d314979381670be394531a78835a56e5e5894aa7aa43da36d86fcda97db2567b

Resubmissions

09/03/2024, 00:10

240309-agetcabb6y 8

09/03/2024, 00:06

240309-adr99sac64 8

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 00:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AMASS 2.0/AMASS/setup.exe
Size

140.6MB
MD5

0d8889f0d96f1564f8b990a297e48d1b
SHA1

40d540ada5a734c711ddc8e1967816041dcc60d8
SHA256

94c303148b663e9b069a4254d3a5d858bd14f173e0366053a1c0a076b49a1bf9
SHA512

71caa952272355f290293edd571a3cea4d76f7c29efee5c17ceba8f68c30f2540b2b56835859b3856b5affb6f1b9fedf734c86f454c006f0edfda9c72625a123
SSDEEP

3145728:eRFAvw1IEslZM6FCb9ymhlU8JxRiQtppxCAbWxeTbBJyVcAG09vvF34lMsZl:DiSFFCEmVJxcQRxdbWxGb7yakvyxl

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	setup.exe
2480	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2628	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2628	MSIEXEC.EXE
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeSecurityPrivilege	2616	msiexec.exe
Token: SeCreateTokenPrivilege	2628	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2628	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2628	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2628	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2628	MSIEXEC.EXE
Token: SeTcbPrivilege	2628	MSIEXEC.EXE
Token: SeSecurityPrivilege	2628	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2628	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2628	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2628	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2628	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2628	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2628	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2628	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2628	MSIEXEC.EXE
Token: SeBackupPrivilege	2628	MSIEXEC.EXE
Token: SeRestorePrivilege	2628	MSIEXEC.EXE
Token: SeShutdownPrivilege	2628	MSIEXEC.EXE
Token: SeDebugPrivilege	2628	MSIEXEC.EXE
Token: SeAuditPrivilege	2628	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2628	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2628	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2628	MSIEXEC.EXE
Token: SeUndockPrivilege	2628	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2628	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2628	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2628	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2628	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2628	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2628	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2628	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2628	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2628	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2628	MSIEXEC.EXE
Token: SeTcbPrivilege	2628	MSIEXEC.EXE
Token: SeSecurityPrivilege	2628	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2628	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2628	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2628	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2628	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2628	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2628	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2628	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2628	MSIEXEC.EXE
Token: SeBackupPrivilege	2628	MSIEXEC.EXE
Token: SeRestorePrivilege	2628	MSIEXEC.EXE
Token: SeShutdownPrivilege	2628	MSIEXEC.EXE
Token: SeDebugPrivilege	2628	MSIEXEC.EXE
Token: SeAuditPrivilege	2628	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2628	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2628	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2628	MSIEXEC.EXE
Token: SeUndockPrivilege	2628	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2628	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2628	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2628	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2628	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2628	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2628	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2628	MSIEXEC.EXE
2628	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2536	2380	setup.exe	28
PID 2380 wrote to memory of 2536	2380	setup.exe	28
PID 2380 wrote to memory of 2536	2380	setup.exe	28
PID 2380 wrote to memory of 2536	2380	setup.exe	28
PID 2380 wrote to memory of 2536	2380	setup.exe	28
PID 2380 wrote to memory of 2536	2380	setup.exe	28
PID 2380 wrote to memory of 2536	2380	setup.exe	28
PID 2536 wrote to memory of 2628	2536	setup.exe	29
PID 2536 wrote to memory of 2628	2536	setup.exe	29
PID 2536 wrote to memory of 2628	2536	setup.exe	29
PID 2536 wrote to memory of 2628	2536	setup.exe	29
PID 2536 wrote to memory of 2628	2536	setup.exe	29
PID 2536 wrote to memory of 2628	2536	setup.exe	29
PID 2536 wrote to memory of 2628	2536	setup.exe	29
PID 2616 wrote to memory of 2480	2616	msiexec.exe	31
PID 2616 wrote to memory of 2480	2616	msiexec.exe	31
PID 2616 wrote to memory of 2480	2616	msiexec.exe	31
PID 2616 wrote to memory of 2480	2616	msiexec.exe	31
PID 2616 wrote to memory of 2480	2616	msiexec.exe	31
PID 2616 wrote to memory of 2480	2616	msiexec.exe	31
PID 2616 wrote to memory of 2480	2616	msiexec.exe	31
PID 2536 wrote to memory of 1688	2536	setup.exe	32
PID 2536 wrote to memory of 1688	2536	setup.exe	32
PID 2536 wrote to memory of 1688	2536	setup.exe	32
PID 2536 wrote to memory of 1688	2536	setup.exe	32

C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\setup.exe
"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\{CBE4C363-B939-4BD8-9413-08486388E213}\setup.exe
  C:\Users\Admin\AppData\Local\Temp\{CBE4C363-B939-4BD8-9413-08486388E213}\setup.exe /q"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{CBE4C363-B939-4BD8-9413-08486388E213}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS" SETUPEXENAME="setup.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{CBE4C363-B939-4BD8-9413-08486388E213}"
    3⤵
    PID:1688

