ae5a608d1f60cd2a180c3f2f49304deb00d2082762e22614f88312a8f121214a

General

Target

NotifyConnect.exe
Size

13.8MB
MD5

27a948607ab53fe815617effb81600d1
SHA1

86a50ff946d264cd717de00d440cfd224ed46894
SHA256

ae5a608d1f60cd2a180c3f2f49304deb00d2082762e22614f88312a8f121214a
SHA512

b0f55ba415d66a958150546f7153ace1ed2478ce26b52d1f6b092d7bc746ca2f8a3305830ab026820ff70c8fb74ac38489192ffdd11645c5e3d442d892cfef0d
SSDEEP

196608:HMwAeseEJOAQPDt8sFXOQdJrsBemmRjHlmxi1sfZafCFYLM9ltd5Cxzgx:zkeJAaesFXOQoAzDr17LtzM

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	416	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	416	MSIEXEC.EXE
Token: SeSecurityPrivilege	3940	msiexec.exe
Token: SeCreateTokenPrivilege	416	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	416	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	416	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	416	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	416	MSIEXEC.EXE
Token: SeTcbPrivilege	416	MSIEXEC.EXE
Token: SeSecurityPrivilege	416	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	416	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	416	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	416	MSIEXEC.EXE
Token: SeSystemtimePrivilege	416	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	416	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	416	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	416	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	416	MSIEXEC.EXE
Token: SeBackupPrivilege	416	MSIEXEC.EXE
Token: SeRestorePrivilege	416	MSIEXEC.EXE
Token: SeShutdownPrivilege	416	MSIEXEC.EXE
Token: SeDebugPrivilege	416	MSIEXEC.EXE
Token: SeAuditPrivilege	416	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	416	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	416	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	416	MSIEXEC.EXE
Token: SeUndockPrivilege	416	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	416	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	416	MSIEXEC.EXE
Token: SeManageVolumePrivilege	416	MSIEXEC.EXE
Token: SeImpersonatePrivilege	416	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	416	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
416	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 416	2156	NotifyConnect.exe	95
PID 2156 wrote to memory of 416	2156	NotifyConnect.exe	95
PID 2156 wrote to memory of 416	2156	NotifyConnect.exe	95

C:\Users\Admin\AppData\Local\Temp\NotifyConnect.exe
"C:\Users\Admin\AppData\Local\Temp\NotifyConnect.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{9BFCC852-4EA8-490A-A17D-5E65A0AE354D}\MdConnect_Desktop.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="NotifyConnect.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:416

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Downloaded Installations\{9BFCC852-4EA8-490A-A17D-5E65A0AE354D}\MdConnect_Desktop.msi

Filesize
12.6MB

MD5
83a1ed13432968c61108e522d0fac3cd

SHA1
06d41510d5db19e89146d401519051fb695d406c

SHA256
30703630ebc5bce5c7fbf3424a4186f7d0c74500560ab939dfac3430ca94ec01

SHA512
0297fb17445b57407c98cdd4c55779c1d8973122e42ec63aacf63720845c7adf158cd0950a1960768f1426cb311b92877a0ed363037d520679190207f4a77f16

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{9BFCC852-4EA8-490A-A17D-5E65A0AE354D}\MdConnect_Desktop.msi

Filesize
13.7MB

MD5
16cbe8c063e2571a14885fcb465f470c

SHA1
f02b7ffbfe4313585a3eab98aecf38246a69ce32

SHA256
7ac1f4f46846ea1dc120802a8ff3d8b129ee579f2a8ef4f8885842530636d117

SHA512
4186bfae917f1eb9dd4679ce228f3efbbe9340c1c871f4c160e262cf8f40653b73f5488d7b87701e46c0004a03c4034d4ebfe6eb2235ff38e453072578f5969e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is78A1.tmp

Filesize
1KB

MD5
4703a131510955e0e14974f0bcc626b2

SHA1
69b710fccb792684a5694b69a0e86d4e3c7eae9c

SHA256
5006934220d17a4b5f02f3cdc607acd222420a68aef3ea4fc46a1c6ce93158b3

SHA512
126eb7a227e73edc4c2065c4bfff47402857b3aa0dfe8770b79fe7ba8f4d5c44c32d414f0cadfcdcf53f141b3f1da72a06e70eda00944a1e2fd5e55058aa4998

Download Submit
C:\Users\Admin\AppData\Local\Temp\{11753C80-F73E-49F6-8C57-01B8365C6FCA}\0x0416.ini

Filesize
14KB

MD5
69f04b48601cd07f01cf4f6e364ecdb8

SHA1
5d8260e533fdc9576f33a1f013f3739c144ad612

SHA256
3a56a6e10eec747b4e1c0b4bae2aa8d3eaff840254ab23c9748512777adb1159

SHA512
6eaa7ced5299d7e1e5068d3fa4b2a0d31a40ad02e71e646ed40e4bb339e36f36a5dec50936e851d7ec3d871c47ccb42119e5233c3bee1b3d8c2fe276e3d3018a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{11753C80-F73E-49F6-8C57-01B8365C6FCA}\Setup.INI

Filesize
2KB

MD5
435628c19ba43f37335682223fa05e32

SHA1
d5a4e945926654f68b0ef2bc4d06248233e27600

SHA256
44c9fec2539858c2a12366571a20991559398548890d8c97fc3aec9d612ff832

SHA512
566c19d4a1f47ad1320266fed3cf2fae7de3caf6cbf4d814eab78dadc72b824633265648235c5260a14b4bb3291f56b6a5dc621244617be248ec7a9b219346bb

Download Submit

Analysis

Sharing