Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 28-12-2023 21:33
Static task: static1
Behavioral task: behavioral1
  Sample: f9a6de86c94cd0dee8677f209d63e99e.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: f9a6de86c94cd0dee8677f209d63e99e.exe
  Resource: win10v2004-20231215-en
General
Target: f9a6de86c94cd0dee8677f209d63e99e.exe
Size: 1.0MB
MD5: f9a6de86c94cd0dee8677f209d63e99e
SHA1: 0a49344ad81d12c9855cbc0a117b9ac119d8591a
SHA256: e5ad7ad9f3a2608383fa7620dc30edf035156b117a688d5a2f96a1de10ee0a2b
SHA512: ecec6b823b7e54933b068ef635fe2bd30eb28c2e9d7514fc710eb670af9a90c323358bccb3104e5a63cc794c1b6a48ceabe829d19257efcbca775315de2b02b5
SSDEEP: 24576:JmTe546UaAKlYJDJE3QDRtCKaVuUgwb6beDHHDDSvdiUm:JmA46VAsY3VDTG56yDHHDOlBm
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
2188  msiexec.exe
Suspicious use of AdjustPrivilegeToken (34 IoCs)
description                           pid   Process
Token: SeShutdownPrivilege            2188  msiexec.exe
Token: SeIncreaseQuotaPrivilege       2188  msiexec.exe
Token: SeRestorePrivilege             2904  msiexec.exe
Token: SeTakeOwnershipPrivilege       2904  msiexec.exe
Token: SeSecurityPrivilege            2904  msiexec.exe
Token: SeCreateTokenPrivilege         2188  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  2188  msiexec.exe
Token: SeLockMemoryPrivilege          2188  msiexec.exe
Token: SeIncreaseQuotaPrivilege       2188  msiexec.exe
Token: SeMachineAccountPrivilege      2188  msiexec.exe
Token: SeTcbPrivilege                 2188  msiexec.exe
Token: SeSecurityPrivilege            2188  msiexec.exe
Token: SeTakeOwnershipPrivilege       2188  msiexec.exe
Token: SeLoadDriverPrivilege          2188  msiexec.exe
Token: SeSystemProfilePrivilege       2188  msiexec.exe
Token: SeSystemtimePrivilege          2188  msiexec.exe
Token: SeProfSingleProcessPrivilege   2188  msiexec.exe
Token: SeIncBasePriorityPrivilege     2188  msiexec.exe
Token: SeCreatePagefilePrivilege      2188  msiexec.exe
Token: SeCreatePermanentPrivilege     2188  msiexec.exe
Token: SeBackupPrivilege              2188  msiexec.exe
Token: SeRestorePrivilege             2188  msiexec.exe
Token: SeShutdownPrivilege            2188  msiexec.exe
Token: SeDebugPrivilege               2188  msiexec.exe
Token: SeAuditPrivilege               2188  msiexec.exe
Token: SeSystemEnvironmentPrivilege   2188  msiexec.exe
Token: SeChangeNotifyPrivilege        2188  msiexec.exe
Token: SeRemoteShutdownPrivilege      2188  msiexec.exe
Token: SeUndockPrivilege              2188  msiexec.exe
Token: SeSyncAgentPrivilege           2188  msiexec.exe
Token: SeEnableDelegationPrivilege    2188  msiexec.exe
Token: SeManageVolumePrivilege        2188  msiexec.exe
Token: SeImpersonatePrivilege         2188  msiexec.exe
Token: SeCreateGlobalPrivilege        2188  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid   Process
2188  msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description                         pid   Process                               procid_target
PID 2976 wrote to memory of 2188    2976  f9a6de86c94cd0dee8677f209d63e99e.exe  28
PID 2976 wrote to memory of 2188    2976  f9a6de86c94cd0dee8677f209d63e99e.exe  28
PID 2976 wrote to memory of 2188    2976  f9a6de86c94cd0dee8677f209d63e99e.exe  28
PID 2976 wrote to memory of 2188    2976  f9a6de86c94cd0dee8677f209d63e99e.exe  28
PID 2976 wrote to memory of 2188    2976  f9a6de86c94cd0dee8677f209d63e99e.exe  28
PID 2976 wrote to memory of 2188    2976  f9a6de86c94cd0dee8677f209d63e99e.exe  28
PID 2976 wrote to memory of 2188    2976  f9a6de86c94cd0dee8677f209d63e99e.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\f9a6de86c94cd0dee8677f209d63e99e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9a6de86c94cd0dee8677f209d63e99e.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2976
  C:\Windows\SysWOW64\msiexec.exe (depth 2)
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Camtech\USB AutoRunner\install\USB AutoRunner.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\f9a6de86c94cd0dee8677f209d63e99e.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 2188
C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 2904
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 82B
  MD5: e3ec887e6d9d44859cb1937152d848c3
  SHA1: 328307d3ebd8a1882b316b570b6877d1b5ad5973
  SHA256: 82bfa8aac13c2226f8e52359f42ac9667552c56fb5b242a2d23df8ad574cb1e5
  SHA512: 4a6bdfdd581b941029089b1437db75b409fff70f85aa4913438d5ee482e05741e6e212280d86cf130f687d1af98136918d20ce7ec63ac8eefe73c3a9210733a8
File 2
  Filesize: 160KB
  MD5: f8f6acc70c6897d7cb1036073c71ed57
  SHA1: 1d106abe47e3369de0392b78d12af4e5a5b5b838
  SHA256: 5be54708d093f2156b90cf9d4ef3ee74b159001efc9786eac743b59596bc098d
  SHA512: 81581745bdf589a6409b9d31046c1a34119d6762a3c3ab028d6504cddda44dbfb4242aaaeb2e8b5ccd15e55c4099697b0c5960550851638ad8ea708fcf93a9b5