5dfda81b477783c2c9698f0b26237c2d012b0a4bb657f67e7ded8cb0c4fd5113

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe
Size

7.7MB
MD5

1b117a78fc3f787f6b520a3c961b0a99
SHA1

a7febb4261f9ca842e6c56e999e08f0e60b8bc04
SHA256

50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76
SHA512

9f3d4f546996336606dc81210fc6138afda00a537a52843941512b6afcd26167d80de375cca826d90d56b2f3d084dc6f3e4390a8d429f081924c30cc77f27871
SSDEEP

98304:BXpTTfp5m2GMGSY5Aa5AfzCweiY5Aaevr9l08XjEthXO0oFyWRoo7gK/fUG+776w:tYTIehkQtZFoRl7R/i77+eTKF

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
19	2600	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Loads dropped DLL 4 IoCs

pid	Process
2124	MsiExec.exe
2124	MsiExec.exe
2124	MsiExec.exe
2124	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2600	msiexec.exe
Token: SeSecurityPrivilege	3396	msiexec.exe
Token: SeCreateTokenPrivilege	2600	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2600	msiexec.exe
Token: SeLockMemoryPrivilege	2600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2600	msiexec.exe
Token: SeMachineAccountPrivilege	2600	msiexec.exe
Token: SeTcbPrivilege	2600	msiexec.exe
Token: SeSecurityPrivilege	2600	msiexec.exe
Token: SeTakeOwnershipPrivilege	2600	msiexec.exe
Token: SeLoadDriverPrivilege	2600	msiexec.exe
Token: SeSystemProfilePrivilege	2600	msiexec.exe
Token: SeSystemtimePrivilege	2600	msiexec.exe
Token: SeProfSingleProcessPrivilege	2600	msiexec.exe
Token: SeIncBasePriorityPrivilege	2600	msiexec.exe
Token: SeCreatePagefilePrivilege	2600	msiexec.exe
Token: SeCreatePermanentPrivilege	2600	msiexec.exe
Token: SeBackupPrivilege	2600	msiexec.exe
Token: SeRestorePrivilege	2600	msiexec.exe
Token: SeShutdownPrivilege	2600	msiexec.exe
Token: SeDebugPrivilege	2600	msiexec.exe
Token: SeAuditPrivilege	2600	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2600	msiexec.exe
Token: SeChangeNotifyPrivilege	2600	msiexec.exe
Token: SeRemoteShutdownPrivilege	2600	msiexec.exe
Token: SeUndockPrivilege	2600	msiexec.exe
Token: SeSyncAgentPrivilege	2600	msiexec.exe
Token: SeEnableDelegationPrivilege	2600	msiexec.exe
Token: SeManageVolumePrivilege	2600	msiexec.exe
Token: SeImpersonatePrivilege	2600	msiexec.exe
Token: SeCreateGlobalPrivilege	2600	msiexec.exe
Token: SeCreateTokenPrivilege	2600	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2600	msiexec.exe
Token: SeLockMemoryPrivilege	2600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2600	msiexec.exe
Token: SeMachineAccountPrivilege	2600	msiexec.exe
Token: SeTcbPrivilege	2600	msiexec.exe
Token: SeSecurityPrivilege	2600	msiexec.exe
Token: SeTakeOwnershipPrivilege	2600	msiexec.exe
Token: SeLoadDriverPrivilege	2600	msiexec.exe
Token: SeSystemProfilePrivilege	2600	msiexec.exe
Token: SeSystemtimePrivilege	2600	msiexec.exe
Token: SeProfSingleProcessPrivilege	2600	msiexec.exe
Token: SeIncBasePriorityPrivilege	2600	msiexec.exe
Token: SeCreatePagefilePrivilege	2600	msiexec.exe
Token: SeCreatePermanentPrivilege	2600	msiexec.exe
Token: SeBackupPrivilege	2600	msiexec.exe
Token: SeRestorePrivilege	2600	msiexec.exe
Token: SeShutdownPrivilege	2600	msiexec.exe
Token: SeDebugPrivilege	2600	msiexec.exe
Token: SeAuditPrivilege	2600	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2600	msiexec.exe
Token: SeChangeNotifyPrivilege	2600	msiexec.exe
Token: SeRemoteShutdownPrivilege	2600	msiexec.exe
Token: SeUndockPrivilege	2600	msiexec.exe
Token: SeSyncAgentPrivilege	2600	msiexec.exe
Token: SeEnableDelegationPrivilege	2600	msiexec.exe
Token: SeManageVolumePrivilege	2600	msiexec.exe
Token: SeImpersonatePrivilege	2600	msiexec.exe
Token: SeCreateGlobalPrivilege	2600	msiexec.exe
Token: SeCreateTokenPrivilege	2600	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2600	msiexec.exe
Token: SeLockMemoryPrivilege	2600	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
264	50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe
2600	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2600	264	50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe	88
PID 264 wrote to memory of 2600	264	50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe	88
PID 3396 wrote to memory of 2124	3396	msiexec.exe	93
PID 3396 wrote to memory of 2124	3396	msiexec.exe	93
PID 3396 wrote to memory of 2124	3396	msiexec.exe	93

C:\Users\Admin\AppData\Local\Temp\50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe
"C:\Users\Admin\AppData\Local\Temp\50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:264
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.36287.0\install\FL2000.x64.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\50f6559a6562b92e036508cf7e7e7ff3349bf95f791ae8d3143f0937ce289c76.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2600

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 32D68A3DAE3202707A97DB1F5ACC116F C
  2⤵
  - Loads dropped DLL
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI954B.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI954B.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI96A3.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI96A3.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI96F2.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI96F2.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI96F2.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9751.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9751.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\upd8A8E.tmp

Filesize
1KB

MD5
54ab87d570346f70eae42abac0cee76b

SHA1
a4cb1890225f6e37e2488b4e69fb6bf00f168baa

SHA256
7fbd8678415bf9f7a462a290f74fa32b148fe05c54b73f9c6fb01b38d919c690

SHA512
5f4f95417bec805ab6b2b2c10d284d5cf7c78e2c6dd42fbcdaae9bf78d71249c205aead6a7e0c35c3c0293db40763bb1e80348288b48f1b7cfd4b1e2eaf261d1

Download Submit
C:\Users\Admin\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.36287.0\install\FL2000.x64.msi

Filesize
1.5MB

MD5
21e58957eec0edd6be4d4390d7ef92d7

SHA1
a0de26e6eec0436a9bf13b6d336851775a20398a

SHA256
c2f78adc751f4850221baf10ea07581ecc9de2eea578ccd5866760498d4d36af

SHA512
e397e454c66e0af30657d66038381d29ecbef44e2d0e03ee2b3b4d76ac03e0c4d4f59694cb5c071dc2bce6d0dc2312626c0e7d1d1da9ae3d23455ded952cbd6e

Download Submit