163637b73a55ea9fd571d1b23158f9ddc7f91f602052e02cfeaaf399c855b8c2

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bfa8ef43ffa27d7a5a3e15216795a25.exe
Size

2.8MB
MD5

0bfa8ef43ffa27d7a5a3e15216795a25
SHA1

6b2544cf0d54e1e29d3b620dedd6dfececab6296
SHA256

163637b73a55ea9fd571d1b23158f9ddc7f91f602052e02cfeaaf399c855b8c2
SHA512

bb5f15588fe6c4e3412a9b96ffd0b7077b04beceed6a2f7f232ba2ca4133366d08025798085cce5fa2e7caec9d703f9c46af4ee2728101bfad2f1806c7369187
SSDEEP

49152:nRnbpZbKD4eS03aMrxkBM2u/EFbNgwFWclebK0tq6M8eIHtx8qjJ8:nRnbP03rlGru/ERB4yeto87txvji

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	0bfa8ef43ffa27d7a5a3e15216795a25.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 2 IoCs

pid	Process
1480	setup.exe
1404	dotnetchk.exe

Loads dropped DLL 2 IoCs

pid	Process
3216	MsiExec.exe
3216	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
31	4240	msiexec.exe
36	4240	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4652	0bfa8ef43ffa27d7a5a3e15216795a25.exe
4652	0bfa8ef43ffa27d7a5a3e15216795a25.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4240	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4240	msiexec.exe
Token: SeSecurityPrivilege	3252	msiexec.exe
Token: SeCreateTokenPrivilege	4240	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4240	msiexec.exe
Token: SeLockMemoryPrivilege	4240	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4240	msiexec.exe
Token: SeMachineAccountPrivilege	4240	msiexec.exe
Token: SeTcbPrivilege	4240	msiexec.exe
Token: SeSecurityPrivilege	4240	msiexec.exe
Token: SeTakeOwnershipPrivilege	4240	msiexec.exe
Token: SeLoadDriverPrivilege	4240	msiexec.exe
Token: SeSystemProfilePrivilege	4240	msiexec.exe
Token: SeSystemtimePrivilege	4240	msiexec.exe
Token: SeProfSingleProcessPrivilege	4240	msiexec.exe
Token: SeIncBasePriorityPrivilege	4240	msiexec.exe
Token: SeCreatePagefilePrivilege	4240	msiexec.exe
Token: SeCreatePermanentPrivilege	4240	msiexec.exe
Token: SeBackupPrivilege	4240	msiexec.exe
Token: SeRestorePrivilege	4240	msiexec.exe
Token: SeShutdownPrivilege	4240	msiexec.exe
Token: SeDebugPrivilege	4240	msiexec.exe
Token: SeAuditPrivilege	4240	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4240	msiexec.exe
Token: SeChangeNotifyPrivilege	4240	msiexec.exe
Token: SeRemoteShutdownPrivilege	4240	msiexec.exe
Token: SeUndockPrivilege	4240	msiexec.exe
Token: SeSyncAgentPrivilege	4240	msiexec.exe
Token: SeEnableDelegationPrivilege	4240	msiexec.exe
Token: SeManageVolumePrivilege	4240	msiexec.exe
Token: SeImpersonatePrivilege	4240	msiexec.exe
Token: SeCreateGlobalPrivilege	4240	msiexec.exe
Token: SeCreateTokenPrivilege	4240	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4240	msiexec.exe
Token: SeLockMemoryPrivilege	4240	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4240	msiexec.exe
Token: SeMachineAccountPrivilege	4240	msiexec.exe
Token: SeTcbPrivilege	4240	msiexec.exe
Token: SeSecurityPrivilege	4240	msiexec.exe
Token: SeTakeOwnershipPrivilege	4240	msiexec.exe
Token: SeLoadDriverPrivilege	4240	msiexec.exe
Token: SeSystemProfilePrivilege	4240	msiexec.exe
Token: SeSystemtimePrivilege	4240	msiexec.exe
Token: SeProfSingleProcessPrivilege	4240	msiexec.exe
Token: SeIncBasePriorityPrivilege	4240	msiexec.exe
Token: SeCreatePagefilePrivilege	4240	msiexec.exe
Token: SeCreatePermanentPrivilege	4240	msiexec.exe
Token: SeBackupPrivilege	4240	msiexec.exe
Token: SeRestorePrivilege	4240	msiexec.exe
Token: SeShutdownPrivilege	4240	msiexec.exe
Token: SeDebugPrivilege	4240	msiexec.exe
Token: SeAuditPrivilege	4240	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4240	msiexec.exe
Token: SeChangeNotifyPrivilege	4240	msiexec.exe
Token: SeRemoteShutdownPrivilege	4240	msiexec.exe
Token: SeUndockPrivilege	4240	msiexec.exe
Token: SeSyncAgentPrivilege	4240	msiexec.exe
Token: SeEnableDelegationPrivilege	4240	msiexec.exe
Token: SeManageVolumePrivilege	4240	msiexec.exe
Token: SeImpersonatePrivilege	4240	msiexec.exe
Token: SeCreateGlobalPrivilege	4240	msiexec.exe
Token: SeCreateTokenPrivilege	4240	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4240	msiexec.exe
Token: SeLockMemoryPrivilege	4240	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4240	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 1480	4652	0bfa8ef43ffa27d7a5a3e15216795a25.exe	91
PID 4652 wrote to memory of 1480	4652	0bfa8ef43ffa27d7a5a3e15216795a25.exe	91
PID 4652 wrote to memory of 1480	4652	0bfa8ef43ffa27d7a5a3e15216795a25.exe	91
PID 1480 wrote to memory of 1404	1480	setup.exe	93
PID 1480 wrote to memory of 1404	1480	setup.exe	93
PID 1480 wrote to memory of 1404	1480	setup.exe	93
PID 1480 wrote to memory of 4240	1480	setup.exe	94
PID 1480 wrote to memory of 4240	1480	setup.exe	94
PID 1480 wrote to memory of 4240	1480	setup.exe	94
PID 3252 wrote to memory of 3216	3252	msiexec.exe	97
PID 3252 wrote to memory of 3216	3252	msiexec.exe	97
PID 3252 wrote to memory of 3216	3252	msiexec.exe	97

