3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd

Analysis

max time kernel
147s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe
Size

1.6MB
MD5

f2fd7dae9e4bc8cbac68a6a5a82edcdf
SHA1

f9c5a6d6ea80afbb983da65aa126b4187f2419a0
SHA256

3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd
SHA512

ce861fc951759881c59a7613cdaeb2436ae25bb14101bbb2ff62f5bbae6504d51ecad7e9d3965d7edfb644e016ada6f275b5e9b4529289f6b5ed37f91c690589
SSDEEP

24576:4l83JdN3JxEIGeAteivk4Sz9zIZZV57ql/mwgFJTYFoS0me4Ck/+xH1L01AA8wxy:L39zAZrOlmwwJTdqt+xW/t+sYHtgO

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
700	3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	MsiExec.exe
2868	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3752	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3752	MSIEXEC.EXE
Token: SeSecurityPrivilege	2448	msiexec.exe
Token: SeCreateTokenPrivilege	3752	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3752	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3752	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3752	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3752	MSIEXEC.EXE
Token: SeTcbPrivilege	3752	MSIEXEC.EXE
Token: SeSecurityPrivilege	3752	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3752	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3752	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3752	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3752	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3752	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3752	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3752	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3752	MSIEXEC.EXE
Token: SeBackupPrivilege	3752	MSIEXEC.EXE
Token: SeRestorePrivilege	3752	MSIEXEC.EXE
Token: SeShutdownPrivilege	3752	MSIEXEC.EXE
Token: SeDebugPrivilege	3752	MSIEXEC.EXE
Token: SeAuditPrivilege	3752	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3752	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3752	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3752	MSIEXEC.EXE
Token: SeUndockPrivilege	3752	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3752	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3752	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3752	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3752	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3752	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3752	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3752	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3752	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3752	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3752	MSIEXEC.EXE
Token: SeTcbPrivilege	3752	MSIEXEC.EXE
Token: SeSecurityPrivilege	3752	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3752	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3752	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3752	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3752	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3752	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3752	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3752	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3752	MSIEXEC.EXE
Token: SeBackupPrivilege	3752	MSIEXEC.EXE
Token: SeRestorePrivilege	3752	MSIEXEC.EXE
Token: SeShutdownPrivilege	3752	MSIEXEC.EXE
Token: SeDebugPrivilege	3752	MSIEXEC.EXE
Token: SeAuditPrivilege	3752	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3752	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3752	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3752	MSIEXEC.EXE
Token: SeUndockPrivilege	3752	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3752	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3752	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3752	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3752	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3752	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3752	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3752	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3752	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3752	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 700	2876	3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe	88
PID 2876 wrote to memory of 700	2876	3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe	88
PID 2876 wrote to memory of 700	2876	3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe	88
PID 700 wrote to memory of 3752	700	3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe	96
PID 700 wrote to memory of 3752	700	3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe	96
PID 700 wrote to memory of 3752	700	3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe	96
PID 2448 wrote to memory of 2868	2448	msiexec.exe	99
PID 2448 wrote to memory of 2868	2448	msiexec.exe	99
PID 2448 wrote to memory of 2868	2448	msiexec.exe	99

C:\Users\Admin\AppData\Local\Temp\3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe
"C:\Users\Admin\AppData\Local\Temp\3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\{43009D8E-8B42-4012-8655-1E64DD298CCD}\3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe
  C:\Users\Admin\AppData\Local\Temp\{43009D8E-8B42-4012-8655-1E64DD298CCD}\3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe /q"C:\Users\Admin\AppData\Local\Temp\3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{43009D8E-8B42-4012-8655-1E64DD298CCD}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{7C349C85-E355-435F-841B-DD95D51A60F5}\HP_DockAccessoryWMIProvider.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3752

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CEE8D5FC97FC6CD07BEC24DC71A350B3 C
  2⤵
  - Loads dropped DLL
  PID:2868

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Downloaded Installations\{7C349C85-E355-435F-841B-DD95D51A60F5}\HP_DockAccessoryWMIProvider.msi