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E99FDCE9DE91ADC24EA01232C443FCC0 C
  2⤵
  - Loads dropped DLL
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi

Filesize
1.8MB

MD5
17377045cd8a3bf5da4f433fcad10bd6

SHA1
c9e3bfb91b3f8aa08d60d68dde2da00f8f19c5e5

SHA256
325c2a2df3f1099712a665de2d71bbd9791fc71e7c580a5a249688bc49f6e01d

SHA512
c012bc10d3ed0bc677375eeeaf40c72115a329ed8d41e116a22c60ce904bad2707f8c5e07d5344d77710a11fad64a02bf5a68afae986ee90bd9b2852f35846ea

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi

Filesize
962KB

MD5
1b5af97c64043d0fdb2fa6854d844baf

SHA1
02219242664fca02e05502bcc3ec8ba315193af5

SHA256
c40056f26345cdf2438363d7137dbf383452277228be7367e99cf72be4f57ad7

SHA512
f574bfa09894dbbd907047fa4c25f7d751112ffbbc5f58f6bfd533bca5eea792e0577aa48edeb0ee24ba3a0d1495149903647350b4dfb50cc3a6922e43043ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CBE4C363-B939-4BD8-9413-08486388E213}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CBE4C363-B939-4BD8-9413-08486388E213}\_ISMSIDEL.INI

Filesize
592B

MD5
4ccc8abc55fb774c6624c90bd92e6c95

SHA1
b286cbfef49db44e8c66ca58060a3cb212c62bbd

SHA256
c306755cfb7216d141808c3ff9f3e09d54ecff6adeef964b0ad6f4ebe5101812

SHA512
f408afb185398520c6a16e73f30303f0294e80eda794c065bb648b9a29dc253ec2b7560eb80f8c42db1544b51ec4d56de67250ea5418f015105c9f4437e7e18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CBE4C363-B939-4BD8-9413-08486388E213}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CBE4C363-B939-4BD8-9413-08486388E213}\setup.exe

Filesize
273KB

MD5
bba1273997cddecfa2987a5427aefebf

SHA1
bf1accd53704ea217bc6c02a37b98a6a4709f2d0

SHA256
3c2899a052168cb569e937be11d7d7a41f009a13d12267829764d468b05f788b

SHA512
5b04385b70f57cbc176a53faab1e743c0f3483cae41a8ed2bf21b0179187d3f08daf75e6a49ce3e84f46d3d713db2fa76310bb249ae4cdd4f576f56fde680e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CBE4C363-B939-4BD8-9413-08486388E213}\setup.exe

Filesize
150KB

MD5
ba642976eb239883a3e5ddafb3f94679

SHA1
89f9885bb6ce15cab5f7508a8e45db05c639f28d

SHA256
e1f417b3f551d01e6d7b6ab8ae8c2694aa54a1567c03c3d5ce23ec1e02e3d1b3

SHA512
c1b3b5ea8d4b157ac639200d50fba2e8f490b0c08fb894bf0d3e0db104a4b574de92d95f521e6635e12d373b2e454908c6fdb6a4fec452ddc85f5cab1b75273f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1A08.tmp

Filesize
5KB

MD5
dd495e2afa525e1db9450d2de7fc4745

SHA1
22cabae8a286d26af8aea8ea1dcfb946a0d9de47

SHA256
5425ac9206290d4bf84f8f49b442439bf44fe1bfdbbc18d7b486796261dce87e

SHA512
48cc7ec3b2e7ceebd586a13b1b5782d3d26c49b17be482b2733ae6d82f213c2f6654b63a88a4bb1e7d4dc381793944f6cb2384afca83a415956aef3b3f8152af

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2FA8.tmp

Filesize
165KB

MD5
b5adf92090930e725510e2aafe97434f

SHA1
eb9aff632e16fcb0459554979d3562dcf5652e21

SHA256
1f6f0d9f136bc170cfbc48a1015113947087ac27aed1e3e91673ffc91b9f390b

SHA512
1076165011e20c2686fb6f84a47c31da939fa445d9334be44bdaa515c9269499bd70f83eb5fcfa6f34cf7a707a828ff1b192ec21245ee61817f06a66e74ff509

Download Submit
\Users\Admin\AppData\Local\Temp\{CBE4C363-B939-4BD8-9413-08486388E213}\setup.exe

Filesize
1.4MB

MD5
a328919b9e663805ef5dd6d4a118eb33

SHA1
1aed4e24fe6d49083423d313acbbdc561e933ac2

SHA256
ace4a542b4e72f83fabaa4a27748219b94860a84e465e412807be81bf57ed1c1

SHA512
426d650d2209893202b883e0a3beaf51501fd042bb1c1d87c35326270e2f7fb8efa2d9e0c6ba7ec1f5198f78bc8396c84195d8359073a0382042ed5e3495c3de

Download Submit