Overview
overview
7Static
static
366816bc1d6...29.exe
windows7-x64
366816bc1d6...29.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$_5_/apps/...ck.exe
windows7-x64
1$_5_/apps/...ck.exe
windows10-2004-x64
1$_5_/apps/...ck.exe
windows7-x64
1$_5_/apps/...ck.exe
windows10-2004-x64
1$_5_/insta...64.msi
windows7-x64
6$_5_/insta...64.msi
windows10-2004-x64
6$_5_/insta...64.exe
windows7-x64
7$_5_/insta...64.exe
windows10-2004-x64
7$_5_/insta...64.exe
windows7-x64
6$_5_/insta...64.exe
windows10-2004-x64
6BezierCurv...ild.js
windows7-x64
1BezierCurv...ild.js
windows10-2004-x64
1BezierCurv...x.html
windows7-x64
1BezierCurv...x.html
windows10-2004-x64
1DS4Updater.exe
windows7-x64
1DS4Updater.exe
windows10-2004-x64
6DS4Windows.exe
windows7-x64
1DS4Windows.exe
windows10-2004-x64
1DS4Windows.exe
windows7-x64
1DS4Windows.exe
windows10-2004-x64
6DotNetProj...it.dll
windows7-x64
1DotNetProj...it.dll
windows10-2004-x64
1FakerInputDll.dll
windows7-x64
1FakerInputDll.dll
windows10-2004-x64
1Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
29/04/2024, 01:13
Static task
static1
Behavioral task
behavioral1
Sample
66816bc1d6e87ea949e642c1869672e035cf36f113f1fb73f5a32b90d7605c29.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
66816bc1d6e87ea949e642c1869672e035cf36f113f1fb73f5a32b90d7605c29.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$_5_/apps/DriverUtilCheck.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$_5_/apps/DriverUtilCheck.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$_5_/apps/NetCheck.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral12
Sample
$_5_/apps/NetCheck.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$_5_/installers/FakerInput_0.1.0_x64.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
$_5_/installers/FakerInput_0.1.0_x64.msi
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$_5_/installers/HidHide_1.2.98_x64.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
$_5_/installers/HidHide_1.2.98_x64.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$_5_/installers/ViGEmBus_1.22.0_x64_x86_arm64.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral18
Sample
$_5_/installers/ViGEmBus_1.22.0_x64_x86_arm64.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
BezierCurveEditor/build.js
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral20
Sample
BezierCurveEditor/build.js
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
BezierCurveEditor/index.html
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
BezierCurveEditor/index.html
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
DS4Updater.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
DS4Updater.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
DS4Windows.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral26
Sample
DS4Windows.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
DS4Windows.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
DS4Windows.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
DotNetProjects.Wpf.Extended.Toolkit.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral30
Sample
DotNetProjects.Wpf.Extended.Toolkit.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
FakerInputDll.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
FakerInputDll.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
$_5_/installers/FakerInput_0.1.0_x64.msi
-
Size
1.0MB
-
MD5
ef89b82cfe6bc803693218d0b6a11c1f
-
SHA1
e424a3d497b897520629ad6d87a94b7e203fc4af
-
SHA256
30cf218b624740a91be4fcca3adfb4550ba8cc8f31ac9625fe39d238e64d13ea
-
SHA512
09d336db2cf49de68cd290dbe271e14fa5bcecc935ea040c4ef96d595f26fe279a9183b47bc3bd87d0e2668fa145b1e6a79653ab3168884227e0548bd20b195a
-
SSDEEP
24576:tfauHL0lGYMPJ7Uo2DD5iR80PFOP65xU/:tfHr0lIJ7zWwm0PFOy/U
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeShutdownPrivilege 3424 msiexec.exe Token: SeIncreaseQuotaPrivilege 3424 msiexec.exe Token: SeSecurityPrivilege 3932 msiexec.exe Token: SeCreateTokenPrivilege 3424 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3424 msiexec.exe Token: SeLockMemoryPrivilege 3424 msiexec.exe Token: SeIncreaseQuotaPrivilege 3424 msiexec.exe Token: SeMachineAccountPrivilege 3424 msiexec.exe Token: SeTcbPrivilege 3424 msiexec.exe Token: SeSecurityPrivilege 3424 msiexec.exe Token: SeTakeOwnershipPrivilege 3424 msiexec.exe Token: SeLoadDriverPrivilege 3424 msiexec.exe Token: SeSystemProfilePrivilege 3424 msiexec.exe Token: SeSystemtimePrivilege 3424 msiexec.exe Token: SeProfSingleProcessPrivilege 3424 msiexec.exe Token: SeIncBasePriorityPrivilege 3424 msiexec.exe Token: SeCreatePagefilePrivilege 3424 msiexec.exe Token: SeCreatePermanentPrivilege 3424 msiexec.exe Token: SeBackupPrivilege 3424 msiexec.exe Token: SeRestorePrivilege 3424 msiexec.exe Token: SeShutdownPrivilege 3424 msiexec.exe Token: SeDebugPrivilege 3424 msiexec.exe Token: SeAuditPrivilege 3424 msiexec.exe Token: SeSystemEnvironmentPrivilege 3424 msiexec.exe Token: SeChangeNotifyPrivilege 3424 msiexec.exe Token: SeRemoteShutdownPrivilege 3424 msiexec.exe Token: SeUndockPrivilege 3424 msiexec.exe Token: SeSyncAgentPrivilege 3424 msiexec.exe Token: SeEnableDelegationPrivilege 3424 msiexec.exe Token: SeManageVolumePrivilege 3424 msiexec.exe Token: SeImpersonatePrivilege 3424 msiexec.exe Token: SeCreateGlobalPrivilege 3424 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3424 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$_5_\installers\FakerInput_0.1.0_x64.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3424
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3932