d314979381670be394531a78835a56e5e5894aa7aa43da36d86fcda97db2567b

Resubmissions

09/03/2024, 00:10

240309-agetcabb6y 8

09/03/2024, 00:06

240309-adr99sac64 8

Analysis

max time kernel
131s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AMASS 2.0/setup.exe
Size

2.6MB
MD5

f60f16734c6032efdb614b1cd8de7a00
SHA1

ec3d0f54233acf3bd583b3d1d89fde62c025bd0b
SHA256

26825915608783e7034d7cf12db64d4c78f70eac44c7351abedf843a8b483d8a
SHA512

5d0a017b7c7855676846b2d8df96445dea8943a3871f5aebea1eaf5028035bdb76cd57c5722739bcc9f79946e57dd0b8a946cad90f35bd472da3f87f9a721ce7
SSDEEP

1536:m1Sr1nt2W6tdC+pkzmzW6kgr8eHvPb5hmmVgZVptECqP6+UqXswm+mZEeD1uqpib:mAOSyJXZrsSGjC

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE

Executes dropped EXE 1 IoCs

pid	Process
2500	Setup.exe

Loads dropped DLL 3 IoCs

pid	Process
2676	Setup.exe
2500	Setup.exe
2624	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2768	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2768	MSIEXEC.EXE
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeSecurityPrivilege	1748	msiexec.exe
Token: SeCreateTokenPrivilege	2768	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2768	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2768	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2768	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2768	MSIEXEC.EXE
Token: SeTcbPrivilege	2768	MSIEXEC.EXE
Token: SeSecurityPrivilege	2768	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2768	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2768	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2768	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2768	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2768	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2768	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2768	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2768	MSIEXEC.EXE
Token: SeBackupPrivilege	2768	MSIEXEC.EXE
Token: SeRestorePrivilege	2768	MSIEXEC.EXE
Token: SeShutdownPrivilege	2768	MSIEXEC.EXE
Token: SeDebugPrivilege	2768	MSIEXEC.EXE
Token: SeAuditPrivilege	2768	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2768	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2768	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2768	MSIEXEC.EXE
Token: SeUndockPrivilege	2768	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2768	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2768	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2768	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2768	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2768	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2768	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2768	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2768	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2768	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2768	MSIEXEC.EXE
Token: SeTcbPrivilege	2768	MSIEXEC.EXE
Token: SeSecurityPrivilege	2768	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2768	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2768	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2768	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2768	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2768	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2768	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2768	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2768	MSIEXEC.EXE
Token: SeBackupPrivilege	2768	MSIEXEC.EXE
Token: SeRestorePrivilege	2768	MSIEXEC.EXE
Token: SeShutdownPrivilege	2768	MSIEXEC.EXE
Token: SeDebugPrivilege	2768	MSIEXEC.EXE
Token: SeAuditPrivilege	2768	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2768	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2768	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2768	MSIEXEC.EXE
Token: SeUndockPrivilege	2768	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2768	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2768	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2768	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2768	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2768	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2768	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2768	MSIEXEC.EXE
2768	MSIEXEC.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2928	setup.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2676	2928	setup.exe	30
PID 2928 wrote to memory of 2676	2928	setup.exe	30
PID 2928 wrote to memory of 2676	2928	setup.exe	30
PID 2928 wrote to memory of 2676	2928	setup.exe	30
PID 2928 wrote to memory of 2676	2928	setup.exe	30
PID 2928 wrote to memory of 2676	2928	setup.exe	30
PID 2928 wrote to memory of 2676	2928	setup.exe	30
PID 2676 wrote to memory of 2500	2676	Setup.exe	31
PID 2676 wrote to memory of 2500	2676	Setup.exe	31
PID 2676 wrote to memory of 2500	2676	Setup.exe	31
PID 2676 wrote to memory of 2500	2676	Setup.exe	31
PID 2676 wrote to memory of 2500	2676	Setup.exe	31
PID 2676 wrote to memory of 2500	2676	Setup.exe	31
PID 2676 wrote to memory of 2500	2676	Setup.exe	31
PID 2500 wrote to memory of 2768	2500	Setup.exe	32
PID 2500 wrote to memory of 2768	2500	Setup.exe	32
PID 2500 wrote to memory of 2768	2500	Setup.exe	32
PID 2500 wrote to memory of 2768	2500	Setup.exe	32
PID 2500 wrote to memory of 2768	2500	Setup.exe	32
PID 2500 wrote to memory of 2768	2500	Setup.exe	32
PID 2500 wrote to memory of 2768	2500	Setup.exe	32
PID 1748 wrote to memory of 2624	1748	msiexec.exe	34
PID 1748 wrote to memory of 2624	1748	msiexec.exe	34
PID 1748 wrote to memory of 2624	1748	msiexec.exe	34
PID 1748 wrote to memory of 2624	1748	msiexec.exe	34
PID 1748 wrote to memory of 2624	1748	msiexec.exe	34
PID 1748 wrote to memory of 2624	1748	msiexec.exe	34
PID 1748 wrote to memory of 2624	1748	msiexec.exe	34
PID 2500 wrote to memory of 1956	2500	Setup.exe	35
PID 2500 wrote to memory of 1956	2500	Setup.exe	35
PID 2500 wrote to memory of 1956	2500	Setup.exe	35
PID 2500 wrote to memory of 1956	2500	Setup.exe	35
PID 2500 wrote to memory of 1956	2500	Setup.exe	35
PID 2500 wrote to memory of 1956	2500	Setup.exe	35
PID 2500 wrote to memory of 1956	2500	Setup.exe	35

