17b9f275942054333847e4584d794ed7429ad83b72038ff20e04161332095460

General

Target

HotspotShield-9.8.7-plain-773-PreActive.exe
Size

25.5MB
MD5

e7ff4977ea73d84aaf8e5de447489f20
SHA1

df200d238f5860279040a03eeb5eb0ab0afa7f08
SHA256

17b9f275942054333847e4584d794ed7429ad83b72038ff20e04161332095460
SHA512

46f3125e0c6d0e23de2cf665a70562e7685721b0e06fb50f204047cbb138b20d53603bd138798f0fd31bfcc4d2eb54e7e82385e2e9df4dd23d4ef6d97c52b584
SSDEEP

786432:94hCXFF1fPYah+tZGgX1ozNSq0gpxDcrX:6IXFF11+tZtlozNSq5peL

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

Processes:

MsiExec.exe

pid	process
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe
4580	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HotspotShield-9.8.7-plain-773-PreActive.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\N:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\K:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\P:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\Y:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\X:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\G:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\T:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\U:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\L:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\V:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\I:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\Q:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\S:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\W:	HotspotShield-9.8.7-plain-773-PreActive.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	HotspotShield-9.8.7-plain-773-PreActive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeHotspotShield-9.8.7-plain-773-PreActive.exe

description	pid	process
Token: SeSecurityPrivilege	728	msiexec.exe
Token: SeCreateTokenPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeAssignPrimaryTokenPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeLockMemoryPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeIncreaseQuotaPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeMachineAccountPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeTcbPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeSecurityPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeTakeOwnershipPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeLoadDriverPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeSystemProfilePrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeSystemtimePrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeProfSingleProcessPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeIncBasePriorityPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeCreatePagefilePrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeCreatePermanentPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeBackupPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeRestorePrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeShutdownPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeDebugPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeAuditPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeSystemEnvironmentPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeChangeNotifyPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeRemoteShutdownPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeUndockPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeSyncAgentPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeEnableDelegationPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeManageVolumePrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeImpersonatePrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeCreateGlobalPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeCreateTokenPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeAssignPrimaryTokenPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeLockMemoryPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeIncreaseQuotaPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeMachineAccountPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeTcbPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeSecurityPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeTakeOwnershipPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeLoadDriverPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeSystemProfilePrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeSystemtimePrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeProfSingleProcessPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeIncBasePriorityPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeCreatePagefilePrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeCreatePermanentPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeBackupPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeRestorePrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeShutdownPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeDebugPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeAuditPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeSystemEnvironmentPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeChangeNotifyPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeRemoteShutdownPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeUndockPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeSyncAgentPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeEnableDelegationPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeManageVolumePrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeImpersonatePrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeCreateGlobalPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeCreateTokenPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeAssignPrimaryTokenPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeLockMemoryPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeIncreaseQuotaPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe
Token: SeMachineAccountPrivilege	4292	HotspotShield-9.8.7-plain-773-PreActive.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 728 wrote to memory of 4580	728	msiexec.exe	MsiExec.exe
PID 728 wrote to memory of 4580	728	msiexec.exe	MsiExec.exe
PID 728 wrote to memory of 4580	728	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\HotspotShield-9.8.7-plain-773-PreActive.exe
"C:\Users\Admin\AppData\Local\Temp\HotspotShield-9.8.7-plain-773-PreActive.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4C73DB538693AAAE4D3270ACCEF7D6E9 C
2⤵
- Loads dropped DLL
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4212 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4292\i001upd.png
Filesize
50KB

MD5
9e3d2da837304d1e277568820bea4841

SHA1
68975bf7379ec097876d92154b6a7ce9f9394a15

SHA256
dd4042ba64b4864526bf816035cc135c22ff125983edc0d7a7481afeb8633620

SHA512
3e004395a0143cbca0196fb1910ad5aba312b031ef89fdf8f58243743fd20279db1aab6d202cb0bc39b4e357c66d1e3b55335f266124b58d1d8a37c2c9f9c4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3610.tmp
Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3759.tmp
Filesize
834KB

MD5
b0b2090c4200fb19e335598969a40f26

SHA1
e31d5533f85ef03dd8eb21723df14ff71586bb60

SHA256
e16ce1f8a1b24d03353502af35fa159ab9962b4ecce8f3bb9dd4b075552505cd

SHA512
177dad69d6773dab432a39a91f113949573caa3f3513e1e79361e9d74efe813746bd25a9101ec6436be7476cd77b663102d7ee138a01afbc902738e3ad75fce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI44BD.tmp
Filesize
525KB

MD5
1c62521f4ade74fe465aaf61049c3634

SHA1
758bd079f98c5f1153213a4c78ee25f89eb64fa6

SHA256
ae5544ebfa8d92072562dcc4f3a6b48e77ab1a1e263e8e8dabebf6a627286f9e

SHA512
4b58f0216f2dcfff69f3e668d09e21c0c85a7087a01621f43a787344afcf31d05644b9374b2ee4719b2ede0019d88083104f7a8122409c1ea961a9c5016262fd

Download Submit
C:\Users\Admin\AppData\Roaming\hss721.blogspot.com\Hotspot Shield 9.8.7 Pre-Active 9.8.7.11577\install\lockHotspot Shield 9.8.7.1155_New.msi
Filesize
3.1MB

MD5
cf4269c3d102e0135c4bd545f2afc873

SHA1
f69374358a9d630e06f96bb4f689e273f57d4b4d

SHA256
f188a500beef2b19c7371a18c075ad75ee56d455b140f108a43ee6f139c85888

SHA512
7b49b99403e717a8ced8691104d34e395327b1f55bcfb739a95437ca53fb74247f321e4c5c9254504925185f9404a30a648f1817d1f708a208290b806a3caf21

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads