dbd561a752a9101f8110410ff891b102dfe9315616c8e4e195ea96cdf5e7eaee

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e6c9ba720edbd0647288dd63fed0596.exe
Size

785KB
MD5

5e6c9ba720edbd0647288dd63fed0596
SHA1

a8ec4f31555a56e009a19fe043ce0e133fa64183
SHA256

dbd561a752a9101f8110410ff891b102dfe9315616c8e4e195ea96cdf5e7eaee
SHA512

3c295cbdfeb35981917ec7e69901cb7e397307b401919b3cd46cc929befdbd573e885d6643ae8a1d8ebf5d90b713fda1b2bfb11fa31184f46712f81c50dd9c70
SSDEEP

24576:FmeCml14VlAhYsRhiO87WC6BEQb4HaIQ1TZBh+g+:UI4VlAhYsRq7W1qQb9/3hX+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1752	ins957C.tmp

Loads dropped DLL 2 IoCs

pid	Process
2252	5e6c9ba720edbd0647288dd63fed0596.exe
1960	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2248	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2092	msiexec.exe
Token: SeTakeOwnershipPrivilege	2092	msiexec.exe
Token: SeSecurityPrivilege	2092	msiexec.exe
Token: SeCreateTokenPrivilege	2248	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2248	msiexec.exe
Token: SeLockMemoryPrivilege	2248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2248	msiexec.exe
Token: SeMachineAccountPrivilege	2248	msiexec.exe
Token: SeTcbPrivilege	2248	msiexec.exe
Token: SeSecurityPrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeLoadDriverPrivilege	2248	msiexec.exe
Token: SeSystemProfilePrivilege	2248	msiexec.exe
Token: SeSystemtimePrivilege	2248	msiexec.exe
Token: SeProfSingleProcessPrivilege	2248	msiexec.exe
Token: SeIncBasePriorityPrivilege	2248	msiexec.exe
Token: SeCreatePagefilePrivilege	2248	msiexec.exe
Token: SeCreatePermanentPrivilege	2248	msiexec.exe
Token: SeBackupPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeShutdownPrivilege	2248	msiexec.exe
Token: SeDebugPrivilege	2248	msiexec.exe
Token: SeAuditPrivilege	2248	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2248	msiexec.exe
Token: SeChangeNotifyPrivilege	2248	msiexec.exe
Token: SeRemoteShutdownPrivilege	2248	msiexec.exe
Token: SeUndockPrivilege	2248	msiexec.exe
Token: SeSyncAgentPrivilege	2248	msiexec.exe
Token: SeEnableDelegationPrivilege	2248	msiexec.exe
Token: SeManageVolumePrivilege	2248	msiexec.exe
Token: SeImpersonatePrivilege	2248	msiexec.exe
Token: SeCreateGlobalPrivilege	2248	msiexec.exe
Token: SeCreateTokenPrivilege	2248	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2248	msiexec.exe
Token: SeLockMemoryPrivilege	2248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2248	msiexec.exe
Token: SeMachineAccountPrivilege	2248	msiexec.exe
Token: SeTcbPrivilege	2248	msiexec.exe
Token: SeSecurityPrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeLoadDriverPrivilege	2248	msiexec.exe
Token: SeSystemProfilePrivilege	2248	msiexec.exe
Token: SeSystemtimePrivilege	2248	msiexec.exe
Token: SeProfSingleProcessPrivilege	2248	msiexec.exe
Token: SeIncBasePriorityPrivilege	2248	msiexec.exe
Token: SeCreatePagefilePrivilege	2248	msiexec.exe
Token: SeCreatePermanentPrivilege	2248	msiexec.exe
Token: SeBackupPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeShutdownPrivilege	2248	msiexec.exe
Token: SeDebugPrivilege	2248	msiexec.exe
Token: SeAuditPrivilege	2248	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2248	msiexec.exe
Token: SeChangeNotifyPrivilege	2248	msiexec.exe
Token: SeRemoteShutdownPrivilege	2248	msiexec.exe
Token: SeUndockPrivilege	2248	msiexec.exe
Token: SeSyncAgentPrivilege	2248	msiexec.exe
Token: SeEnableDelegationPrivilege	2248	msiexec.exe
Token: SeManageVolumePrivilege	2248	msiexec.exe
Token: SeImpersonatePrivilege	2248	msiexec.exe
Token: SeCreateGlobalPrivilege	2248	msiexec.exe
Token: SeCreateTokenPrivilege	2248	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2248	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1752	2252	5e6c9ba720edbd0647288dd63fed0596.exe	28
PID 2252 wrote to memory of 1752	2252	5e6c9ba720edbd0647288dd63fed0596.exe	28
PID 2252 wrote to memory of 1752	2252	5e6c9ba720edbd0647288dd63fed0596.exe	28
PID 2252 wrote to memory of 1752	2252	5e6c9ba720edbd0647288dd63fed0596.exe	28
PID 2252 wrote to memory of 1752	2252	5e6c9ba720edbd0647288dd63fed0596.exe	28
PID 2252 wrote to memory of 1752	2252	5e6c9ba720edbd0647288dd63fed0596.exe	28
PID 2252 wrote to memory of 1752	2252	5e6c9ba720edbd0647288dd63fed0596.exe	28
PID 1752 wrote to memory of 2248	1752	ins957C.tmp	29
PID 1752 wrote to memory of 2248	1752	ins957C.tmp	29
PID 1752 wrote to memory of 2248	1752	ins957C.tmp	29
PID 1752 wrote to memory of 2248	1752	ins957C.tmp	29
PID 1752 wrote to memory of 2248	1752	ins957C.tmp	29
PID 1752 wrote to memory of 2248	1752	ins957C.tmp	29
PID 1752 wrote to memory of 2248	1752	ins957C.tmp	29
PID 2092 wrote to memory of 1960	2092	msiexec.exe	31
PID 2092 wrote to memory of 1960	2092	msiexec.exe	31
PID 2092 wrote to memory of 1960	2092	msiexec.exe	31
PID 2092 wrote to memory of 1960	2092	msiexec.exe	31
PID 2092 wrote to memory of 1960	2092	msiexec.exe	31
PID 2092 wrote to memory of 1960	2092	msiexec.exe	31
PID 2092 wrote to memory of 1960	2092	msiexec.exe	31

