Analysis
max time kernel: 1083s
max time network: 1168s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/12/2023, 12:02

Static task: static1
Behavioral task: behavioral1
  Sample: Setup_SmoothWizard_1-0-0-7.msi
  Resource: win10v2004-20231215-en
General
Target: Setup_SmoothWizard_1-0-0-7.msi
Size: 3.3MB
MD5: 253310261c1d0d7ac2f136307d2c7761
SHA1: c68e9122f3d6a40a9418f5e1782a89c23674c937
SHA256: 92769f62cbfd2f1bd615b0976d069e839c4bb0f3ee759c316a05aa0de8fc50c9
SHA512: 468b666bd7a1150b37c2d20d5d0803f08141bcd3de5d82a7e01eb278bc62c857706656df94075d6ab1b6f9a72979b28a005a5425bfd450362a699f58f3b3fd31
SSDEEP: 98304:WWB/Pss9Mp8lzKGtL00lriLvAdAJ4sVLkbkH:d/P99MalzxlirAd4G
Malware Config
Signatures
Loads dropped DLL  2 IoCs
  pid  Process
  388  MsiExec.exe
  388  MsiExec.exe
Blocklisted process makes network request  5 IoCs
  flow  pid   Process
  10    4984  msiexec.exe
  11    4984  msiexec.exe
  14    4984  msiexec.exe
  46    4984  msiexec.exe
  48    4984  msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow  1 IoCs
  pid   Process
  4984  msiexec.exe

Suspicious use of WriteProcessMemory  3 IoCs
  description                      pid  Process      procid_target
  PID 972 wrote to memory of 388   972  msiexec.exe  103
  PID 972 wrote to memory of 388   972  msiexec.exe  103
  PID 972 wrote to memory of 388   972  msiexec.exe  103
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_SmoothWizard_1-0-0-7.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4984

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 972

  C:\Windows\syswow64\MsiExec.exe (child of PID 972)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BD6328921AC5410C6063879102ED7DA3 C
    - Loads dropped DLL
    PID: 388
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 285KB
MD5: b77a2a2768b9cc78a71bbffb9812b978
SHA1: b70e27eb446fe1c3bc8ea03dabbee2739a782e04
SHA256: f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0
SHA512: a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57