d314979381670be394531a78835a56e5e5894aa7aa43da36d86fcda97db2567b

Resubmissions

09/03/2024, 00:10

240309-agetcabb6y 8

09/03/2024, 00:06

240309-adr99sac64 8

Analysis

max time kernel
155s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AMASS 2.0/AMASS/setup.exe
Size

140.6MB
MD5

0d8889f0d96f1564f8b990a297e48d1b
SHA1

40d540ada5a734c711ddc8e1967816041dcc60d8
SHA256

94c303148b663e9b069a4254d3a5d858bd14f173e0366053a1c0a076b49a1bf9
SHA512

71caa952272355f290293edd571a3cea4d76f7c29efee5c17ceba8f68c30f2540b2b56835859b3856b5affb6f1b9fedf734c86f454c006f0edfda9c72625a123
SSDEEP

3145728:eRFAvw1IEslZM6FCb9ymhlU8JxRiQtppxCAbWxeTbBJyVcAG09vvF34lMsZl:DiSFFCEmVJxcQRxdbWxGb7yakvyxl

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE

Executes dropped EXE 1 IoCs

pid	Process
3212	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
3368	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2860	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2860	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2860	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2860	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2860	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2860	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2860	MSIEXEC.EXE
Token: SeTcbPrivilege	2860	MSIEXEC.EXE
Token: SeSecurityPrivilege	2860	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2860	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2860	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2860	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2860	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2860	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2860	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2860	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2860	MSIEXEC.EXE
Token: SeBackupPrivilege	2860	MSIEXEC.EXE
Token: SeRestorePrivilege	2860	MSIEXEC.EXE
Token: SeShutdownPrivilege	2860	MSIEXEC.EXE
Token: SeDebugPrivilege	2860	MSIEXEC.EXE
Token: SeAuditPrivilege	2860	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2860	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2860	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2860	MSIEXEC.EXE
Token: SeUndockPrivilege	2860	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2860	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2860	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2860	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2860	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2860	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2860	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2860	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2860	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2860	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2860	MSIEXEC.EXE
Token: SeTcbPrivilege	2860	MSIEXEC.EXE
Token: SeSecurityPrivilege	2860	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2860	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2860	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2860	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2860	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2860	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2860	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2860	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2860	MSIEXEC.EXE
Token: SeBackupPrivilege	2860	MSIEXEC.EXE
Token: SeRestorePrivilege	2860	MSIEXEC.EXE
Token: SeShutdownPrivilege	2860	MSIEXEC.EXE
Token: SeDebugPrivilege	2860	MSIEXEC.EXE
Token: SeAuditPrivilege	2860	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2860	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2860	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2860	MSIEXEC.EXE
Token: SeUndockPrivilege	2860	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2860	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2860	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2860	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2860	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2860	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2860	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2860	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2860	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2860	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2860	MSIEXEC.EXE
2860	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 3212	4464	setup.exe	101
PID 4464 wrote to memory of 3212	4464	setup.exe	101
PID 4464 wrote to memory of 3212	4464	setup.exe	101
PID 3212 wrote to memory of 2860	3212	setup.exe	104
PID 3212 wrote to memory of 2860	3212	setup.exe	104
PID 3212 wrote to memory of 1476	3212	setup.exe	117
PID 3212 wrote to memory of 1476	3212	setup.exe	117
PID 3212 wrote to memory of 1476	3212	setup.exe	117

C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\setup.exe
"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\{21145FA2-98FC-4004-BCF1-A3E007D4F4A9}\setup.exe
  C:\Users\Admin\AppData\Local\Temp\{21145FA2-98FC-4004-BCF1-A3E007D4F4A9}\setup.exe /q"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{21145FA2-98FC-4004-BCF1-A3E007D4F4A9}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\system32\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS" SETUPEXENAME="setup.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{21145FA2-98FC-4004-BCF1-A3E007D4F4A9}"
    3⤵
    PID:1476

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2168
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B550B921100C6D8345E92FD1218CD57F C
  2⤵
  - Loads dropped DLL
  PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi

