670f7cee25aaba5c1f3bfbb4f024eaf394304b87928c96531d7393cf9730fa58

Analysis

max time kernel
120s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AcerDisplayWidget_Setup_v402.exe
Size

2.4MB
MD5

afe24df14339b0f48595819a92184550
SHA1

aae435cdfce1c456c1bcccb9fc471a43a01ca432
SHA256

52bd445d38590a3f986f20618f9b419eb06f38098d8aa0c929364c9a4ea22848
SHA512

b405329a081fcefa025eae6c47faaaeef1c9aa8d78d8024c526b32d116e2f0d07c85c304781534200a8c365c115c8ebca3f3ec6c68812cb65774a8996fab37de
SSDEEP

49152:/XTwCzbCMN9HmwFWHIAHerVBRN4PxP8kL/Ln03:/XrN9HPQIqsR

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2432	MsiExec.exe
2432	MsiExec.exe
2432	MsiExec.exe
2432	MsiExec.exe
2432	MsiExec.exe
2432	MsiExec.exe
2432	MsiExec.exe
2432	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	2432	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\S:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\U:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\V:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\W:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\L:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\I:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\X:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\J:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\K:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\N:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\Q:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\T:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\Z:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\M:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\P:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\Y:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\O:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	AcerDisplayWidget_Setup_v402.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	AcerDisplayWidget_Setup_v402.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1756	AcerDisplayWidget_Setup_v402.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeSecurityPrivilege	2684	msiexec.exe
Token: SeCreateTokenPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeAssignPrimaryTokenPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeLockMemoryPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeIncreaseQuotaPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeMachineAccountPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeTcbPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeSecurityPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeTakeOwnershipPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeLoadDriverPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeSystemProfilePrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeSystemtimePrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeProfSingleProcessPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeIncBasePriorityPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeCreatePagefilePrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeCreatePermanentPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeBackupPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeRestorePrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeShutdownPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeDebugPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeAuditPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeSystemEnvironmentPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeChangeNotifyPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeRemoteShutdownPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeUndockPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeSyncAgentPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeEnableDelegationPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeManageVolumePrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeImpersonatePrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeCreateGlobalPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeCreateTokenPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeAssignPrimaryTokenPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeLockMemoryPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeIncreaseQuotaPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeMachineAccountPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeTcbPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeSecurityPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeTakeOwnershipPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeLoadDriverPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeSystemProfilePrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeSystemtimePrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeProfSingleProcessPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeIncBasePriorityPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeCreatePagefilePrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeCreatePermanentPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeBackupPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeRestorePrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeShutdownPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeDebugPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeAuditPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeSystemEnvironmentPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeChangeNotifyPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeRemoteShutdownPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeUndockPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeSyncAgentPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeEnableDelegationPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeManageVolumePrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeImpersonatePrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeCreateGlobalPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeCreateTokenPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeAssignPrimaryTokenPrivilege	1756	AcerDisplayWidget_Setup_v402.exe
Token: SeLockMemoryPrivilege	1756	AcerDisplayWidget_Setup_v402.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2432	2684	msiexec.exe	29
PID 2684 wrote to memory of 2432	2684	msiexec.exe	29
PID 2684 wrote to memory of 2432	2684	msiexec.exe	29
PID 2684 wrote to memory of 2432	2684	msiexec.exe	29
PID 2684 wrote to memory of 2432	2684	msiexec.exe	29
PID 2684 wrote to memory of 2432	2684	msiexec.exe	29
PID 2684 wrote to memory of 2432	2684	msiexec.exe	29

C:\Users\Admin\AppData\Local\Temp\AcerDisplayWidget_Setup_v402.exe
"C:\Users\Admin\AppData\Local\Temp\AcerDisplayWidget_Setup_v402.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A58EC1D0AC5E52F5A0AAADA73C0F43CF C
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1756\dialog

Filesize
36KB

MD5
abf1076064505dee794fa7aed67252b8

SHA1
358d4e501bb3007feece82a4039cc1050f23fab4

SHA256
fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73

SHA512
9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab62DA.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI666B.tmp

Filesize
216KB

MD5
d261a064a6612a2b5f8774e55d49e8bb

SHA1
a4ac194b86202bc8ad412a642f42ce1aeca2c433

SHA256
83a68300f22fa9f45fea46e16aada7887c3b8b09cef3faf098c30b428e6a4629

SHA512
2857e9422de455ec3351bc61a62f2d1e49a29112efdadf30f84d7920c2867b2bb20bdb43e8f4346b5004e8ee8612cedd098ebb4b66dc6ba8a2fff718e0154238

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI67E2.tmp

Filesize
95KB

MD5
d9c2e8b05556f5b53d2a944e5ab8484d

SHA1
2919b22581861c077ad56e05b9924db3670e822b

SHA256
5728ba8a164e6cb9d29412b0ce9f2572db2beb98afa2edab9072baf3e292204a

SHA512
424602285ae449de58cf0962cfcf0a88a91c6a0d2300bf94af5247262c4b14f75fd0a9510410457e5cb4bbf1223e22f4381804e83eb14036fd29fabe36eeb4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6FE2.tmp

Filesize
377KB

MD5
197b1bdd8ca8123d3d4a9445e2a8859c

SHA1
f1ed85a054d63c4bf9006bd75062549179b9d776

SHA256
b10fbfbcf69cbf5f728e508dbfdde40cfe045e8b7a8e58e4e1b0f05150ede90a

SHA512
e7d711f8c1f87ab59bfcd50944082ad49e87c3457ff93188f99c171b5d788941af22480e65957936263bd9fbd3179dbeb84532b3dd5b2086bcdb8dee21af4cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI707F.tmp

Filesize
375KB

MD5
1d5bf0c2a610dd324f0e1990cdf3b65f

SHA1
c94c6f943b0fad5a05351a2fd62e93e75b17faad

SHA256
3b16c4678f727d35db5e033883cd943e8bb0b84ee15afeb18cf796ae2372e1e9

SHA512
73ae2bcc83ad67f41f416f295d516d45c7786b3f09276ff9c1c611b151d1e8f1ee1bff80ff2c966a2746e1ced2c888dd70b9fe10ae42563ace09c42076a3bc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6369.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1756-0-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1756-128-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download