dbd561a752a9101f8110410ff891b102dfe9315616c8e4e195ea96cdf5e7eaee

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e6c9ba720edbd0647288dd63fed0596.exe
Size

785KB
MD5

5e6c9ba720edbd0647288dd63fed0596
SHA1

a8ec4f31555a56e009a19fe043ce0e133fa64183
SHA256

dbd561a752a9101f8110410ff891b102dfe9315616c8e4e195ea96cdf5e7eaee
SHA512

3c295cbdfeb35981917ec7e69901cb7e397307b401919b3cd46cc929befdbd573e885d6643ae8a1d8ebf5d90b713fda1b2bfb11fa31184f46712f81c50dd9c70
SSDEEP

24576:FmeCml14VlAhYsRhiO87WC6BEQb4HaIQ1TZBh+g+:UI4VlAhYsRq7W1qQb9/3hX+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1268	ins3DA5.tmp

Loads dropped DLL 1 IoCs

pid	Process
3536	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3924	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3924	msiexec.exe
Token: SeSecurityPrivilege	2412	msiexec.exe
Token: SeCreateTokenPrivilege	3924	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3924	msiexec.exe
Token: SeLockMemoryPrivilege	3924	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3924	msiexec.exe
Token: SeMachineAccountPrivilege	3924	msiexec.exe
Token: SeTcbPrivilege	3924	msiexec.exe
Token: SeSecurityPrivilege	3924	msiexec.exe
Token: SeTakeOwnershipPrivilege	3924	msiexec.exe
Token: SeLoadDriverPrivilege	3924	msiexec.exe
Token: SeSystemProfilePrivilege	3924	msiexec.exe
Token: SeSystemtimePrivilege	3924	msiexec.exe
Token: SeProfSingleProcessPrivilege	3924	msiexec.exe
Token: SeIncBasePriorityPrivilege	3924	msiexec.exe
Token: SeCreatePagefilePrivilege	3924	msiexec.exe
Token: SeCreatePermanentPrivilege	3924	msiexec.exe
Token: SeBackupPrivilege	3924	msiexec.exe
Token: SeRestorePrivilege	3924	msiexec.exe
Token: SeShutdownPrivilege	3924	msiexec.exe
Token: SeDebugPrivilege	3924	msiexec.exe
Token: SeAuditPrivilege	3924	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3924	msiexec.exe
Token: SeChangeNotifyPrivilege	3924	msiexec.exe
Token: SeRemoteShutdownPrivilege	3924	msiexec.exe
Token: SeUndockPrivilege	3924	msiexec.exe
Token: SeSyncAgentPrivilege	3924	msiexec.exe
Token: SeEnableDelegationPrivilege	3924	msiexec.exe
Token: SeManageVolumePrivilege	3924	msiexec.exe
Token: SeImpersonatePrivilege	3924	msiexec.exe
Token: SeCreateGlobalPrivilege	3924	msiexec.exe
Token: SeCreateTokenPrivilege	3924	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3924	msiexec.exe
Token: SeLockMemoryPrivilege	3924	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3924	msiexec.exe
Token: SeMachineAccountPrivilege	3924	msiexec.exe
Token: SeTcbPrivilege	3924	msiexec.exe
Token: SeSecurityPrivilege	3924	msiexec.exe
Token: SeTakeOwnershipPrivilege	3924	msiexec.exe
Token: SeLoadDriverPrivilege	3924	msiexec.exe
Token: SeSystemProfilePrivilege	3924	msiexec.exe
Token: SeSystemtimePrivilege	3924	msiexec.exe
Token: SeProfSingleProcessPrivilege	3924	msiexec.exe
Token: SeIncBasePriorityPrivilege	3924	msiexec.exe
Token: SeCreatePagefilePrivilege	3924	msiexec.exe
Token: SeCreatePermanentPrivilege	3924	msiexec.exe
Token: SeBackupPrivilege	3924	msiexec.exe
Token: SeRestorePrivilege	3924	msiexec.exe
Token: SeShutdownPrivilege	3924	msiexec.exe
Token: SeDebugPrivilege	3924	msiexec.exe
Token: SeAuditPrivilege	3924	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3924	msiexec.exe
Token: SeChangeNotifyPrivilege	3924	msiexec.exe
Token: SeRemoteShutdownPrivilege	3924	msiexec.exe
Token: SeUndockPrivilege	3924	msiexec.exe
Token: SeSyncAgentPrivilege	3924	msiexec.exe
Token: SeEnableDelegationPrivilege	3924	msiexec.exe
Token: SeManageVolumePrivilege	3924	msiexec.exe
Token: SeImpersonatePrivilege	3924	msiexec.exe
Token: SeCreateGlobalPrivilege	3924	msiexec.exe
Token: SeCreateTokenPrivilege	3924	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3924	msiexec.exe
Token: SeLockMemoryPrivilege	3924	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3924	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1268	1264	5e6c9ba720edbd0647288dd63fed0596.exe	14
PID 1264 wrote to memory of 1268	1264	5e6c9ba720edbd0647288dd63fed0596.exe	14
PID 1264 wrote to memory of 1268	1264	5e6c9ba720edbd0647288dd63fed0596.exe	14
PID 1268 wrote to memory of 3924	1268	ins3DA5.tmp	24
PID 1268 wrote to memory of 3924	1268	ins3DA5.tmp	24
PID 2412 wrote to memory of 3536	2412	msiexec.exe	32
PID 2412 wrote to memory of 3536	2412	msiexec.exe	32
PID 2412 wrote to memory of 3536	2412	msiexec.exe	32