C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\setup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\Setup.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\{88DD03B6-C177-4FCC-8490-4EDB2EC99FAC}\Setup.exe
    C:\Users\Admin\AppData\Local\Temp\{88DD03B6-C177-4FCC-8490-4EDB2EC99FAC}\Setup.exe /q"C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS\Setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{88DD03B6-C177-4FCC-8490-4EDB2EC99FAC}" /IS_temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\system32\MSIEXEC.EXE
      "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\AMASS 2.0\AMASS" SETUPEXENAME="Setup.exe"
      4⤵
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{88DD03B6-C177-4FCC-8490-4EDB2EC99FAC}"
      4⤵
      PID:1956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24054289BB9957E9D0F332DB965F71BA C
  2⤵
  - Loads dropped DLL
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi

Filesize
1.1MB

MD5
e146b5e83a5e2ea3723a64686d3feaec

SHA1
a5ddd7b2527426e3298726de657105abd8e4e012

SHA256
c6bdbc6eacad3c7f51f7747511de712db59c823e7a78136966ae7715ea796be8

SHA512
f77b3dde73d2b2ae51cc01b0055acf0360409b5f41a7c4be67b3b5c3fd44798b616ec034f81c2d41f5ba618a26ad1ac1fb93a8a1b134907f916752f24d995de9

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{45C7EAD5-A76E-4803-9ADF-38D8A95B4990}\Malvern Panalytical AMASS.msi

Filesize
3.0MB

MD5
b518ca45a256a2bf882cffc238ff2f58

SHA1
9c12982bfc80e497bcfa04380cc9d8e91ba947fc

SHA256
36e4cde5b2c2d3b34f447bb2d80ce332695bce2125ae98692b014a213ec13581

SHA512
72d8c8e12594fb69dcdba407c4b0f1abed6e66c4cccd22522fd0c2da87bc4899332e69b6e1792dd6c1ff62739bb42223c4ce4fdf1203637481114a481a3f270c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{88DD03B6-C177-4FCC-8490-4EDB2EC99FAC}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{88DD03B6-C177-4FCC-8490-4EDB2EC99FAC}\Setup.exe

Filesize
2.1MB

MD5
9ac0afc9cef03adc56c0be169ae66ec4

SHA1
770e7639b68fa471058bfec56eba38e9c2349479

SHA256
6db0d6f582c10597c878967d4b4249d4819b224985de71809c176459a576764f

SHA512
878ed6cd4815d33d3b3c9616aa65c41f5ad1e419ba64848cb847a753385f54bdeaf97dc8851d8b93683e0c67e786d27644f5875a7e4f299db92210a2f6404346

