2df688778a3506068c27ee752f1ca6d6690fec755a3ca02b8f84478252ab2027

Resubmissions

08/04/2024, 14:58

240408-scmmhaca56 8

03/04/2024, 19:45

240403-ygeeksag7v 8

Analysis

max time kernel
412s
max time network
1153s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
08/04/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TruCheck_v3.03.70_b3647_Updater.exe
Size

195.7MB
MD5

719e9af110e7527608b8006f6290a29c
SHA1

74a0684bffc141503c55572c12eecba2a3d9e5a1
SHA256

29dc4464ba770c14edd38234dc1a26fc6a983212831ed653b50945be99153c12
SHA512

140e648a28ac5e7a3180f7f311f84ee0a393146f066d3d800d25efff9e5f278d97445117b10c28a382b45c5b345183bdf11fc5227d6e687dedbfc3b8372d87ae
SSDEEP

3145728:caSFaGTMXZ+IasZ4AR/gh6O6gx7AFaTzT6B7jdsOL9Nf0iVbSJNTRK:2aGwJ+TO496nU/nO7jdnky

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4596	UpdateTool.exe
1628	TruCheckSetup.exe

Loads dropped DLL 2 IoCs

pid	Process
4088	MsiExec.exe
4088	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
10	2692	msiexec.exe
11	2692	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3576	msiexec.exe
Token: SeShutdownPrivilege	2692	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2692	msiexec.exe
Token: SeCreateTokenPrivilege	2692	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2692	msiexec.exe
Token: SeLockMemoryPrivilege	2692	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2692	msiexec.exe
Token: SeMachineAccountPrivilege	2692	msiexec.exe
Token: SeTcbPrivilege	2692	msiexec.exe
Token: SeSecurityPrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeLoadDriverPrivilege	2692	msiexec.exe
Token: SeSystemProfilePrivilege	2692	msiexec.exe
Token: SeSystemtimePrivilege	2692	msiexec.exe
Token: SeProfSingleProcessPrivilege	2692	msiexec.exe
Token: SeIncBasePriorityPrivilege	2692	msiexec.exe
Token: SeCreatePagefilePrivilege	2692	msiexec.exe
Token: SeCreatePermanentPrivilege	2692	msiexec.exe
Token: SeBackupPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeShutdownPrivilege	2692	msiexec.exe
Token: SeDebugPrivilege	2692	msiexec.exe
Token: SeAuditPrivilege	2692	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2692	msiexec.exe
Token: SeChangeNotifyPrivilege	2692	msiexec.exe
Token: SeRemoteShutdownPrivilege	2692	msiexec.exe
Token: SeUndockPrivilege	2692	msiexec.exe
Token: SeSyncAgentPrivilege	2692	msiexec.exe
Token: SeEnableDelegationPrivilege	2692	msiexec.exe
Token: SeManageVolumePrivilege	2692	msiexec.exe
Token: SeImpersonatePrivilege	2692	msiexec.exe
Token: SeCreateGlobalPrivilege	2692	msiexec.exe
Token: SeCreateTokenPrivilege	2692	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2692	msiexec.exe
Token: SeLockMemoryPrivilege	2692	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2692	msiexec.exe
Token: SeMachineAccountPrivilege	2692	msiexec.exe
Token: SeTcbPrivilege	2692	msiexec.exe
Token: SeSecurityPrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeLoadDriverPrivilege	2692	msiexec.exe
Token: SeSystemProfilePrivilege	2692	msiexec.exe
Token: SeSystemtimePrivilege	2692	msiexec.exe
Token: SeProfSingleProcessPrivilege	2692	msiexec.exe
Token: SeIncBasePriorityPrivilege	2692	msiexec.exe
Token: SeCreatePagefilePrivilege	2692	msiexec.exe
Token: SeCreatePermanentPrivilege	2692	msiexec.exe
Token: SeBackupPrivilege	2692	msiexec.exe
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeShutdownPrivilege	2692	msiexec.exe
Token: SeDebugPrivilege	2692	msiexec.exe
Token: SeAuditPrivilege	2692	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2692	msiexec.exe
Token: SeChangeNotifyPrivilege	2692	msiexec.exe
Token: SeRemoteShutdownPrivilege	2692	msiexec.exe
Token: SeUndockPrivilege	2692	msiexec.exe
Token: SeSyncAgentPrivilege	2692	msiexec.exe
Token: SeEnableDelegationPrivilege	2692	msiexec.exe
Token: SeManageVolumePrivilege	2692	msiexec.exe
Token: SeImpersonatePrivilege	2692	msiexec.exe
Token: SeCreateGlobalPrivilege	2692	msiexec.exe
Token: SeCreateTokenPrivilege	2692	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2692	msiexec.exe
Token: SeLockMemoryPrivilege	2692	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1628	TruCheckSetup.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 4596	4176	TruCheck_v3.03.70_b3647_Updater.exe	79
PID 4176 wrote to memory of 4596	4176	TruCheck_v3.03.70_b3647_Updater.exe	79
PID 4596 wrote to memory of 1628	4596	UpdateTool.exe	84
PID 4596 wrote to memory of 1628	4596	UpdateTool.exe	84
PID 4596 wrote to memory of 1628	4596	UpdateTool.exe	84
PID 1628 wrote to memory of 2692	1628	TruCheckSetup.exe	85
PID 1628 wrote to memory of 2692	1628	TruCheckSetup.exe	85
PID 1628 wrote to memory of 2692	1628	TruCheckSetup.exe	85
PID 3576 wrote to memory of 4088	3576	msiexec.exe	86
PID 3576 wrote to memory of 4088	3576	msiexec.exe	86
PID 3576 wrote to memory of 4088	3576	msiexec.exe	86

