Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 12/01/2024, 23:19
Static task: static1
Behavioral task: behavioral1
- Sample: 3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe
- Resource: win10v2004-20231222-en
General
- Target: 3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe
- Size: 1.6MB
- MD5: f2fd7dae9e4bc8cbac68a6a5a82edcdf
- SHA1: f9c5a6d6ea80afbb983da65aa126b4187f2419a0
- SHA256: 3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd
- SHA512: ce861fc951759881c59a7613cdaeb2436ae25bb14101bbb2ff62f5bbae6504d51ecad7e9d3965d7edfb644e016ada6f275b5e9b4529289f6b5ed37f91c690589
- SSDEEP: 24576:4l83JdN3JxEIGeAteivk4Sz9zIZZV57ql/mwgFJTYFoS0me4Ck/+xH1L01AA8wxy:L39zAZrOlmwwJTdqt+xW/t+sYHtgO
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by MSIEXEC.EXE: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Executes dropped EXE (1 IoC)
  PID 2548: 3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe
- Loads dropped DLL (3 IoCs)
  PID 2220: 3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe
  PID 2496: MsiExec.exe (two entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1700: MSIEXEC.EXE
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token privileges adjusted, grouped by process:
  msiexec.exe (PID 2628): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  MSIEXEC.EXE (PID 1700): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, followed by the following 29-privilege sequence recorded twice in a row: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege; then SeCreateTokenPrivilege once more
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 1700: MSIEXEC.EXE
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 2220 (3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe) wrote to memory of 2548 (procid_target 28), 7 entries
  PID 2548 (3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe) wrote to memory of 1700 (procid_target 29), 7 entries
  PID 2628 (msiexec.exe) wrote to memory of 2496 (procid_target 31), 7 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2220
  - C:\Users\Admin\AppData\Local\Temp\{B705813C-3411-42D1-ACEE-0E1A9EFD216A}\3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{B705813C-3411-42D1-ACEE-0E1A9EFD216A}\3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe /q"C:\Users\Admin\AppData\Local\Temp\3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{B705813C-3411-42D1-ACEE-0E1A9EFD216A}" /IS_temp
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2548
    - C:\Windows\SysWOW64\MSIEXEC.EXE
      Command line: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{7C349C85-E355-435F-841B-DD95D51A60F5}\HP_DockAccessoryWMIProvider.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe"
      - Enumerates connected drives
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID: 1700
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2628
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F35227124EDB1C6EF47DA0593C8181F8 C
    - Loads dropped DLL
    PID: 2496
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Downloaded Installations\{7C349C85-E355-435F-841B-DD95D51A60F5}\HP_DockAccessoryWMIProvider.msi
  Filesize: 1.1MB
- Filesize: 173KB
- Filesize: 167KB
- Filesize: 21KB
- Filesize: 828B
- Filesize: 5KB
- \Users\Admin\AppData\Local\Temp\{B705813C-3411-42D1-ACEE-0E1A9EFD216A}\3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe
  Filesize: 1.6MB