Download Submit
C:\Users\Admin\AppData\Local\Temp\{88DD03B6-C177-4FCC-8490-4EDB2EC99FAC}\Setup.exe

Filesize
1.9MB

MD5
08944f651bf9dcfb37ac8ce5798f9cab

SHA1
4f0d087de6cf04d0fa70d413da07800a9d03faa1

SHA256
40d086adb0e26ae758033c4863d5a2132ce94dac6370d64291ff86589c7b9f6e

SHA512
a95fc90bc64713ce0b1a5150cd70275d2f9152fca585b818d3eeac9bddf746f55de0e3dd86e240f5a5a51b0762b7086ba9a72eb3f62539679b2510d40cf404bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{88DD03B6-C177-4FCC-8490-4EDB2EC99FAC}\_ISMSIDEL.INI

Filesize
592B

MD5
022c89f9d1da3c317c637f726f1a42b9

SHA1
e9c724106792a518b17ac3fbf296f906946baf92

SHA256
72f85938a4ed87c114d4ae409831bdd20ba5cdc8f2d69240c313493052ee6090

SHA512
dbcef715347306f9883a46ed8c14e419ce386964d4ae443acda48daa2497bccfffdd01f97dafd207ce544668052c62a37b9e8d8a4f256e91745c33f1adb28998

Download Submit
C:\Users\Admin\AppData\Local\Temp\{88DD03B6-C177-4FCC-8490-4EDB2EC99FAC}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9494.tmp

Filesize
5KB

MD5
dd495e2afa525e1db9450d2de7fc4745

SHA1
22cabae8a286d26af8aea8ea1dcfb946a0d9de47

SHA256
5425ac9206290d4bf84f8f49b442439bf44fe1bfdbbc18d7b486796261dce87e

SHA512
48cc7ec3b2e7ceebd586a13b1b5782d3d26c49b17be482b2733ae6d82f213c2f6654b63a88a4bb1e7d4dc381793944f6cb2384afca83a415956aef3b3f8152af

Download Submit
\Users\Admin\AppData\Local\Temp\MSIA9C7.tmp

Filesize
165KB

MD5
b5adf92090930e725510e2aafe97434f

SHA1
eb9aff632e16fcb0459554979d3562dcf5652e21

SHA256
1f6f0d9f136bc170cfbc48a1015113947087ac27aed1e3e91673ffc91b9f390b

SHA512
1076165011e20c2686fb6f84a47c31da939fa445d9334be44bdaa515c9269499bd70f83eb5fcfa6f34cf7a707a828ff1b192ec21245ee61817f06a66e74ff509

Download Submit
\Users\Admin\AppData\Local\Temp\{88DD03B6-C177-4FCC-8490-4EDB2EC99FAC}\Setup.exe

Filesize
2.5MB

MD5
deb14fd6bf20ed51c69b8cccda413fe7

SHA1
f60974045964ccc3a407f40107b7fca8d4f8c123

SHA256
2e1c0a70c9f5d420ad8516e9e344a1842b9a69c8525384ec1f22170fb0290ff1

SHA512
07ceb7054056044d3a43e072e802d1147656cfd325a9e79e9f57fcd0de95061f781ca94611f18647e3ad28752ade4e504f871bdafb5af63b906175881ededc1b

Download Submit
\Users\Admin\AppData\Local\Temp\{88DD03B6-C177-4FCC-8490-4EDB2EC99FAC}\Setup.exe

Filesize
1.3MB

MD5
05f8d63d882f4a7fb216577636922083

SHA1
0582464ea4616ec25d7b2e9fa542efb7b18140ec

SHA256
2e0af1b5e30817144bf9e3c7aef5ce95bc251d656a728263028ae9c85a51b18f

SHA512
5de98bfef2a71d09c4431275269a34e4e6b48909bd60db980de3d778832c030aa589575f0eacb8f47b28b9fd96d555904d11a219acc21c39594020f6476b7d32

Download Submit