Analysis
- max time kernel: 15s
- max time network: 16s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-03-2024 07:56

Static task: static1
Behavioral task: behavioral1
- Sample: setup.msi
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: setup.msi
- Resource: win10v2004-20240508-en
General
- Target: setup.msi
- Size: 8.5MB
- MD5: 86a68878633d570e195609fe33640561
- SHA1: 5a5355a80750693493c4ff9d4184d3234ad62b73
- SHA256: 7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92
- SHA512: 502f996aff0273aecd4256bd25b3bcd2187a2b44c1b26c0b64a622ae2d788328d8f8e9bbd8fa9119a0edb282d1737f8f502ecf69484a70b14fd287442630c1a9
- SSDEEP: 196608:zN7EYGIfVlhQ+gtODuwjWT6mPLJo/QkPM27rMr:z+3IfVlhQ+glwY6AW/h37rM
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
Processes: powershell.exe
  flow  pid   Process
  15    4228  powershell.exe
  16    4228  powershell.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  File opened (read-only) by msiexec.exe, in order of occurrence (every drive letter from A: to Z: except C:, D: and F:, each opened twice):
  \??\J:, \??\M:, \??\X:, \??\I:, \??\U:, \??\B:, \??\I:, \??\L:, \??\P:, \??\Z:, \??\H:, \??\S:, \??\K:, \??\M:, \??\O:, \??\Q:, \??\T:, \??\O:, \??\Q:, \??\Z:, \??\K:, \??\A:, \??\R:, \??\W:, \??\X:, \??\H:, \??\N:, \??\R:, \??\B:, \??\J:, \??\N:, \??\S:, \??\L:, \??\P:, \??\V:, \??\W:, \??\Y:, \??\G:, \??\U:, \??\T:, \??\Y:, \??\E:, \??\G:, \??\V:, \??\A:, \??\E:
Suspicious use of SetThreadContext (1 IoC)
Processes: gpg.exe
  description                          pid   Process  procid_target
  PID 1656 set thread context of 1080  1656  gpg.exe  93
Drops file in Windows directory (14 IoCs)
Processes: msiexec.exe
  description                   ioc                                                                        Process
  File opened for modification  C:\Windows\Installer\MSI4AC4.tmp                                           msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI4BA1.tmp                                           msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI5C01.tmp                                           msiexec.exe
  File created                  C:\Windows\Installer\e574a6b.msi                                           msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                             msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{40687992-D47D-43B1-8A2C-57D30E7D9D88}      msiexec.exe
  File created                  C:\Windows\Installer\e574a67.msi                                           msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                   msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI4C8E.tmp                                           msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI4D1B.tmp                                           msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\e574a67.msi                                           msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI4B33.tmp                                           msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI4C10.tmp                                           msiexec.exe
Executes dropped EXE (1 IoC)
Processes: gpg.exe
  pid   Process
  1656  gpg.exe
Loads dropped DLL (12 IoCs)
Processes: MsiExec.exe, gpg.exe
  pid   Process      entries
  4008  MsiExec.exe  6
  1656  gpg.exe      6
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: powershell.exe, msiexec.exe
  pid   Process         entries
  4228  powershell.exe  2
  4516  msiexec.exe     2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, powershell.exe
  pid 928, msiexec.exe (31 entries, in order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 4516, msiexec.exe (32 entries): SeSecurityPrivilege once, then alternating SeRestorePrivilege / SeTakeOwnershipPrivilege (16 SeRestorePrivilege, 15 SeTakeOwnershipPrivilege)
  pid 4228, powershell.exe (1 entry): SeDebugPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  pid  Process      entries
  928  msiexec.exe  2
Suspicious use of WriteProcessMemory (13 IoCs)
Processes: msiexec.exe, MsiExec.exe, gpg.exe
  description                         pid   Process      procid_target  entries
  PID 4516 wrote to memory of 4008    4516  msiexec.exe  84             3
  PID 4008 wrote to memory of 4228    4008  MsiExec.exe  85             3
  PID 4516 wrote to memory of 1656    4516  msiexec.exe  91             3
  PID 1656 wrote to memory of 1080    1656  gpg.exe      93             4
Processes
- C:\Windows\system32\msiexec.exe (PID 928, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4516, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 4008, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 86D1FCD26481CA5821B57A0FCDD26059
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4228, depth 3)
      Command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4EBF.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi4EAC.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4EAD.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4EAE.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe (PID 1656, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe"
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 1080, depth 3)
      Command line: explorer.exe
Network
MITRE ATT&CK Enterprise v15
Downloads