56eff77b029b5f56c47d11fe58878627065dbeacbc3108d50d98a83420152c2b

Analysis

max time kernel
136s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QuickTimeInstaller.exe
Size

40.0MB
MD5

1a762049bef7fc3a53014833757de2d2
SHA1

e906b9b585a02c08270316fd21f8f5ce0081526a
SHA256

56eff77b029b5f56c47d11fe58878627065dbeacbc3108d50d98a83420152c2b
SHA512

b030994a6a0bab58ca135205770cc5bfd1830628573116836b30c7865b91314be767a5b6453a143464bddda263dd3487b763209bee6f1eb94240de74a2613c8e
SSDEEP

786432:ypGoHCbrFwMp9H25FtfGhJ4wNvMpZzSPwjs9jNdpS1o0K9:yPinmMeQhJhCV49hG1o/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2676	QuickTimeInstallerAdmin.exe

Loads dropped DLL 7 IoCs

pid	Process
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe
5040	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
24	1572	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5040	MsiExec.exe
5040	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4776	QuickTimeInstaller.exe
Token: SeIncBasePriorityPrivilege	4776	QuickTimeInstaller.exe
Token: SeShutdownPrivilege	1572	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1572	msiexec.exe
Token: SeSecurityPrivilege	4372	msiexec.exe
Token: SeCreateTokenPrivilege	1572	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1572	msiexec.exe
Token: SeLockMemoryPrivilege	1572	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1572	msiexec.exe
Token: SeMachineAccountPrivilege	1572	msiexec.exe
Token: SeTcbPrivilege	1572	msiexec.exe
Token: SeSecurityPrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeLoadDriverPrivilege	1572	msiexec.exe
Token: SeSystemProfilePrivilege	1572	msiexec.exe
Token: SeSystemtimePrivilege	1572	msiexec.exe
Token: SeProfSingleProcessPrivilege	1572	msiexec.exe
Token: SeIncBasePriorityPrivilege	1572	msiexec.exe
Token: SeCreatePagefilePrivilege	1572	msiexec.exe
Token: SeCreatePermanentPrivilege	1572	msiexec.exe
Token: SeBackupPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeShutdownPrivilege	1572	msiexec.exe
Token: SeDebugPrivilege	1572	msiexec.exe
Token: SeAuditPrivilege	1572	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1572	msiexec.exe
Token: SeChangeNotifyPrivilege	1572	msiexec.exe
Token: SeRemoteShutdownPrivilege	1572	msiexec.exe
Token: SeUndockPrivilege	1572	msiexec.exe
Token: SeSyncAgentPrivilege	1572	msiexec.exe
Token: SeEnableDelegationPrivilege	1572	msiexec.exe
Token: SeManageVolumePrivilege	1572	msiexec.exe
Token: SeImpersonatePrivilege	1572	msiexec.exe
Token: SeCreateGlobalPrivilege	1572	msiexec.exe
Token: SeCreateTokenPrivilege	1572	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1572	msiexec.exe
Token: SeLockMemoryPrivilege	1572	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1572	msiexec.exe
Token: SeMachineAccountPrivilege	1572	msiexec.exe
Token: SeTcbPrivilege	1572	msiexec.exe
Token: SeSecurityPrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeLoadDriverPrivilege	1572	msiexec.exe
Token: SeSystemProfilePrivilege	1572	msiexec.exe
Token: SeSystemtimePrivilege	1572	msiexec.exe
Token: SeProfSingleProcessPrivilege	1572	msiexec.exe
Token: SeIncBasePriorityPrivilege	1572	msiexec.exe
Token: SeCreatePagefilePrivilege	1572	msiexec.exe
Token: SeCreatePermanentPrivilege	1572	msiexec.exe
Token: SeBackupPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeShutdownPrivilege	1572	msiexec.exe
Token: SeDebugPrivilege	1572	msiexec.exe
Token: SeAuditPrivilege	1572	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1572	msiexec.exe
Token: SeChangeNotifyPrivilege	1572	msiexec.exe
Token: SeRemoteShutdownPrivilege	1572	msiexec.exe
Token: SeUndockPrivilege	1572	msiexec.exe
Token: SeSyncAgentPrivilege	1572	msiexec.exe
Token: SeEnableDelegationPrivilege	1572	msiexec.exe
Token: SeManageVolumePrivilege	1572	msiexec.exe
Token: SeImpersonatePrivilege	1572	msiexec.exe
Token: SeCreateGlobalPrivilege	1572	msiexec.exe
Token: SeCreateTokenPrivilege	1572	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1572	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 1572	4776	QuickTimeInstaller.exe	92
PID 4776 wrote to memory of 1572	4776	QuickTimeInstaller.exe	92
PID 4776 wrote to memory of 1572	4776	QuickTimeInstaller.exe	92
PID 4372 wrote to memory of 5040	4372	msiexec.exe	95
PID 4372 wrote to memory of 5040	4372	msiexec.exe	95
PID 4372 wrote to memory of 5040	4372	msiexec.exe	95
PID 5040 wrote to memory of 2676	5040	MsiExec.exe	106
PID 5040 wrote to memory of 2676	5040	MsiExec.exe	106
PID 5040 wrote to memory of 2676	5040	MsiExec.exe	106

