6e9c1729af27cc806129e5620a36661a7d914ad3c38a3ab6ae370128b619dc0f

Analysis

max time kernel
117s
max time network
149s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.2-pc-gdps-v1.11.2-installer.exe
Size

310.6MB
MD5

c47656d7d75824c1434352303d813582
SHA1

9800edaf6c6038307ededc2fdf9ba5d9badb73b0
SHA256

6e9c1729af27cc806129e5620a36661a7d914ad3c38a3ab6ae370128b619dc0f
SHA512

7aac5de88b1a1b271f8af372e1a2b4f84753078be8f4245d3c084b0b0a73ff4cdb0ba935e5f0ec039397c7d2ba95242424c7ecbde077272d6d3bc084e6f804be
SSDEEP

6291456:wOGXmMItKrmebF4YybN8pplmIcOQALvDoaRUnnggvBDe0PrZhlJe9X:wOGWMItKqYamPlv1fP2RvBDe0lhlJwX

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2316	2.2-pc-gdps-v1.11.2-installer.exe
2528	MsiExec.exe
2528	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\R:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\W:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\J:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\P:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\Q:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\X:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\V:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\U:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\K:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\N:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\S:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\Z:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\I:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\L:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\O:	2.2-pc-gdps-v1.11.2-installer.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	2.2-pc-gdps-v1.11.2-installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2740	msiexec.exe
Token: SeTakeOwnershipPrivilege	2740	msiexec.exe
Token: SeSecurityPrivilege	2740	msiexec.exe
Token: SeCreateTokenPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeAssignPrimaryTokenPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeLockMemoryPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeIncreaseQuotaPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeMachineAccountPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeTcbPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeSecurityPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeTakeOwnershipPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeLoadDriverPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeSystemProfilePrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeSystemtimePrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeProfSingleProcessPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeIncBasePriorityPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeCreatePagefilePrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeCreatePermanentPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeBackupPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeRestorePrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeShutdownPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeDebugPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeAuditPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeSystemEnvironmentPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeChangeNotifyPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeRemoteShutdownPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeUndockPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeSyncAgentPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeEnableDelegationPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeManageVolumePrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeImpersonatePrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeCreateGlobalPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeCreateTokenPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeAssignPrimaryTokenPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeLockMemoryPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeIncreaseQuotaPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeMachineAccountPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeTcbPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeSecurityPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeTakeOwnershipPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeLoadDriverPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeSystemProfilePrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeSystemtimePrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeProfSingleProcessPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeIncBasePriorityPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeCreatePagefilePrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeCreatePermanentPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeBackupPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeRestorePrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeShutdownPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeDebugPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeAuditPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeSystemEnvironmentPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeChangeNotifyPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeRemoteShutdownPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeUndockPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeSyncAgentPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeEnableDelegationPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeManageVolumePrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeImpersonatePrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeCreateGlobalPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeCreateTokenPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeAssignPrimaryTokenPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe
Token: SeLockMemoryPrivilege	2316	2.2-pc-gdps-v1.11.2-installer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2316	2.2-pc-gdps-v1.11.2-installer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2528	2740	msiexec.exe	29
PID 2740 wrote to memory of 2528	2740	msiexec.exe	29
PID 2740 wrote to memory of 2528	2740	msiexec.exe	29
PID 2740 wrote to memory of 2528	2740	msiexec.exe	29
PID 2740 wrote to memory of 2528	2740	msiexec.exe	29
PID 2740 wrote to memory of 2528	2740	msiexec.exe	29
PID 2740 wrote to memory of 2528	2740	msiexec.exe	29

C:\Users\Admin\AppData\Local\Temp\2.2-pc-gdps-v1.11.2-installer.exe
"C:\Users\Admin\AppData\Local\Temp\2.2-pc-gdps-v1.11.2-installer.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2316

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D03CD781570F9134DC1517A1474D5E05 C
  2⤵
  - Loads dropped DLL
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2316\aboutbtn

