5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df

General

Target

5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe
Size

8.7MB
MD5

9e8f3c4a4c31ec0f1c6849780a0b0b95
SHA1

bb5fa3354b6eb27b71f1e560eb1b58b1207b8bf2
SHA256

5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df
SHA512

100f285bf664612dd9544133c36edc6b3edb85e872d510e25ce898ae27c48ac21cf150abf4dc6951935538835d6ae8331229591294e26979bd030ef7db8f17a7
SSDEEP

196608:GqA0V4083MMeWhk5gGrC8tbXUD9VZg+Z6Tekrw1t2HTI:HVb88M3k5gGrC8dszg+e9lHTI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4116	5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3720	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3720	MSIEXEC.EXE
Token: SeSecurityPrivilege	4328	msiexec.exe
Token: SeCreateTokenPrivilege	3720	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3720	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3720	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3720	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3720	MSIEXEC.EXE
Token: SeTcbPrivilege	3720	MSIEXEC.EXE
Token: SeSecurityPrivilege	3720	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3720	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3720	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3720	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3720	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3720	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3720	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3720	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3720	MSIEXEC.EXE
Token: SeBackupPrivilege	3720	MSIEXEC.EXE
Token: SeRestorePrivilege	3720	MSIEXEC.EXE
Token: SeShutdownPrivilege	3720	MSIEXEC.EXE
Token: SeDebugPrivilege	3720	MSIEXEC.EXE
Token: SeAuditPrivilege	3720	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3720	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3720	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3720	MSIEXEC.EXE
Token: SeUndockPrivilege	3720	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3720	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3720	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3720	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3720	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3720	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3720	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 4116	3928	5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe	92
PID 3928 wrote to memory of 4116	3928	5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe	92
PID 3928 wrote to memory of 4116	3928	5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe	92
PID 4116 wrote to memory of 3720	4116	5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe	93
PID 4116 wrote to memory of 3720	4116	5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe	93
PID 4116 wrote to memory of 3720	4116	5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe	93

C:\Users\Admin\AppData\Local\Temp\5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe
"C:\Users\Admin\AppData\Local\Temp\5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Users\Admin\AppData\Local\Temp\{00C662AD-D656-4A9F-A263-66AA76B08EAB}\5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe
  C:\Users\Admin\AppData\Local\Temp\{00C662AD-D656-4A9F-A263-66AA76B08EAB}\5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe /q"C:\Users\Admin\AppData\Local\Temp\5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{00C662AD-D656-4A9F-A263-66AA76B08EAB}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{1C67A31E-2BEB-4874-B85A-FE0E3917CF9A}\AX_Series_MP_Install.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3720

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Downloaded Installations\{1C67A31E-2BEB-4874-B85A-FE0E3917CF9A}\AX_Series_MP_Install.msi

Filesize
8.2MB

MD5
8b570bd93b215bf22b128586a9aadb6a

SHA1
d6df1d59f56902a5bf042ab012ae6fa62a451228

SHA256
c35794a921dfce368efb02c1a39f39abb092d4bd0e5565a5067a438a73cbc8f9

SHA512
82632a6c7d8e28c4462f961b8b737ecf64f3cf7ef33321a60c4a290f2e45cea78339b3b6a0f1186c7660b2f4b702650fdb6b15c397a0ac5ed387753f44ae1834

Download Submit
C:\Users\Admin\AppData\Local\Temp\{00C662AD-D656-4A9F-A263-66AA76B08EAB}\0x0409.ini

Filesize
22KB

MD5
1196f20ca8bcaa637625e6a061d74c9e

SHA1
d0946b58676c9c6e57645dbcffc92c61eca3b274

SHA256
cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29

SHA512
75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{00C662AD-D656-4A9F-A263-66AA76B08EAB}\5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df.exe

Filesize
8.7MB

MD5
9e8f3c4a4c31ec0f1c6849780a0b0b95

SHA1
bb5fa3354b6eb27b71f1e560eb1b58b1207b8bf2

SHA256
5288044798930c99df13246e23d6577f938ace554bd7208d10e55ff7b1f003df

SHA512
100f285bf664612dd9544133c36edc6b3edb85e872d510e25ce898ae27c48ac21cf150abf4dc6951935538835d6ae8331229591294e26979bd030ef7db8f17a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{00C662AD-D656-4A9F-A263-66AA76B08EAB}\_ISMSIDEL.INI

Filesize
828B

MD5
b8a810163d3bfceefa2d48b50e02d5c4

SHA1
fe7a5827aa4dad29845d2e092ce1d81de74a5f34

SHA256
9cb5145a529d13c5ead21c35e42497bb52fdf265a32746bddef1e02531bc461e

SHA512
8ed8744997d70918a3bac27bdfde3d1796a2012cc2b284b936df12347241321938faf2ddbd1c6da52f74d514209f1d4d9bdfc692832e49f2ca89716506dc583d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5689.tmp

Filesize
5KB

MD5
e253c3106e9852f8a3a18b3357ceeb0a

SHA1
034cb1cd1605284cb1159691e56060b5207a7940

SHA256
53ceda887053637680a68fb3b2d5d274eb6f69b65c4b962fb3057d8a7e41c9d8

SHA512
105bd2feec9d1a87bc449139208d62e5263164507477656fce14482b12262449e58f1624f6be627488bc201baf0f2115483ec6cb2bf8fd516cb3615c239b5864

Download Submit

Analysis

Sharing