bd936b016b13898976401db572ac3acb91b1523bdbcd98bf21cb782dbbfad496

Analysis

max time kernel
600s
max time network
605s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2023 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TechSolve.exe
Size

3.2MB
MD5

6fbe10e01d3bb0a73623148734b57e1b
SHA1

48654d09cc0d35b7866751ce9a06da9a220f4c64
SHA256

bd936b016b13898976401db572ac3acb91b1523bdbcd98bf21cb782dbbfad496
SHA512

f548cb7a8c3497884082996539ade470676713d6d186117649ab61fc837e2babcd373fd5b98f462f8cbcee7a0848fc984b023526818aba19083d6be6ce7313b6
SSDEEP

49152:ewWZPqYtQ1Rgr0CNgWFeRRaoQ2Bz9MR8GqKwHTC7SmD98aHGuR:5OP1tSqr0CNg1gn8TKwG7S1amW

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
21	636	msiexec.exe
23	636	msiexec.exe
24	636	msiexec.exe
25	636	msiexec.exe
26	636	msiexec.exe
27	636	msiexec.exe
28	636	msiexec.exe
29	636	msiexec.exe
30	636	msiexec.exe
31	636	msiexec.exe
32	636	msiexec.exe
33	636	msiexec.exe
34	636	msiexec.exe
35	636	msiexec.exe
36	636	msiexec.exe
37	636	msiexec.exe
38	636	msiexec.exe
39	636	msiexec.exe
40	636	msiexec.exe
41	636	msiexec.exe
42	636	msiexec.exe
43	636	msiexec.exe
44	636	msiexec.exe
45	636	msiexec.exe
50	636	msiexec.exe
51	636	msiexec.exe
52	636	msiexec.exe
53	636	msiexec.exe
54	636	msiexec.exe
55	636	msiexec.exe
56	636	msiexec.exe
57	636	msiexec.exe
60	636	msiexec.exe
62	636	msiexec.exe
63	636	msiexec.exe
64	636	msiexec.exe
65	636	msiexec.exe
66	636	msiexec.exe
67	636	msiexec.exe
68	636	msiexec.exe
69	636	msiexec.exe
70	636	msiexec.exe
71	636	msiexec.exe
72	636	msiexec.exe
73	636	msiexec.exe
74	636	msiexec.exe
75	636	msiexec.exe
76	636	msiexec.exe
77	636	msiexec.exe
78	636	msiexec.exe
79	636	msiexec.exe
80	636	msiexec.exe
81	636	msiexec.exe
82	636	msiexec.exe
86	636	msiexec.exe
87	636	msiexec.exe
88	636	msiexec.exe
89	636	msiexec.exe
90	636	msiexec.exe
91	636	msiexec.exe
92	636	msiexec.exe
93	636	msiexec.exe
94	636	msiexec.exe
95	636	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4460.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE77C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9633.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2D08.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC58E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD95.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1562.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CC0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6BD2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI78D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEF58.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF51F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9353.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF170.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8BCD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE635.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E51.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC9D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1EBF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE474.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI67B0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D6B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI334D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F9B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF73E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB9B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9492.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C1D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDAE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI77B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF23.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB30.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3288.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI211.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3E2C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE157.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB2B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI122.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0B9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6510.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E3F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6550.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI403F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD33.