Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-04-2024 07:12
Static task: static1
Behavioral task: behavioral1
- Sample: MeTSetup (1).exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: MeTSetup (1).exe
- Resource: win10v2004-20240226-en
General
- Target: MeTSetup (1).exe
- Size: 77.7MB
- MD5: f0c83297881486535346fc2b7e12f1fd
- SHA1: 18c22e11378cca745750a9302e17495b48d6ce90
- SHA256: c2c04f7a5b75da5fe87f100d9f8b92b340b66148dbef0c6314a54f2a8b8cb4cd
- SHA512: f4cf463b428c4115eb5042db37e3896a039b916259951f64778f6aa6101941f187abe348b6f3e4f30746ceba6c003e76d8aa2266f2183f07f52606a2633277ee
- SSDEEP: 1572864:OGubpsnuEY7TBXuTCQlGuoeHxdEOH+PrJ+4YvQsD2s6FJ:OWnuEWVX+RlnDSOQhJ
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | setup.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  3832 | setup.exe
- Blocklisted process makes network request (4 IoCs)
  flow | pid | Process
  16 | 3416 | msiexec.exe
  17 | 3416 | msiexec.exe
  20 | 3416 | msiexec.exe
  22 | 3416 | msiexec.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) by msiexec.exe: \??\H:, \??\Y:, \??\Z:, \??\B:, \??\E:, \??\P:, \??\Q:, \??\S:, \??\U:, \??\X:, \??\A:, \??\J:, \??\R:, \??\V:, \??\W:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\T:, \??\G:, \??\I:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | setup.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  3832 | setup.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3416 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 3416 | msiexec.exe
  Token: SeSecurityPrivilege | 4168 | msiexec.exe
  Token: SeCreateTokenPrivilege | 3416 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 3416 | msiexec.exe
  Token: SeLockMemoryPrivilege | 3416 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 3416 | msiexec.exe
  Token: SeMachineAccountPrivilege | 3416 | msiexec.exe
  Token: SeTcbPrivilege | 3416 | msiexec.exe
  Token: SeSecurityPrivilege | 3416 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3416 | msiexec.exe
  Token: SeLoadDriverPrivilege | 3416 | msiexec.exe
  Token: SeSystemProfilePrivilege | 3416 | msiexec.exe
  Token: SeSystemtimePrivilege | 3416 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 3416 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 3416 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 3416 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 3416 | msiexec.exe
  Token: SeBackupPrivilege | 3416 | msiexec.exe
  Token: SeRestorePrivilege | 3416 | msiexec.exe
  Token: SeShutdownPrivilege | 3416 | msiexec.exe
  Token: SeDebugPrivilege | 3416 | msiexec.exe
  Token: SeAuditPrivilege | 3416 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 3416 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 3416 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 3416 | msiexec.exe
  Token: SeUndockPrivilege | 3416 | msiexec.exe
  Token: SeSyncAgentPrivilege | 3416 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 3416 | msiexec.exe
  Token: SeManageVolumePrivilege | 3416 | msiexec.exe
  Token: SeImpersonatePrivilege | 3416 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 3416 | msiexec.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  3416 | msiexec.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1812 wrote to memory of 3832 | 1812 | MeTSetup (1).exe | 83
  PID 1812 wrote to memory of 3832 | 1812 | MeTSetup (1).exe | 83
  PID 1812 wrote to memory of 3832 | 1812 | MeTSetup (1).exe | 83
  PID 3832 wrote to memory of 3416 | 3832 | setup.exe | 84
  PID 3832 wrote to memory of 3416 | 3832 | setup.exe | 84
  PID 3832 wrote to memory of 3416 | 3832 | setup.exe | 84
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\MeTSetup (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MeTSetup (1).exe"
  - Suspicious use of WriteProcessMemory
  PID: 1812
  - Path: C:\Users\Admin\AppData\Local\Temp\MET_SETUP_a04472\setup.exe
    Command line: setup.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3832
    - Path: C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\MET_a04500\setup.msi"
      - Blocklisted process makes network request
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID: 3416
- Path: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 4168
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 77.4MB
  MD5: 67ce46f5508574cbeca12583960b4717
  SHA1: 96130fc87ad6657eb62adac61655613c9d267e6f
  SHA256: 4969f7f0653c2f9353a878be2577664d68110090ea503efffb75ff5e6cac820c
  SHA512: d89d7cb7b0d1fdf198d8dd0f8cd900c353ef3359314e9a326e195f61eeb770c36d67b19e1eca2c6d92446f6eddc6a918002be589285c3c34ce387ed65696149e
- Filesize: 43.9MB
  MD5: 80f780f89273fed90c84d7ba9901437d
  SHA1: 70106b845e69a69e9e98229a4a7942c1b77ec20d
  SHA256: 96e65c40e476ad1a6c32b4af0c1378fabb8f86577d7a6fbe984981fd460b0739
  SHA512: f4b079a8cb53c0437aca51d77c5d8d8c915c142acff67043f25b563bfeafd735848a3d8c9e5c4231319a8e5b5dcc513512df7e44461967728a7e1f06cec277cf