Analysis
- max time kernel: 472s
- max time network: 509s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-02-2024 11:17
Static task: static1
Behavioral task: behavioral1
- Sample: TS 5.17.5/TS Setup.msi
- Resource: win10v2004-20231215-en
Behavioral task: behavioral2
- Sample: TS 5.17.5/setup.exe
- Resource: win10v2004-20231215-en
General
- Target: TS 5.17.5/setup.exe
- Size: 519KB
- MD5: 8f343990917e9436f243b013b5f8d1c1
- SHA1: adc2000eb4cc2b7f3b4b4ccc5248ea929c0bf8eb
- SHA256: cddccb68e072dcc325d12ea9c6bfe54a7cf55f8a7ac954e2e8ed48dda6fa0276
- SHA512: ad0253737b149c1949e6c5fa1234ce72931c6d02ba96bb40bca8a22c896ef93e8bf1b2ac6fc7bcb454842bb4fd188d35e43e3763d0631aa5532d8395bdad33d5
- SSDEEP: 12288:fDPdsil5fCMggBIiMVO26kk+FGSeMb01JQntLOCVWU:fD1s2ts96kTNemV
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: setup.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation (setup.exe)
- Loads dropped DLL (2 IoCs)
  Processes: MsiExec.exe
  pid 1124 MsiExec.exe
  pid 1124 MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: msiexec.exe
  pid 400 msiexec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: setup.exe, msiexec.exe
  PID 4260 setup.exe wrote to memory of PID 400 msiexec.exe
  PID 4260 setup.exe wrote to memory of PID 400 msiexec.exe
  PID 4260 setup.exe wrote to memory of PID 400 msiexec.exe
  PID 3708 msiexec.exe wrote to memory of PID 1124 MsiExec.exe
  PID 3708 msiexec.exe wrote to memory of PID 1124 MsiExec.exe
  PID 3708 msiexec.exe wrote to memory of PID 1124 MsiExec.exe
Processes
- Level 1: "C:\Users\Admin\AppData\Local\Temp\TS 5.17.5\setup.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Level 2: "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\TS 5.17.5\TS Setup.msi"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- Level 1: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\syswow64\MsiExec.exe -Embedding 4245C06E3EA936C55D47D3E5E60B6725 C
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSI4F39.tmp
  Filesize: 325KB
  MD5: f048cf239cc583f8433634acf23cae55
  SHA1: 7d3a296a05267855cc637c5bf95fe687b7a765a2
  SHA256: 4d6efad25f62f4c34998385819e46569869b09de4d8b3f1e22dc9e8f032ed3bb
  SHA512: a021d559150338ef823b8749d95ac262ec13d9c9ed80d2d0d67e0d7690ae61713219a5edf88d83832ad673f0d7a1d306b49af4f07020c98bac2cfb006bcf0c53