Overview
overview
7Static
static
3TwingateWi...er.exe
windows7-x64
6TwingateWi...er.exe
windows10-2004-x64
6$PLUGINSDI...ck.exe
windows7-x64
1$PLUGINSDI...ck.exe
windows10-2004-x64
1$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...er.msi
windows7-x64
6$PLUGINSDI...er.msi
windows10-2004-x64
6$PLUGINSDI...64.exe
windows7-x64
4$PLUGINSDI...64.exe
windows10-2004-x64
4$PLUGINSDI...eb.exe
windows7-x64
7$PLUGINSDI...eb.exe
windows10-2004-x64
7$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3Analysis
-
max time kernel
293s -
max time network
301s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19/03/2024, 15:12
Static task
static1
Behavioral task
behavioral1
Sample
TwingateWindowsInstaller.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
TwingateWindowsInstaller.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/NetCoreCheck.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/NetCoreCheck.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/TwingateWindowsInstaller.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/TwingateWindowsInstaller.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/dotnet-WindowsDesktop-x64.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/dotnet-WindowsDesktop-x64.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/ndp48-web.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/ndp48-web.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
General
-
Target
TwingateWindowsInstaller.exe
-
Size
81.9MB
-
MD5
54be7fa22ab8bf77dd7f9b1f3edad379
-
SHA1
68e91f755c007e6f0be6b1b81f72f0a9aa5fd46f
-
SHA256
258c713562b0b18b8572a3d23c83d338b4c5cdb5fb421e47b78475ddd2cf7c06
-
SHA512
41cc86a7298b6a3454e2368935fddb0645555f18894c32471b72bf5023410d7d858d68accccb6901cd174ae1f4c729864e1ba356a3a79e0dee857cdd62a82631
-
SSDEEP
1572864:KYTufAs+mNKQHyPkQgM8KAsXNC3xCUH/3ivgHQeN0jRgXJN9HoRTFo0zS8Bw5rtY:KGDQHyPGM8CXU3Em/l30j65NSoqDy5xw
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 17 4040 msiexec.exe 20 4040 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 1220 NetCoreCheck.exe -
Loads dropped DLL 3 IoCs
pid Process 4808 TwingateWindowsInstaller.exe 4808 TwingateWindowsInstaller.exe 4068 MsiExec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4040 msiexec.exe Token: SeIncreaseQuotaPrivilege 4040 msiexec.exe Token: SeSecurityPrivilege 392 msiexec.exe Token: SeCreateTokenPrivilege 4040 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4040 msiexec.exe Token: SeLockMemoryPrivilege 4040 msiexec.exe Token: SeIncreaseQuotaPrivilege 4040 msiexec.exe Token: SeMachineAccountPrivilege 4040 msiexec.exe Token: SeTcbPrivilege 4040 msiexec.exe Token: SeSecurityPrivilege 4040 msiexec.exe Token: SeTakeOwnershipPrivilege 4040 msiexec.exe Token: SeLoadDriverPrivilege 4040 msiexec.exe Token: SeSystemProfilePrivilege 4040 msiexec.exe Token: SeSystemtimePrivilege 4040 msiexec.exe Token: SeProfSingleProcessPrivilege 4040 msiexec.exe Token: SeIncBasePriorityPrivilege 4040 msiexec.exe Token: SeCreatePagefilePrivilege 4040 msiexec.exe Token: SeCreatePermanentPrivilege 4040 msiexec.exe Token: SeBackupPrivilege 4040 msiexec.exe Token: SeRestorePrivilege 4040 msiexec.exe Token: SeShutdownPrivilege 4040 msiexec.exe Token: SeDebugPrivilege 4040 msiexec.exe Token: SeAuditPrivilege 4040 msiexec.exe Token: SeSystemEnvironmentPrivilege 4040 msiexec.exe Token: SeChangeNotifyPrivilege 4040 msiexec.exe Token: SeRemoteShutdownPrivilege 4040 msiexec.exe Token: SeUndockPrivilege 4040 msiexec.exe Token: SeSyncAgentPrivilege 4040 msiexec.exe Token: SeEnableDelegationPrivilege 4040 msiexec.exe Token: SeManageVolumePrivilege 4040 msiexec.exe Token: SeImpersonatePrivilege 4040 msiexec.exe Token: SeCreateGlobalPrivilege 4040 msiexec.exe Token: SeCreateTokenPrivilege 4040 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4040 msiexec.exe Token: SeLockMemoryPrivilege 4040 msiexec.exe Token: SeIncreaseQuotaPrivilege 4040 msiexec.exe Token: SeMachineAccountPrivilege 4040 msiexec.exe Token: SeTcbPrivilege 4040 msiexec.exe