C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe
  "C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe" ud=true uf="Setup.exe PreInstallDriver=true"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe" PreInstallDriver=true
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.msi" PreInstallDriver=true
      4⤵
      Blocklisted process makes network request
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2692

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DE4FB1E0A82FF3E3D8A06FB8992A932A C
  2⤵
  - Loads dropped DLL
  PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI9D93.tmp

Filesize
221KB

MD5
911aa8d08b7ccab654e897b0e4439354

SHA1
4f4f16048deae47a2ff5b9849042f62ec51794bc

SHA256
ba56a2fa13e5dae48b6d74a8fa40f2f44473b386e71ba1e7ec2ded90ad56bb8b

SHA512
8aa11f26093e54a62c5390c64e218a8a57cd3374bbce8ecc243042dd8a2214ede1f3befa699837698c0bd42b9b4e011f95c62588b8bdd4da9aae12dabe4b46e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe

Filesize
384KB

MD5
776851d4a843a0717892e075d03f46ce

SHA1
71158f473006c4bbe7c0a5e969c0b346e0c57ac8

SHA256
3242c4e31b2158a950b66220ba6029138be0c00a4534c7e3c3c109cb882f239b

SHA512
57130f320b81da24c784d84b94d2968437f48a7a950944e4c5c31858741d2e31f33cd01992f36fd55b9fcd2fdd425b831da6b7a196bba4d9486d4a8f0aead7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.msi

Filesize
191.6MB

MD5
b42d32a276b782d58420ec171789ed34

SHA1
789505e6363e2fc9942e5b73df99884760273abf

SHA256
704f21dd7d649d9875b903727e232316dda3075feaf9f25efd46134af9c31839

SHA512
63741b75309f8f41a57bd9e1daa4f7e408a73de2d2fe19e2ef3b51dc7d0e1cc5b9d3ba2c2bc3250649992e693a206825081a6cf25badd93c12592c359ec61684

Download Submit
C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe

Filesize
59KB

MD5
d42b83e5e46d7cc78baf0fc96c9eb676

SHA1
f8749d8dcfc7e5ca8ae9c1c61cd07c69ba5179e8

SHA256
1d346380993baeddb1b36928497cc442415e05b761dd66296f85815b13091cb6

SHA512
bafd9284e3de19607cc64c2f1b4ec7d18906f49618aac246ae2ef103e36a918d7f6d0c8df7a45d11e36281dcd95da8b65add4e72228d97fd4f4c43de086b6508

Download Submit
memory/4596-20-0x00007FFDA8280000-0x00007FFDA8C21000-memory.dmp

Filesize
9.6MB

Download
memory/4596-32-0x000000001BAE0000-0x000000001BB7C000-memory.dmp

Filesize
624KB

Download
memory/4596-33-0x0000000001190000-0x0000000001198000-memory.dmp

Filesize
32KB

Download
memory/4596-34-0x00000000011A0000-0x00000000011B0000-memory.dmp

Filesize
64KB

Download
memory/4596-35-0x000000001F1B0000-0x000000001F212000-memory.dmp

Filesize
392KB

Download
memory/4596-31-0x000000001C6B0000-0x000000001CB7E000-memory.dmp

Filesize
4.8MB

Download
memory/4596-19-0x00000000011A0000-0x00000000011B0000-memory.dmp

Filesize
64KB

Download
memory/4596-41-0x00007FFDA8280000-0x00007FFDA8C21000-memory.dmp

Filesize
9.6MB

Download
memory/4596-18-0x00007FFDA8280000-0x00007FFDA8C21000-memory.dmp

Filesize
9.6MB

Download