Analysis
max time kernel: 141s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-04-2024 17:30
Static task: static1
Behavioral task: behavioral1
  Sample: HotspotShield-9.8.7-plain-773-PreActive.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: HotspotShield-9.8.7-plain-773-PreActive.exe
  Resource: win10v2004-20240226-en
General
Target: HotspotShield-9.8.7-plain-773-PreActive.exe
Size: 25.5MB
MD5: e7ff4977ea73d84aaf8e5de447489f20
SHA1: df200d238f5860279040a03eeb5eb0ab0afa7f08
SHA256: 17b9f275942054333847e4584d794ed7429ad83b72038ff20e04161332095460
SHA512: 46f3125e0c6d0e23de2cf665a70562e7685721b0e06fb50f204047cbb138b20d53603bd138798f0fd31bfcc4d2eb54e7e82385e2e9df4dd23d4ef6d97c52b584
SSDEEP: 786432:94hCXFF1fPYah+tZGgX1ozNSq0gpxDcrX:6IXFF11+tZtlozNSq5peL
Malware Config
Signatures
- Loads dropped DLL (10 IoCs)
  Processes:
    pid   process
    4580  MsiExec.exe (10 dropped-DLL load events, all from this one process)
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    HotspotShield-9.8.7-plain-773-PreActive.exe: File opened (read-only) on each of
      \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O:
      \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 IoCs)
    msiexec.exe: File opened (read-only) on the same 23 drive letters, i.e. every letter except C:, D: and F: (23 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    msiexec.exe (pid 728): Token: SeSecurityPrivilege (1 IoC)
    HotspotShield-9.8.7-plain-773-PreActive.exe (pid 4292): Token: the following 29 privileges, in this order:
      SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege,
      SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
      SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege,
      SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege,
      SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege,
      SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
      SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
      SeCreateGlobalPrivilege
      This 29-entry sequence is recorded twice in full and then a third time up to SeMachineAccountPrivilege, where the report's 64-IoC cap is reached (63 IoCs).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description              pid  process      target process
    PID 728 wrote to memory of 4580  728  msiexec.exe  MsiExec.exe (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\HotspotShield-9.8.7-plain-773-PreActive.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HotspotShield-9.8.7-plain-773-PreActive.exe"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 4C73DB538693AAAE4D3270ACCEF7D6E9 C
    - Loads dropped DLL
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4212 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4292\i001upd.png
  Filesize: 50KB
  MD5: 9e3d2da837304d1e277568820bea4841
  SHA1: 68975bf7379ec097876d92154b6a7ce9f9394a15
  SHA256: dd4042ba64b4864526bf816035cc135c22ff125983edc0d7a7481afeb8633620
  SHA512: 3e004395a0143cbca0196fb1910ad5aba312b031ef89fdf8f58243743fd20279db1aab6d202cb0bc39b4e357c66d1e3b55335f266124b58d1d8a37c2c9f9c4c7
- C:\Users\Admin\AppData\Local\Temp\MSI3610.tmp
  Filesize: 376KB
  MD5: c39daeba173815516c180ca4361f7895
  SHA1: db3ae54329834baa954569a35be5b947c86dc25e
  SHA256: a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
  SHA512: e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
- C:\Users\Admin\AppData\Local\Temp\MSI3759.tmp
  Filesize: 834KB
  MD5: b0b2090c4200fb19e335598969a40f26
  SHA1: e31d5533f85ef03dd8eb21723df14ff71586bb60
  SHA256: e16ce1f8a1b24d03353502af35fa159ab9962b4ecce8f3bb9dd4b075552505cd
  SHA512: 177dad69d6773dab432a39a91f113949573caa3f3513e1e79361e9d74efe813746bd25a9101ec6436be7476cd77b663102d7ee138a01afbc902738e3ad75fce2
- C:\Users\Admin\AppData\Local\Temp\MSI44BD.tmp
  Filesize: 525KB
  MD5: 1c62521f4ade74fe465aaf61049c3634
  SHA1: 758bd079f98c5f1153213a4c78ee25f89eb64fa6
  SHA256: ae5544ebfa8d92072562dcc4f3a6b48e77ab1a1e263e8e8dabebf6a627286f9e
  SHA512: 4b58f0216f2dcfff69f3e668d09e21c0c85a7087a01621f43a787344afcf31d05644b9374b2ee4719b2ede0019d88083104f7a8122409c1ea961a9c5016262fd
- C:\Users\Admin\AppData\Roaming\hss721.blogspot.com\Hotspot Shield 9.8.7 Pre-Active 9.8.7.11577\install\lockHotspot Shield 9.8.7.1155_New.msi
  Filesize: 3.1MB
  MD5: cf4269c3d102e0135c4bd545f2afc873
  SHA1: f69374358a9d630e06f96bb4f689e273f57d4b4d
  SHA256: f188a500beef2b19c7371a18c075ad75ee56d455b140f108a43ee6f139c85888
  SHA512: 7b49b99403e717a8ced8691104d34e395327b1f55bcfb739a95437ca53fb74247f321e4c5c9254504925185f9404a30a648f1817d1f708a208290b806a3caf21