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C4E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CD1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE42B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4670.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI15DA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C19.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC39A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D7F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3626.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE395.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI29A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA21F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB0B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF6.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3212	TechSolve.exe
Token: SeIncreaseQuotaPrivilege	3212	TechSolve.exe
Token: SeSecurityPrivilege	636	msiexec.exe
Token: SeCreateTokenPrivilege	3212	TechSolve.exe
Token: SeAssignPrimaryTokenPrivilege	3212	TechSolve.exe
Token: SeLockMemoryPrivilege	3212	TechSolve.exe
Token: SeIncreaseQuotaPrivilege	3212	TechSolve.exe
Token: SeMachineAccountPrivilege	3212	TechSolve.exe
Token: SeTcbPrivilege	3212	TechSolve.exe
Token: SeSecurityPrivilege	3212	TechSolve.exe
Token: SeTakeOwnershipPrivilege	3212	TechSolve.exe
Token: SeLoadDriverPrivilege	3212	TechSolve.exe
Token: SeSystemProfilePrivilege	3212	TechSolve.exe
Token: SeSystemtimePrivilege	3212	TechSolve.exe
Token: SeProfSingleProcessPrivilege	3212	TechSolve.exe
Token: SeIncBasePriorityPrivilege	3212	TechSolve.exe
Token: SeCreatePagefilePrivilege	3212	TechSolve.exe
Token: SeCreatePermanentPrivilege	3212	TechSolve.exe
Token: SeBackupPrivilege	3212	TechSolve.exe
Token: SeRestorePrivilege	3212	TechSolve.exe
Token: SeShutdownPrivilege	3212	TechSolve.exe
Token: SeDebugPrivilege	3212	TechSolve.exe
Token: SeAuditPrivilege	3212	TechSolve.exe
Token: SeSystemEnvironmentPrivilege	3212	TechSolve.exe
Token: SeChangeNotifyPrivilege	3212	TechSolve.exe
Token: SeRemoteShutdownPrivilege	3212	TechSolve.exe
Token: SeUndockPrivilege	3212	TechSolve.exe
Token: SeSyncAgentPrivilege	3212	TechSolve.exe
Token: SeEnableDelegationPrivilege	3212	TechSolve.exe
Token: SeManageVolumePrivilege	3212	TechSolve.exe
Token: SeImpersonatePrivilege	3212	TechSolve.exe
Token: SeCreateGlobalPrivilege	3212	TechSolve.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeShutdownPrivilege	3212	TechSolve.exe
Token: SeIncreaseQuotaPrivilege	3212	TechSolve.exe
Token: SeCreateTokenPrivilege	3212	TechSolve.exe
Token: SeAssignPrimaryTokenPrivilege	3212	TechSolve.exe
Token: SeLockMemoryPrivilege	3212	TechSolve.exe
Token: SeIncreaseQuotaPrivilege	3212	TechSolve.exe
Token: SeMachineAccountPrivilege	3212	TechSolve.exe
Token: SeTcbPrivilege	3212	TechSolve.exe
Token: SeSecurityPrivilege	3212	TechSolve.exe
Token: SeTakeOwnershipPrivilege	3212	TechSolve.exe
Token: SeLoadDriverPrivilege	3212	TechSolve.exe
Token: SeSystemProfilePrivilege	3212	TechSolve.exe
Token: SeSystemtimePrivilege	3212	TechSolve.exe
Token: SeProfSingleProcessPrivilege	3212	TechSolve.exe
Token: SeIncBasePriorityPrivilege	3212	TechSolve.exe
Token: SeCreatePagefilePrivilege	3212	TechSolve.exe
Token: SeCreatePermanentPrivilege	3212	TechSolve.exe
Token: SeBackupPrivilege	3212	TechSolve.exe
Token: SeRestorePrivilege	3212	TechSolve.exe
Token: SeShutdownPrivilege	3212	TechSolve.exe
Token: SeDebugPrivilege	3212	TechSolve.exe
Token: SeAuditPrivilege	3212	TechSolve.exe
Token: SeSystemEnvironmentPrivilege	3212	TechSolve.exe
Token: SeChangeNotifyPrivilege	3212	TechSolve.exe
Token: SeRemoteShutdownPrivilege	3212	TechSolve.exe
Token: SeUndockPrivilege	3212	TechSolve.exe
Token: SeSyncAgentPrivilege	3212	TechSolve.exe
Token: SeEnableDelegationPrivilege	3212	TechSolve.exe
Token: SeManageVolumePrivilege	3212	TechSolve.exe
Token: SeImpersonatePrivilege	3212	TechSolve.exe

C:\Users\Admin\AppData\Local\Temp\TechSolve.exe
"C:\Users\Admin\AppData\Local\Temp\TechSolve.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3212-0-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3212-1-0x0000000000400000-0x0000000000740000-memory.dmp

Filesize
3.2MB

Download
memory/3212-3-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3212-7-0x0000000000400000-0x0000000000740000-memory.dmp

Filesize
3.2MB

Download