d49ed964715bf45ffba6d1d56e564864d958814f721a646bc7f7d48fe43ebcfb

General

Target

Web Data Miner 5.2.3.33 Multilingual/web-data-miner.exe
Size

8.8MB
MD5

326b7fac3b8b8829eb909738dc5ba848
SHA1

c239bc68aceb1a7404a99571d641d3b6d17fcbb5
SHA256

700d3a600e9ce48d885f02e72844aada2b66f4286b4a41da9ed3c65fb64c02d9
SHA512

b1ab6a20e19a8f7231386bbb533565e9e21802b184c087ca17a1ff402568757a115eeeb8c6906f89f4423ebf45d10543782d662d499aee76a2fd8519e4a3e9f3
SSDEEP

196608:BG0DNw3Ovajel1vEEBhmWYqFdQejq7Oc/6uF6Kbf:HDaiD84TFuUqKc/6uFx

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	4692	MSIEXEC.EXE
19	4692	MSIEXEC.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4692	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4692	MSIEXEC.EXE
Token: SeSecurityPrivilege	3312	msiexec.exe
Token: SeCreateTokenPrivilege	4692	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4692	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4692	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4692	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4692	MSIEXEC.EXE
Token: SeTcbPrivilege	4692	MSIEXEC.EXE
Token: SeSecurityPrivilege	4692	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4692	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4692	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4692	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4692	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4692	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4692	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4692	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4692	MSIEXEC.EXE
Token: SeBackupPrivilege	4692	MSIEXEC.EXE
Token: SeRestorePrivilege	4692	MSIEXEC.EXE
Token: SeShutdownPrivilege	4692	MSIEXEC.EXE
Token: SeDebugPrivilege	4692	MSIEXEC.EXE
Token: SeAuditPrivilege	4692	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4692	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4692	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4692	MSIEXEC.EXE
Token: SeUndockPrivilege	4692	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4692	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4692	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4692	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4692	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4692	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4692	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 4692	2240	web-data-miner.exe	90
PID 2240 wrote to memory of 4692	2240	web-data-miner.exe	90
PID 2240 wrote to memory of 4692	2240	web-data-miner.exe	90

C:\Users\Admin\AppData\Local\Temp\Web Data Miner 5.2.3.33 Multilingual\web-data-miner.exe
"C:\Users\Admin\AppData\Local\Temp\Web Data Miner 5.2.3.33 Multilingual\web-data-miner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{558B4636-10DE-4371-A1EE-C2FFC0AE44D0}\Web Data Miner.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\Web Data Miner 5.2.3.33 Multilingual" SETUPEXENAME="web-data-miner.exe"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4692

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1320 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Downloaded Installations\{558B4636-10DE-4371-A1EE-C2FFC0AE44D0}\Web Data Miner.msi

Filesize
5.9MB

MD5
6a825caf323b3984266f4c5a91d31680

SHA1
381c221aad5e7f243057f3904809f37b7663330d

SHA256
c322cc6c82ca24edbdba2d7e38dfa19adc1da7abf7190dc77950f537134618dd

SHA512
c3543908bc93e06ae588c1e4b2e627fe1b0d03ac046b49bd00f501b414d1c432c35fcf3a20af9b3daa10f488b6488d9aed9f203b5d13a7cf02e8f845bd992732

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2BCA2719-D506-47A0-97C2-06F17A44A196}\0x0409.ini

Filesize
21KB

MD5
8586214463bd73e1c2716113e5bd3e13

SHA1
f02e3a76fd177964a846d4aa0a23f738178db2be

SHA256
089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54

SHA512
309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~F5.tmp

Filesize
5KB

MD5
93aa3dec6071d944315a322a5b9d10e5

SHA1
961f525746049742f2b20401c66855633ee4dc2a

SHA256
4bfe580511ef26dd34dcac9adac270f93a986cfeeb54be5c37fd2e6573f80e48

SHA512
d3275bafa180cc0541001cd0307caa71d43f1907e458aaff0c732ffbd510912fcc70d39e761c3f8f52796b72ec5d8e45232e6828ec05861bcf59f14c1071fff3

Download Submit

Analysis

Sharing