Filesize
6.6MB

MD5
37eb9cfe9e36ea3b13abc9ec267cfb38

SHA1
0ee78af397265655e254afeb6e2dada633cda6d6

SHA256
7d966263f414712635fab39595e61408f1b8b3f9f879841ca3435c676ef082f9

SHA512
ad64769fd4f9a21edc0c7a4086f1a0bbd49ea8423e63ae202576d5aed914484a06eca75468d8f260ca5f444525c5ca9e762082134316f763315f5bb2becd7c33

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi

Filesize
2.1MB

MD5
e89bce8683431ea986cf409e067ddc94

SHA1
bb24c547757d06ad566803cc4641b261eeb20059

SHA256
753480ece9901db6e9607687958199f2b81a78c2c6f6388c1e80aff8dddfbb1e

SHA512
4146317d95035280bcadf86d08eec7bd053a0410e05f84721fc8285f9c8cb51f83708863b60fdedb990e90beab96f8558927ba1ce046db064b777c1349d0f1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9C0C.tmp

Filesize
165KB

MD5
b5adf92090930e725510e2aafe97434f

SHA1
eb9aff632e16fcb0459554979d3562dcf5652e21

SHA256
1f6f0d9f136bc170cfbc48a1015113947087ac27aed1e3e91673ffc91b9f390b

SHA512
1076165011e20c2686fb6f84a47c31da939fa445d9334be44bdaa515c9269499bd70f83eb5fcfa6f34cf7a707a828ff1b192ec21245ee61817f06a66e74ff509

Download Submit
C:\Users\Admin\AppData\Local\Temp\{21145FA2-98FC-4004-BCF1-A3E007D4F4A9}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{21145FA2-98FC-4004-BCF1-A3E007D4F4A9}\_ISMSIDEL.INI

Filesize
592B

MD5
f7e738ccf1f1f5f4b5fda99d244bd6f2

SHA1
8730f6e715bcccbd59351a2d39d8e877e0d20ab4

SHA256
8a93e3a2f268694dcd67c7c35696eb4aaf8ee9b291c9a354fee648a9fe02b680

SHA512
c5062be5360ec62dfc336eceb0220f23f83b56f22bbc62e31624f4928e54323224639a445861b99c50896cd143abd9c6c4d7a7249abb6b4b78e1dda941b1c81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{21145FA2-98FC-4004-BCF1-A3E007D4F4A9}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{21145FA2-98FC-4004-BCF1-A3E007D4F4A9}\setup.exe

Filesize
856KB

MD5
29caa670fa67a736dd529b0c82363319

SHA1
07dffaa52dfaf31d67a6d2e1bf62c77aa5b97fef

SHA256
5ef9966c2d107ca844bdea2676c84169b36cbf8e3a6e9ede88cfc96cf6fa8945

SHA512
16ec02a3ad965a3105306dbcc46f2d51ffb4795536cc97f7bb21e32fe8900750c7dc8a207edabdc1a41d8429cac760f16ebf4718466bcafbed23ae7cdc1da958

Download Submit
C:\Users\Admin\AppData\Local\Temp\{21145FA2-98FC-4004-BCF1-A3E007D4F4A9}\setup.exe

Filesize
776KB

MD5
54e82d9bc95cb8c9a9b6582f06e6f47b

SHA1
2771ccb0473f4701a950338136a6917da55c571b

SHA256
b4adc0941ba7830df984bcaaec251669069050be8478b7dcdbe8d199e3721dfd

SHA512
4c32da4241d86ad233c6c1278994d0631c571f5ae0c81b2a2e24318e8f14cacc50d6f80359aeb8d8eadf777aa4be569ff68c50673abd180133cf6cfed73dfdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6DF9.tmp

Filesize
5KB

MD5
dd495e2afa525e1db9450d2de7fc4745

SHA1
22cabae8a286d26af8aea8ea1dcfb946a0d9de47

SHA256
5425ac9206290d4bf84f8f49b442439bf44fe1bfdbbc18d7b486796261dce87e

SHA512
48cc7ec3b2e7ceebd586a13b1b5782d3d26c49b17be482b2733ae6d82f213c2f6654b63a88a4bb1e7d4dc381793944f6cb2384afca83a415956aef3b3f8152af

Download Submit