86f883bacf34f255341eafa319ae478c8ed1eb2c961eac774498632b8ec92f01

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1e494152a63898d0f9f84df930a4685fa680c04433f987f55eae0fccd1400ef.exe
Size

6.3MB
MD5

a63eaea4f134ee8c95101530e57657a3
SHA1

192af9f082351203fdd623e75daf47fdd6d1a2a6
SHA256

b1e494152a63898d0f9f84df930a4685fa680c04433f987f55eae0fccd1400ef
SHA512

00b1ed77a555482c8dfc6af0be10f61a7ad5cc32c681d3312ad44946562c4f2c9cfd24087e9f5fd18a8f05149ebcd943553c88a375a8be834c6b8af923741f25
SSDEEP

98304:g9lesPlo5CddsbAqvQdYKV4YNyACCTmKR67I+tUv76dqYInWZFLLgHZp5rqEJIxC:Ien5ciAqIaKVvNUa+42ENWXesXCwy

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2420	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
2572	MsiExec.exe
2572	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b1e494152a63898d0f9f84df930a4685fa680c04433f987f55eae0fccd1400ef.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2768	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2720	msiexec.exe
Token: SeTakeOwnershipPrivilege	2720	msiexec.exe
Token: SeSecurityPrivilege	2720	msiexec.exe
Token: SeCreateTokenPrivilege	2768	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2768	msiexec.exe
Token: SeLockMemoryPrivilege	2768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2768	msiexec.exe
Token: SeMachineAccountPrivilege	2768	msiexec.exe
Token: SeTcbPrivilege	2768	msiexec.exe
Token: SeSecurityPrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	2768	msiexec.exe
Token: SeLoadDriverPrivilege	2768	msiexec.exe
Token: SeSystemProfilePrivilege	2768	msiexec.exe
Token: SeSystemtimePrivilege	2768	msiexec.exe
Token: SeProfSingleProcessPrivilege	2768	msiexec.exe
Token: SeIncBasePriorityPrivilege	2768	msiexec.exe
Token: SeCreatePagefilePrivilege	2768	msiexec.exe
Token: SeCreatePermanentPrivilege	2768	msiexec.exe
Token: SeBackupPrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2768	msiexec.exe
Token: SeShutdownPrivilege	2768	msiexec.exe
Token: SeDebugPrivilege	2768	msiexec.exe
Token: SeAuditPrivilege	2768	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2768	msiexec.exe
Token: SeChangeNotifyPrivilege	2768	msiexec.exe
Token: SeRemoteShutdownPrivilege	2768	msiexec.exe
Token: SeUndockPrivilege	2768	msiexec.exe
Token: SeSyncAgentPrivilege	2768	msiexec.exe
Token: SeEnableDelegationPrivilege	2768	msiexec.exe
Token: SeManageVolumePrivilege	2768	msiexec.exe
Token: SeImpersonatePrivilege	2768	msiexec.exe
Token: SeCreateGlobalPrivilege	2768	msiexec.exe
Token: SeCreateTokenPrivilege	2768	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2768	msiexec.exe
Token: SeLockMemoryPrivilege	2768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2768	msiexec.exe
Token: SeMachineAccountPrivilege	2768	msiexec.exe
Token: SeTcbPrivilege	2768	msiexec.exe
Token: SeSecurityPrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	2768	msiexec.exe
Token: SeLoadDriverPrivilege	2768	msiexec.exe
Token: SeSystemProfilePrivilege	2768	msiexec.exe
Token: SeSystemtimePrivilege	2768	msiexec.exe
Token: SeProfSingleProcessPrivilege	2768	msiexec.exe
Token: SeIncBasePriorityPrivilege	2768	msiexec.exe
Token: SeCreatePagefilePrivilege	2768	msiexec.exe
Token: SeCreatePermanentPrivilege	2768	msiexec.exe
Token: SeBackupPrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2768	msiexec.exe
Token: SeShutdownPrivilege	2768	msiexec.exe
Token: SeDebugPrivilege	2768	msiexec.exe
Token: SeAuditPrivilege	2768	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2768	msiexec.exe
Token: SeChangeNotifyPrivilege	2768	msiexec.exe
Token: SeRemoteShutdownPrivilege	2768	msiexec.exe
Token: SeUndockPrivilege	2768	msiexec.exe
Token: SeSyncAgentPrivilege	2768	msiexec.exe
Token: SeEnableDelegationPrivilege	2768	msiexec.exe
Token: SeManageVolumePrivilege	2768	msiexec.exe
Token: SeImpersonatePrivilege	2768	msiexec.exe
Token: SeCreateGlobalPrivilege	2768	msiexec.exe
Token: SeCreateTokenPrivilege	2768	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2768	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2420	1588	b1e494152a63898d0f9f84df930a4685fa680c04433f987f55eae0fccd1400ef.exe	28
PID 1588 wrote to memory of 2420	1588	b1e494152a63898d0f9f84df930a4685fa680c04433f987f55eae0fccd1400ef.exe	28
PID 1588 wrote to memory of 2420	1588	b1e494152a63898d0f9f84df930a4685fa680c04433f987f55eae0fccd1400ef.exe	28
PID 1588 wrote to memory of 2420	1588	b1e494152a63898d0f9f84df930a4685fa680c04433f987f55eae0fccd1400ef.exe	28
PID 1588 wrote to memory of 2420	1588	b1e494152a63898d0f9f84df930a4685fa680c04433f987f55eae0fccd1400ef.exe	28
PID 1588 wrote to memory of 2420	1588	b1e494152a63898d0f9f84df930a4685fa680c04433f987f55eae0fccd1400ef.exe	28
PID 1588 wrote to memory of 2420	1588	b1e494152a63898d0f9f84df930a4685fa680c04433f987f55eae0fccd1400ef.exe	28
PID 2420 wrote to memory of 2768	2420	setup.exe	29
PID 2420 wrote to memory of 2768	2420	setup.exe	29
PID 2420 wrote to memory of 2768	2420	setup.exe	29
PID 2420 wrote to memory of 2768	2420	setup.exe	29
PID 2420 wrote to memory of 2768	2420	setup.exe	29
PID 2420 wrote to memory of 2768	2420	setup.exe	29
PID 2420 wrote to memory of 2768	2420	setup.exe	29
PID 2720 wrote to memory of 2572	2720	msiexec.exe	31
PID 2720 wrote to memory of 2572	2720	msiexec.exe	31
PID 2720 wrote to memory of 2572	2720	msiexec.exe	31
PID 2720 wrote to memory of 2572	2720	msiexec.exe	31
PID 2720 wrote to memory of 2572	2720	msiexec.exe	31
PID 2720 wrote to memory of 2572	2720	msiexec.exe	31
PID 2720 wrote to memory of 2572	2720	msiexec.exe	31