C:\Users\Admin\AppData\Local\Temp\5e6c9ba720edbd0647288dd63fed0596.exe
"C:\Users\Admin\AppData\Local\Temp\5e6c9ba720edbd0647288dd63fed0596.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\ins957C.tmp
  "C:\Users\Admin\AppData\Local\Temp\ins957C.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\system32\msiexec.exe
    /i "C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd.\Rummy Royal\install\RummyRoyal_Live_ro.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ins957C.tmp" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2248

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89A874572717F1F442C9B7F6DBF371D9 C
  2⤵
  - Loads dropped DLL
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI9AF8.tmp

Filesize
14KB

MD5
1afa5d8db46927c210ca89b7ec81e1c7

SHA1
e5cd5b8f8afe4faf43a64d4c16d048228b9ee2fd

SHA256
e55a022de86edfd958583023e9989b94751ea36322587e047c9af642d3fb82dc

SHA512
6e860e077149e0466b267f2300ca1eba67eaee419f1bf8cc8e7ad0542472f197407b4ca6dd60632cd731ef4780a7c389bd8dedafa7e330113ef0062f188e4b24

Download Submit
C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd\Rummy Royal\install\RummyRoyal_Live_ro.msi

Filesize
307KB

MD5
2e9658e4e518430e1e541300096c156c

SHA1
23ff9b3a29e67c41dbca34bc64e053fdbb11d0aa

SHA256
de07612cf1ac248e6f3b4055889904b358eed8bc0be3182f109826154da61ff6

SHA512
ebef6305892e11ac11adf13700a952774b125073df3b70949b2588a647235b5e166d61b7f6096e11eec2c28fc7393e1534d0fcd095361332870af53d9923374f

Download Submit
\Users\Admin\AppData\Local\Temp\ins957C.tmp

Filesize
759KB

MD5
b331c7ea97039f7f4d99e197081bb9d0

SHA1
24ea959bb14f0bfb6a7fba16921cd00fe6931ec4

SHA256
80fe81ae5c858593247799ca3a2ad2f3f8203d86a0d19b25468684e08a13338c

SHA512
0d888f771aa473ee6d1766b9cab612bb1095ede32a662b91cc77628f8875d19656afc4a830c6d5f66b7d592a12646e8c32ae777c48b7c3530f8337920e0c1957

Download Submit