Analysis
-
max time kernel
472s -
max time network
509s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
01-02-2024 11:17
General
-
Target
TS 5.17.5/setup.exe
-
Size
519KB
-
MD5
8f343990917e9436f243b013b5f8d1c1
-
SHA1
adc2000eb4cc2b7f3b4b4ccc5248ea929c0bf8eb
-
SHA256
cddccb68e072dcc325d12ea9c6bfe54a7cf55f8a7ac954e2e8ed48dda6fa0276
-
SHA512
ad0253737b149c1949e6c5fa1234ce72931c6d02ba96bb40bca8a22c896ef93e8bf1b2ac6fc7bcb454842bb4fd188d35e43e3763d0631aa5532d8395bdad33d5
-
SSDEEP
12288:fDPdsil5fCMggBIiMVO26kk+FGSeMb01JQntLOCVWU:fD1s2ts96kTNemV
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\TS 5.17.5\setup.exe"C:\Users\Admin\AppData\Local\Temp\TS 5.17.5\setup.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\TS 5.17.5\TS Setup.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4245C06E3EA936C55D47D3E5E60B6725 C2⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSI4F39.tmpFilesize
325KB
MD5f048cf239cc583f8433634acf23cae55
SHA17d3a296a05267855cc637c5bf95fe687b7a765a2
SHA2564d6efad25f62f4c34998385819e46569869b09de4d8b3f1e22dc9e8f032ed3bb
SHA512a021d559150338ef823b8749d95ac262ec13d9c9ed80d2d0d67e0d7690ae61713219a5edf88d83832ad673f0d7a1d306b49af4f07020c98bac2cfb006bcf0c53