d314979381670be394531a78835a56e5e5894aa7aa43da36d86fcda97db2567b

Resubmissions

09-03-2024 00:10

240309-agetcabb6y 8

09-03-2024 00:06

240309-adr99sac64 8

Analysis

max time kernel
137s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AMASS 2.0/AMASS/setup.exe
Size

140.6MB
MD5

0d8889f0d96f1564f8b990a297e48d1b
SHA1

40d540ada5a734c711ddc8e1967816041dcc60d8
SHA256

94c303148b663e9b069a4254d3a5d858bd14f173e0366053a1c0a076b49a1bf9
SHA512

71caa952272355f290293edd571a3cea4d76f7c29efee5c17ceba8f68c30f2540b2b56835859b3856b5affb6f1b9fedf734c86f454c006f0edfda9c72625a123
SSDEEP

3145728:eRFAvw1IEslZM6FCb9ymhlU8JxRiQtppxCAbWxeTbBJyVcAG09vvF34lMsZl:DiSFFCEmVJxcQRxdbWxGb7yakvyxl

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1956	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
468	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3452	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3452	MSIEXEC.EXE
Token: SeSecurityPrivilege	4884	msiexec.exe
Token: SeCreateTokenPrivilege	3452	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3452	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3452	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3452	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3452	MSIEXEC.EXE
Token: SeTcbPrivilege	3452	MSIEXEC.EXE
Token: SeSecurityPrivilege	3452	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3452	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3452	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3452	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3452	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3452	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3452	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3452	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3452	MSIEXEC.EXE
Token: SeBackupPrivilege	3452	MSIEXEC.EXE
Token: SeRestorePrivilege	3452	MSIEXEC.EXE
Token: SeShutdownPrivilege	3452	MSIEXEC.EXE
Token: SeDebugPrivilege	3452	MSIEXEC.EXE
Token: SeAuditPrivilege	3452	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3452	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3452	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3452	MSIEXEC.EXE
Token: SeUndockPrivilege	3452	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3452	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3452	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3452	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3452	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3452	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3452	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3452	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3452	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3452	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3452	MSIEXEC.EXE
Token: SeTcbPrivilege	3452	MSIEXEC.EXE
Token: SeSecurityPrivilege	3452	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3452	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3452	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3452	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3452	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3452	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3452	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3452	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3452	MSIEXEC.EXE
Token: SeBackupPrivilege	3452	MSIEXEC.EXE
Token: SeRestorePrivilege	3452	MSIEXEC.EXE
Token: SeShutdownPrivilege	3452	MSIEXEC.EXE
Token: SeDebugPrivilege	3452	MSIEXEC.EXE
Token: SeAuditPrivilege	3452	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3452	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3452	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3452	MSIEXEC.EXE
Token: SeUndockPrivilege	3452	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3452	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3452	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3452	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3452	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3452	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3452	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3452	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3452	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3452	MSIEXEC.EXE
3452	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1956	2480	setup.exe	91
PID 2480 wrote to memory of 1956	2480	setup.exe	91
PID 2480 wrote to memory of 1956	2480	setup.exe	91
PID 1956 wrote to memory of 3452	1956	setup.exe	102
PID 1956 wrote to memory of 3452	1956	setup.exe	102
PID 4884 wrote to memory of 468	4884	msiexec.exe	105
PID 4884 wrote to memory of 468	4884	msiexec.exe	105
PID 4884 wrote to memory of 468	4884	msiexec.exe	105
PID 1956 wrote to memory of 1044	1956	setup.exe	107
PID 1956 wrote to memory of 1044	1956	setup.exe	107
PID 1956 wrote to memory of 1044	1956	setup.exe	107

C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\setup.exe
"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\{0256E7C2-2887-44AC-9BA0-A62145D1B409}\setup.exe
  C:\Users\Admin\AppData\Local\Temp\{0256E7C2-2887-44AC-9BA0-A62145D1B409}\setup.exe /q"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{0256E7C2-2887-44AC-9BA0-A62145D1B409}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\system32\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS" SETUPEXENAME="setup.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{0256E7C2-2887-44AC-9BA0-A62145D1B409}"
    3⤵
    PID:1044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8B38FDD0B95EEA9BF8CA3E64C75A15BE C
  2⤵
  - Loads dropped DLL
  PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi

Filesize
23.4MB

MD5
bdbe691c11c2a7ce58a2d4b6c7068e1f

SHA1
0e4379f0538dabfdb20ed09e542f63712935a2d4

SHA256
e6253dd41e15bcc0a54a67aea9de1f9c4b582d27d2f7069e01244c578cfb8bac

SHA512
53e8c40123b29353160c913c096aae42e58c2fa1e32af89e1b13d10896498053c8db8338a587149e69ec90416f331c4dde53dd8f6841b8ed183c7f3fa4da7acb

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi

Filesize
14.1MB

MD5
0876f9dc4bd9373da75a20d247ff02e6

SHA1
4883af156dd0f85c64267ea7dafd03eae40af776

SHA256
cd2cccd97717d82c8efa0f07d124a149deba9c2b9a8e3de5a7640cf065aa67de

SHA512
1792b32eff2c2a33361264db2827365c113358451e291d2d92a70fea80356c0d79af4da5e631248f10867d832fe85adad507b16798979ab056b81149909ad9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDD6.tmp

Filesize
165KB

MD5
b5adf92090930e725510e2aafe97434f

SHA1
eb9aff632e16fcb0459554979d3562dcf5652e21

SHA256
1f6f0d9f136bc170cfbc48a1015113947087ac27aed1e3e91673ffc91b9f390b

SHA512
1076165011e20c2686fb6f84a47c31da939fa445d9334be44bdaa515c9269499bd70f83eb5fcfa6f34cf7a707a828ff1b192ec21245ee61817f06a66e74ff509

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0256E7C2-2887-44AC-9BA0-A62145D1B409}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0256E7C2-2887-44AC-9BA0-A62145D1B409}\_ISMSIDEL.INI

Filesize
592B

MD5
dd2c7af55be211c17a52583a01000279

SHA1
98c1b702d74320c5111783fda9ea77e6175b6b7d

SHA256
39d5129df324c04fd4b1142ec3bd36d18255feec03bea495e95c597434e82a93

SHA512
e9eb41a4f58e0b910b2352c580aaa5a9e622ba49c4e73d615805f90f60e6e21fbb9e13aed8234a000b15a165ad8bb22af5a4b53606159d00c073bd3e3737c737

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0256E7C2-2887-44AC-9BA0-A62145D1B409}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0256E7C2-2887-44AC-9BA0-A62145D1B409}\setup.exe

Filesize
2.6MB

MD5
169b9c8d238de52939539231cede8248

SHA1
2f8e193a19e9f02cc5d36790547da54f4d6fc207

SHA256
8e675dcf0686101ea23e6901d9733c7f45e68711c95b477f5ed7632d01ac0193

SHA512
24089160842a93c2631b498460026f071dee8c8705013f67eee0d8d5ada16ab6e3aee1dff279d123dbbfdfd67d3de58b9c7c1f5f488c7bb7bcc1591466b59e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0256E7C2-2887-44AC-9BA0-A62145D1B409}\setup.exe

Filesize
2.4MB

MD5
c3c82f6dfca5aa227b788e2d5836a525

SHA1
d3db734a4677c530e1bf9ec84cb853287191092a

SHA256
bac51a11a50c7fe5571b40c7207934345b230d4a8bd18baedba6833f44312859

SHA512
b2a424b0ba67195b32a3ff7488ca3b840794940f00078eca4662b42a949c270cf844bdc4d960e8434d212a95985f374c9a56ff808543300d3251b734f1569301

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9973.tmp

Filesize
5KB

MD5
dd495e2afa525e1db9450d2de7fc4745

SHA1
22cabae8a286d26af8aea8ea1dcfb946a0d9de47

SHA256
5425ac9206290d4bf84f8f49b442439bf44fe1bfdbbc18d7b486796261dce87e

SHA512
48cc7ec3b2e7ceebd586a13b1b5782d3d26c49b17be482b2733ae6d82f213c2f6654b63a88a4bb1e7d4dc381793944f6cb2384afca83a415956aef3b3f8152af

Download Submit