C:\Users\Admin\AppData\Local\Temp\0bfa8ef43ffa27d7a5a3e15216795a25.exe
"C:\Users\Admin\AppData\Local\Temp\0bfa8ef43ffa27d7a5a3e15216795a25.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Users\Admin\AppData\Local\Temp\lui7FEE.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\lui7FEE.tmp\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\VSDC96A.tmp\DotNetFX\dotnetchk.exe
    "C:\Users\Admin\AppData\Local\Temp\VSDC96A.tmp\DotNetFX\dotnetchk.exe"
    3⤵
    - Executes dropped EXE
    PID:1404
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\lui7FEE.tmp\MorphJuniorInstaller.msi"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4240

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3F086972BD275A5BF4E0C2AB48E041D4 C
  2⤵
  - Loads dropped DLL
  PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_B3A886FA3C8164A3F02FCB44EE73FFCA

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEF32.tmp

Filesize
222KB

MD5
fb4ed24de182178cac3cd3870a4ba5b6

SHA1
38b168fbe97b72a5de5eaef16535ea1aed964e1b

SHA256
5070b4cdf7e2f95535f3340a3a0d9bce496478d0bd445b470dd67278a910c578

SHA512
03ffa685a28333cc7d8eb4a0fdd8c5dce85ca1126bcdefebda83a91586b98ae559d56074b943a6df0ec011eaa58b6841026ffb8b42e08b74351b0118011d3c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSDC96A.tmp\DotNetFX\dotnetchk.exe

Filesize
86KB

MD5
289df668f70cd5cdfe36fea4b491fa28

SHA1
6d78099c40542b11771389fa38938724905167f2

SHA256
2e643745991bac3e5ec460b0bbbe2002f433c77a82514122b31708302ecc9306

SHA512
b7d115d34f9e4ad73f89c04221855b3f3c6dac4b009c7d5b268cfcf651ea4cbd9588ab7a690392b1d1a4afae3b47d3d20bf1ff4f98a2bbfefed1c4cef7d04499

Download Submit
C:\Users\Admin\AppData\Local\Temp\lui7FEE.tmp\MorphJuniorInstaller.msi

Filesize
2.7MB

MD5
217a00528ef186c898f8141c225d059c

SHA1
aa0d72a233a0c7d5b2c2dde3ac2f21f58bbf9fec

SHA256
b189000d72aacee31857ffa8548e7d4810f36550f984a3a348754a457aad6da8

SHA512
f3740065b925fa57ef4e0488970ffe4827a6d66b78d4469ab186e25ee5cbab7e615d179286cf57917f49da487b688cf10bf26011ab408257e8f3cf3f017f1fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lui7FEE.tmp\setup.exe

Filesize
476KB

MD5
50b23ffb50b5982cd3bf637b59607c71

SHA1
da21fe32ffe21aa3cb977859063917d77a999c0b

SHA256
6455fa611d74d5d194828613882b66389cb27c5b9a33348af9edffa55eb8dfe4

SHA512
dc2e808ae3bb3ea5fa76622b70f911d563c4760c9ddb066edb5c370f5fa0c051cd52fbb62d7d10dc84d239246e3f951eedee9ef0deb7082d9015f8ccdcd7bc06

Download Submit