C:\Users\Admin\AppData\Local\Temp\5e6c9ba720edbd0647288dd63fed0596.exe
"C:\Users\Admin\AppData\Local\Temp\5e6c9ba720edbd0647288dd63fed0596.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\ins3DA5.tmp
  "C:\Users\Admin\AppData\Local\Temp\ins3DA5.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\system32\msiexec.exe
    /i "C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd.\Rummy Royal\install\RummyRoyal_Live_ro.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ins3DA5.tmp" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3924

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCF74887D774D6DB4623F0D38462B4B6 C
  2⤵
  - Loads dropped DLL
  PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI4045.tmp

Filesize
14KB

MD5
1afa5d8db46927c210ca89b7ec81e1c7

SHA1
e5cd5b8f8afe4faf43a64d4c16d048228b9ee2fd

SHA256
e55a022de86edfd958583023e9989b94751ea36322587e047c9af642d3fb82dc

SHA512
6e860e077149e0466b267f2300ca1eba67eaee419f1bf8cc8e7ad0542472f197407b4ca6dd60632cd731ef4780a7c389bd8dedafa7e330113ef0062f188e4b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\ins3DA5.tmp

Filesize
377KB

MD5
71bd40809a59e3b79889dfddf2aa8887

SHA1
6e2fc3038f093a1f69999edc51308e539540d455

SHA256
2d9bde8edba841b6895739fe3b32c7dc1ca62c899c8f3856e95ae43da7755b88

SHA512
c1d4a5c5fbde52855010a0de646c1426c2df583fbae15c6395d766df9b9df27cc8a65181d1df8b384053783712b865de3af96f2648d95e82e48f8c0c678a2a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ins3DA5.tmp

Filesize
759KB

MD5
b331c7ea97039f7f4d99e197081bb9d0

SHA1
24ea959bb14f0bfb6a7fba16921cd00fe6931ec4

SHA256
80fe81ae5c858593247799ca3a2ad2f3f8203d86a0d19b25468684e08a13338c

SHA512
0d888f771aa473ee6d1766b9cab612bb1095ede32a662b91cc77628f8875d19656afc4a830c6d5f66b7d592a12646e8c32ae777c48b7c3530f8337920e0c1957

Download Submit