9f7a462a290f74fa32b148fe05c54b73f9c6fb01b38d919c690

SHA512
5f4f95417bec805ab6b2b2c10d284d5cf7c78e2c6dd42fbcdaae9bf78d71249c205aead6a7e0c35c3c0293db40763bb1e80348288b48f1b7cfd4b1e2eaf261d1

Download Submit
C:\Users\Admin\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.36287.0\install\FL2000.x64.msi

Filesize
1.5MB

MD5
21e58957eec0edd6be4d4390d7ef92d7

SHA1
a0de26e6eec0436a9bf13b6d336851775a20398a

SHA256
c2f78adc751f4850221baf10ea07581ecc9de2eea578ccd5866760498d4d36af

SHA512
e397e454c66e0af30657d66038381d29ecbef44e2d0e03ee2b3b4d76ac03e0c4d4f59694cb5c071dc2bce6d0dc2312626c0e7d1d1da9ae3d23455ded952cbd6e

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4F6E.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
\Users\Admin\AppData\Local\Temp\MSI50B6.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
\Users\Admin\AppData\Local\Temp\MSI50D6.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
memory/2940-0-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2940-68-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download