Filesize
2KB

MD5
06232bd0fbe29745165465efa0afa76f

SHA1
a30ec5ce3a322c4fc1ae2540e0bdb0819a156b6d

SHA256
fb61ccba3eb778fdb56422e9075f88eb8bb0f89c7c4c7a947bf3b1e8805f00d8

SHA512
d8e291e07a33a82cdbfe957fbe2fd957197c0e24c52a616de3cdc6d99d748663ca773dc52bcbeb50d2dbdfa61e12a7abee0fa9429c51d86de515bd4e3f498681

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2316\applogoicon

Filesize
3KB

MD5
4c66fc57c7935bca5d67ced502e6ff60

SHA1
6346e971a8853f716d33d1dc712e3af1d8aac930

SHA256
2f04dc2cafb6eec6ab95630247187aed48c6abe27a02c592d3569da0168114ce

SHA512
ed100bafd78ea02738741e0914d1e7d0db857900fcca4ac3ffbd941c492db3e648cfd8ecf97db325b4356cf0dbac743f132e47c89f73f1b11d73ebc72343970c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2316\background

Filesize
2KB

MD5
9e23da7c3cd3fb8113e698a12a3d3047

SHA1
6d021109495d77a53afe101f2b03a4da847e6d99

SHA256
b671008e5d4a15409051d7b3d2aa40f7c028e1dab5876c2882976793abb9356c

SHA512
65e885984681cee190764515f61bb8da3c29463b87f4371fff27ae4c4089af46c9b98910a847ec29d7368160d6aaf841fb93f1347c9abc47bce5cf997c8b4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2316\buttonimgs

Filesize
1KB

MD5
6956ac5e9d5e47daeb7d147d67d9e526

SHA1
427449cf08f0c78f1bf3850565201991828e278c

SHA256
f8f4efdb34b00775638c95568761c93436812af56c8f41116f2f92a987ca9ae0

SHA512
a82f9d199e36dfcdad7393761d1cf541d67b0b70d4b31cf71ad38dab3e95b351143c1aff4adea3207d1fd1e9c3523e9b7e3cea37cb61f9f2845894c60327651c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDF96.tmp

Filesize
578KB

MD5
89afe34385ab2b63a7cb0121792be070

SHA1
56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

SHA256
36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

SHA512
14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE17A.tmp

Filesize
578KB

MD5
89afe34385ab2b63a7cb0121792be070

SHA1
56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

SHA256
36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

SHA512
14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

Download Submit
C:\Users\Admin\AppData\Roaming\user666\2.2 PC GDPS 1.11.2\install\2.2 PC GDPS v1.11.2 Installer.msi

Filesize
4.0MB

MD5
f3a7cf5997ef85999dc5df3f0476f16b

SHA1
56a8774fd6461b249923090f86984faa81b53b52

SHA256
a2d6a0fe448ddccf54894e9b2b486cbf24b2b3fbe84de1a6bfac3fbca80e1dd5

SHA512
2a478087ad77ed2813af6a7ea806a12f46d3da599799f10ae097261e81d3c01cc650ce1e6b1d48dffb228f562b79558f7946a8c30a7704a8ea049ac054b2fa4a

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDF96.tmp

Filesize
578KB

MD5
89afe34385ab2b63a7cb0121792be070

SHA1
56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

SHA256
36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

SHA512
14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

Download Submit
\Users\Admin\AppData\Local\Temp\MSIE17A.tmp

Filesize
578KB

MD5
89afe34385ab2b63a7cb0121792be070

SHA1
56cdf3f32d03aa4a175fa69a33a21aaf5b42078d

SHA256
36e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103

SHA512
14a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c

Download Submit
\Users\Admin\AppData\Roaming\user666\2.2 PC GDPS 1.11.2\install\1033.dll

Filesize
46KB

MD5
985996b25e378f667e220c9901002456

SHA1
d4c30befd7faaeb5bef23f1b5aa3b6f4fc50b42f

SHA256
8782676bd8d487f516c3733e463c1b2cbeb983bd1ae61121eecc6d1498d21f82

SHA512
eb02350f02a5984c5ba4c396e7dd90d422cc6e94d6f7842884975072dc8bef638a5c88c52dedea745db99c2ec8dc00b354ec2597b52ccd7dddb9058d09411db1

Download Submit
memory/2316-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2316-65-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download