C:\Users\Admin\AppData\Local\Temp\QuickTimeInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\QuickTimeInstaller.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\IXP847.TMP\QuickTime.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1572

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7727DCC8C3BFC98EF487E4CB4E1FFB44 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\IXP847.TMP\QuickTimeInstallerAdmin.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP847.TMP\QuickTimeInstallerAdmin.exe" /evt EDA2 /pid 5040 /mon 912 1068
    3⤵
    - Executes dropped EXE
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP847.TMP\QuickTime.msi

Filesize
27.1MB

MD5
5376b2262b6e9773801520b6735c6de9

SHA1
fbddb7e5d7f06ff4e5c65d57c01ef27c0bca7ca5

SHA256
03ea287b99df2605a9d32b0fe9096d811b8c7ed1654f822ff76f7e172e0ed0b8

SHA512
cce529666d0f33ee347cb001bb0d37d07c25473545b3a6de6efa44f93f1326b520a822c7b46061b7de2690c0144485d62520fbf757217167ec1bbd131f78f826

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP847.TMP\QuickTimeInstallerAdmin.exe

Filesize
78KB

MD5
621ed0e1d558cd598cc423b61bfa1f04

SHA1
2a0fca94934e9614ac6ae7c4e0f593f01f17ddab

SHA256
12f4f1d2003ab8de46c7dd67e885a90c517a0a4596953fe796bf0c3754112043

SHA512
f6f1f5c22fd4b10c4a8d69048a47c31c558d6fc8a8acb14cf37b32f0c3677ea12dc0d5e8beada4fedb059c14029103bb210fd490d85185375eea3d42fb6e9ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI443D.tmp

Filesize
134KB

MD5
fc09fd1c7a4e16ab8a5e9106f1344bf2

SHA1
8b07a5259b8f3a2ecb4758ab745ae3e8f7b9d652

SHA256
f3569339784a54ac40e0ba00b86e225ac0804e8112956dec6b1ea805d514f638

SHA512
d787551ccbfabbf9dca17e50e1a508dd4afe124220d201f923e864a0e8f54c4abc58d1d11d20fc5c1913917c87a78e8e661f3c76b4cc55f77a798d24622257cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4519.tmp

Filesize
426KB

MD5
1f847c95adf4f7fe0956d815cb17d907

SHA1
0d3638822942ad4d9c0d492c5df5fb33f36fa178

SHA256
10db6192b63c7260405597f9f8a1eb54a9f4f49b34a87b68be04bb8bd815da1d

SHA512
23062dc0d3f1c157615c5679ad03c76242659bfbe08a5ebd8d85ce2af05925c4fdcc0e789d5e278afc9235dd9472b038aff2bce5e27f4ba8c7f18cf084d81ccf

Download Submit