Token: SeSecurityPrivilege 4040 msiexec.exe Token: SeTakeOwnershipPrivilege 4040 msiexec.exe Token: SeLoadDriverPrivilege 4040 msiexec.exe Token: SeSystemProfilePrivilege 4040 msiexec.exe Token: SeSystemtimePrivilege 4040 msiexec.exe Token: SeProfSingleProcessPrivilege 4040 msiexec.exe Token: SeIncBasePriorityPrivilege 4040 msiexec.exe Token: SeCreatePagefilePrivilege 4040 msiexec.exe Token: SeCreatePermanentPrivilege 4040 msiexec.exe Token: SeBackupPrivilege 4040 msiexec.exe Token: SeRestorePrivilege 4040 msiexec.exe Token: SeShutdownPrivilege 4040 msiexec.exe Token: SeDebugPrivilege 4040 msiexec.exe Token: SeAuditPrivilege 4040 msiexec.exe Token: SeSystemEnvironmentPrivilege 4040 msiexec.exe Token: SeChangeNotifyPrivilege 4040 msiexec.exe Token: SeRemoteShutdownPrivilege 4040 msiexec.exe Token: SeUndockPrivilege 4040 msiexec.exe Token: SeSyncAgentPrivilege 4040 msiexec.exe Token: SeEnableDelegationPrivilege 4040 msiexec.exe Token: SeManageVolumePrivilege 4040 msiexec.exe Token: SeImpersonatePrivilege 4040 msiexec.exe Token: SeCreateGlobalPrivilege 4040 msiexec.exe Token: SeCreateTokenPrivilege 4040 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4040 msiexec.exe Token: SeLockMemoryPrivilege 4040 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4040 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 4808 wrote to memory of 1220 4808 TwingateWindowsInstaller.exe 92 PID 4808 wrote to memory of 1220 4808 TwingateWindowsInstaller.exe 92 PID 4808 wrote to memory of 4040 4808 TwingateWindowsInstaller.exe 94 PID 4808 wrote to memory of 4040 4808 TwingateWindowsInstaller.exe 94 PID 4808 wrote to memory of 4040 4808 TwingateWindowsInstaller.exe 94 PID 392 wrote to memory of 4068 392 msiexec.exe 97 PID 392 wrote to memory of 4068 392 msiexec.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\TwingateWindowsInstaller.exe"C:\Users\Admin\AppData\Local\Temp\TwingateWindowsInstaller.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\nsi346F.tmp\NetCoreCheck.exe"C:\Users\Admin\AppData\Local\Temp\nsi346F.tmp\NetCoreCheck.exe" -n Microsoft.WindowsDesktop.App -v 6.0.02⤵
- Executes dropped EXE
PID:1220
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /I "C:\Users\Admin\AppData\Local\Temp\nsi346F.tmp\TwingateWindowsInstaller.msi"2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4040
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding E8FECEA996E0B628F8DCAA4C41C446E9 C2⤵
- Loads dropped DLL
PID:4068
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:4500
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵PID:2476
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
143KB
MD59bfd64145dd0d1ddb2ca2ad9fdafb284
SHA152a6bb2fd4bc52d6362392125427ada2df84bfd5
SHA25640556d398d350df55db2015fe539dd976ceb735fc9d19cd460565c678114ec69
SHA512f858a7b61b5c98ccf134d4a33b93027928afd322828b222f4d48c1948b9f5a7ab1b8532db56490dc54e9c97d64bdb679b3a1dc1304ce7ebcce608647ac901b88
-
Filesize
142KB
MD55f6469960e0016d44be090160b889077
SHA1114b94c1401d039903e5e8b11cacbb737230365a
SHA256cb5714eb1f8b3938233823f465173c45ccef73e5b0ee122391853a3f2a305294
SHA512a3cacbab7a8a2b0a914b2eb6043f20e60761dbedfefa12fa5353d326370c087845a9eed2024675284449bbcbb8510da72b8832114f003dd2473b45357cf5c670
-
Filesize
12KB
MD54add245d4ba34b04f213409bfe504c07
SHA1ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA2569111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA5121bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
-
Filesize
27.0MB
MD53974c25fcade33b85f27d2770ed5ff87
SHA113a04128d62654e53e6d2b29c6ff3205c717f189
SHA2565c0292d6ae44e7fe2949a12170d820f7ee8fb091f508717a7c9bbddf876e97ab
SHA512018a49d3183a43a54f185b0de55aefe8cccacf17fd5d7ddc65e937945c25cc9741e8c62177c2187002b58c8875d945093e1cd2859667efa50af46dbdb94065ca
-
Filesize
7KB
MD5b4579bc396ace8cafd9e825ff63fe244
SHA132a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c
SHA25601e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b
SHA5123a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a