Filesize
1.1MB

MD5
078b60501d9916189a2e9e0a34f1ba31

SHA1
67504dba1ceef484600676bf02a9e7891be25776

SHA256
62aca9491484301ade44ce8b6edc04630a2656dffe7e16ce54c4900d75aad53d

SHA512
aca537da7796c48cf772360d7d60f1d7aa64247b6fae435dc69ebbc17742425cba9b0788e9f34d5e76c9d657c2cbaebf96ff33b02126b3c5fe846c3da8104a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5237.tmp

Filesize
173KB

MD5
d07d2c85ea1c0af02a99b6cf78ae79ef

SHA1
3ac922fc33789b61eb62085f3e49bca6aba4b4a9

SHA256
5a36c709648e40ec1224855fb77e7420ee53e267c185f31c2c016115fba4af38

SHA512
029bed817c10eebabd39a6c819eda3d76b09c7e34d182ec31c9f7d96fed530cd35feed88891ec61b6fb0d86ba44a07bfe3882e6fb3d9f0e41d48d2a99453789a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5286.tmp

Filesize
167KB

MD5
e80f90724939d4f85fc49de2460b94b5

SHA1
512ea4deba1c97cc7ec394bce0e4a32cd497176e

SHA256
8041d3ccbafa491d35f70030c3afeba683b0235bed24f242878d04c7e87b8687

SHA512
9494f1cd058dc3923e4f562d8ed2edf3d252f519efc6db4f1b5289d8a1b841a6cb927e14d33dab98e0bd4d22a5a473b8cd9424f77213527fbe0c183126356767

Download Submit
C:\Users\Admin\AppData\Local\Temp\{43009D8E-8B42-4012-8655-1E64DD298CCD}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{43009D8E-8B42-4012-8655-1E64DD298CCD}\3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd.exe

Filesize
1.6MB

MD5
f2fd7dae9e4bc8cbac68a6a5a82edcdf

SHA1
f9c5a6d6ea80afbb983da65aa126b4187f2419a0

SHA256
3718ba20c5c578a8cbfe21d13d383be2822cfd2f346c2e65d817dbfdfea082fd

SHA512
ce861fc951759881c59a7613cdaeb2436ae25bb14101bbb2ff62f5bbae6504d51ecad7e9d3965d7edfb644e016ada6f275b5e9b4529289f6b5ed37f91c690589

Download Submit
C:\Users\Admin\AppData\Local\Temp\{43009D8E-8B42-4012-8655-1E64DD298CCD}\_ISMSIDEL.INI

Filesize
828B

MD5
8d07e5d476927875693eca2515c531e8

SHA1
ffe43e08f61f47590b7afa0a1317e297898d9e06

SHA256
7d486a354322b0f45287b7df37795f8335c799d0b4d7a517f79b96de2ab7a9a3

SHA512
14d4899048d5a7fa930ec39f06e18695381e379f9cfe2e154747026800a384dec8c5678f51e6f202d397f432f6e8d6944d50f7dc722ead0e5c799c8a15bc0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3BF2.tmp

Filesize
5KB

MD5
da995277cd11cb471f6ad99dfe735eb3

SHA1
67a7b3f463c0caa4ed889cef6d41390295c5f224

SHA256
17ebfb0fbb17c9265d78ff5397683c3331b324177da0a6a9f59b48ba44c90a49

SHA512
5a02cc0fec4ddb84dd21d5f0a50b2844633bb03218405165ae012d38e058ad3e80efce616786fac9d5c6c73a71f77b86d022ea8267dd832ce389a2cbb1b62130

Download Submit
memory/3404-72-0x0000023D05340000-0x0000023D05350000-memory.dmp

Filesize
64KB

Download
memory/3404-88-0x0000023D05440000-0x0000023D05450000-memory.dmp

Filesize
64KB

Download
memory/3404-104-0x0000023D0D780000-0x0000023D0D781000-memory.dmp

Filesize
4KB

Download
memory/3404-106-0x0000023D0D7B0000-0x0000023D0D7B1000-memory.dmp

Filesize
4KB

Download
memory/3404-107-0x0000023D0D7B0000-0x0000023D0D7B1000-memory.dmp

Filesize
4KB

Download
memory/3404-108-0x0000023D0D8C0000-0x0000023D0D8C1000-memory.dmp

Filesize
4KB

Download