C:\Users\Admin\AppData\Local\Temp\b1e494152a63898d0f9f84df930a4685fa680c04433f987f55eae0fccd1400ef.exe
"C:\Users\Admin\AppData\Local\Temp\b1e494152a63898d0f9f84df930a4685fa680c04433f987f55eae0fccd1400ef.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PublisherInteractiveGuideSetupEN.msi"
    3⤵
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2768

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5CBAA474ADADA129B771DBD912A586FC C
  2⤵
  - Loads dropped DLL
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PublisherInteractiveGuideSetupEN.msi

Filesize
4.0MB

MD5
16eae58d0f8158dfa96a9441fdb6695c

SHA1
353a4db19bb609254d35666e57a68b074dad2b61

SHA256
4a690af5bd09f3d2362bc80318ecbe93fc4db2c0fe21ade30586da6f89595808

SHA512
358a28113c31ef7d2a6ecbcce254f81afbdb9c59b9c80dd79e13db658fd35fe26ba64d9749e5ee2f15cece69189128188d5505a09a6f5fc21f97a06817f4e091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe

Filesize
400KB

MD5
6d9c1d19828bfd666eedf8220cfb017e

SHA1
1b1a9745876ae02b52586da4caa12421f5c071e4

SHA256
9fd609219ccbcaf36d7d24e7bf9f81ed2a73d05fc373aad39828d364a5038bdc

SHA512
293c7e9d9713ba46c488be6d423280a4fa75e4f9f2985c5c6525662f09768816b476301003abeac7bf602d7210951d0e76b9c1d091d20e7cf4dc357bc0754e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI83B1.tmp

Filesize
231KB

MD5
5494165b1384faeefdd3d5133df92f5a

SHA1
b7b82805f1a726c4eee39152d1a6a59031d7798c

SHA256
ba0ad3a4d2112b269e379a2231128e7ebe23e95d5d04878d6ee8815e657bb055

SHA512
ecd5012df2a060fa58664e856a84716f162d3420e7a7a1368612451ec65f2dcd674c7031d780a6c9d357700f6baeb31325748bc29270850ee4070079f15be613

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads