670f7cee25aaba5c1f3bfbb4f024eaf394304b87928c96531d7393cf9730fa58

Analysis

max time kernel
144s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AcerDisplayWidget_Setup_v402.exe
Size

2.4MB
MD5

afe24df14339b0f48595819a92184550
SHA1

aae435cdfce1c456c1bcccb9fc471a43a01ca432
SHA256

52bd445d38590a3f986f20618f9b419eb06f38098d8aa0c929364c9a4ea22848
SHA512

b405329a081fcefa025eae6c47faaaeef1c9aa8d78d8024c526b32d116e2f0d07c85c304781534200a8c365c115c8ebca3f3ec6c68812cb65774a8996fab37de
SSDEEP

49152:/XTwCzbCMN9HmwFWHIAHerVBRN4PxP8kL/Ln03:/XrN9HPQIqsR

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe
2396	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
29	2396	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\N:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\O:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\Q:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\X:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\J:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\Z:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\Y:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\L:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\S:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\T:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\R:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\V:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\W:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\E:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\H:	AcerDisplayWidget_Setup_v402.exe
File opened (read-only)	\??\P:	AcerDisplayWidget_Setup_v402.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	AcerDisplayWidget_Setup_v402.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	AcerDisplayWidget_Setup_v402.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4380	msiexec.exe
Token: SeCreateTokenPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeAssignPrimaryTokenPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeLockMemoryPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeIncreaseQuotaPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeMachineAccountPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeTcbPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeSecurityPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeTakeOwnershipPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeLoadDriverPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeSystemProfilePrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeSystemtimePrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeProfSingleProcessPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeIncBasePriorityPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeCreatePagefilePrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeCreatePermanentPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeBackupPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeRestorePrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeShutdownPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeDebugPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeAuditPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeSystemEnvironmentPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeChangeNotifyPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeRemoteShutdownPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeUndockPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeSyncAgentPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeEnableDelegationPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeManageVolumePrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeImpersonatePrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeCreateGlobalPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeCreateTokenPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeAssignPrimaryTokenPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeLockMemoryPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeIncreaseQuotaPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeMachineAccountPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeTcbPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeSecurityPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeTakeOwnershipPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeLoadDriverPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeSystemProfilePrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeSystemtimePrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeProfSingleProcessPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeIncBasePriorityPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeCreatePagefilePrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeCreatePermanentPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeBackupPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeRestorePrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeShutdownPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeDebugPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeAuditPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeSystemEnvironmentPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeChangeNotifyPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeRemoteShutdownPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeUndockPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeSyncAgentPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeEnableDelegationPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeManageVolumePrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeImpersonatePrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeCreateGlobalPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeCreateTokenPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeAssignPrimaryTokenPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeLockMemoryPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeIncreaseQuotaPrivilege	2180	AcerDisplayWidget_Setup_v402.exe
Token: SeMachineAccountPrivilege	2180	AcerDisplayWidget_Setup_v402.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 2396	4380	msiexec.exe	90
PID 4380 wrote to memory of 2396	4380	msiexec.exe	90
PID 4380 wrote to memory of 2396	4380	msiexec.exe	90

C:\Users\Admin\AppData\Local\Temp\AcerDisplayWidget_Setup_v402.exe
"C:\Users\Admin\AppData\Local\Temp\AcerDisplayWidget_Setup_v402.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0B2A0FED5080B92C6D982AD846CED1E7 C
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2180\dialog

Filesize
36KB

MD5
abf1076064505dee794fa7aed67252b8

SHA1
358d4e501bb3007feece82a4039cc1050f23fab4

SHA256
fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73

SHA512
9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7E87.tmp

Filesize
216KB

MD5
d261a064a6612a2b5f8774e55d49e8bb

SHA1
a4ac194b86202bc8ad412a642f42ce1aeca2c433

SHA256
83a68300f22fa9f45fea46e16aada7887c3b8b09cef3faf098c30b428e6a4629

SHA512
2857e9422de455ec3351bc61a62f2d1e49a29112efdadf30f84d7920c2867b2bb20bdb43e8f4346b5004e8ee8612cedd098ebb4b66dc6ba8a2fff718e0154238

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7F73.tmp

Filesize
375KB

MD5
1d5bf0c2a610dd324f0e1990cdf3b65f

SHA1
c94c6f943b0fad5a05351a2fd62e93e75b17faad

SHA256
3b16c4678f727d35db5e033883cd943e8bb0b84ee15afeb18cf796ae2372e1e9

SHA512
73ae2bcc83ad67f41f416f295d516d45c7786b3f09276ff9c1c611b151d1e8f1ee1bff80ff2c966a2746e1ced2c888dd70b9fe10ae42563ace09c42076a3bc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8738.tmp

Filesize
377KB

MD5
197b1bdd8ca8123d3d4a9445e2a8859c

SHA1
f1ed85a054d63c4bf9006bd75062549179b9d776

SHA256
b10fbfbcf69cbf5f728e508dbfdde40cfe045e8b7a8e58e4e1b0f05150ede90a

SHA512
e7d711f8c1f87ab59bfcd50944082ad49e87c3457ff93188f99c171b5d788941af22480e65957936263bd9fbd3179dbeb84532b3dd5b2086bcdb8dee21af4cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi8792.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi87C2.tmp

Filesize
81KB

MD5
125b0f6bf378358e4f9c837ff6682d94

SHA1
8715beb626e0f4bd79a14819cc0f90b81a2e58ad

SHA256
e99eab3c75989b519f7f828373042701329acbd8ceadf4f3ff390f346ac76193

SHA512
b63bb6bfda70d42472868b5a1d3951cf9b2e00a7fadb08c1f599151a1801a19f5a75cfc3ace94c952cfd284eb261c7d6f11be0ebbcaa701b75036d3a6b442db2

Download Submit