Analysis
-
max time kernel
133s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07-05-2024 23:45
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7-20231129-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
Setup.exe
-
Size
941KB
-
MD5
0e6a6b22e10a5e7ec041b27dfb028b21
-
SHA1
29df4fcc3392e0283ec0a117ae62d5cfc69034ed
-
SHA256
6ef5d2c1b0483e36a7d5bc8413189cb02303c111dbb9f74a8b78c50d0f25f7b9
-
SHA512
f01f1d5489bfbefd742f8fa1da6fa6caa4e194c748871ecef3874401484647ac5d4d9467a5d74b8d2c0e88ed3a1cfcbde63cb09da43ea0bc4735f1ffd2f87920
-
SSDEEP
12288:NditaBc8+n8KUbj3E/jsJoD4wT/VkPmyCPsjcVH/cONWNNNlqPK4gF2MpgXD4UQK:NdY7n8Kf/jsJonPK4g8JXD4UUy
Score
1/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeShutdownPrivilege 3648 Msiexec.exe Token: SeIncreaseQuotaPrivilege 3648 Msiexec.exe Token: SeSecurityPrivilege 2872 msiexec.exe Token: SeCreateTokenPrivilege 3648 Msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3648 Msiexec.exe Token: SeLockMemoryPrivilege 3648 Msiexec.exe Token: SeIncreaseQuotaPrivilege 3648 Msiexec.exe Token: SeMachineAccountPrivilege 3648 Msiexec.exe Token: SeTcbPrivilege 3648 Msiexec.exe Token: SeSecurityPrivilege 3648 Msiexec.exe Token: SeTakeOwnershipPrivilege 3648 Msiexec.exe Token: SeLoadDriverPrivilege 3648 Msiexec.exe Token: SeSystemProfilePrivilege 3648 Msiexec.exe Token: SeSystemtimePrivilege 3648 Msiexec.exe Token: SeProfSingleProcessPrivilege 3648 Msiexec.exe Token: SeIncBasePriorityPrivilege 3648 Msiexec.exe Token: SeCreatePagefilePrivilege 3648 Msiexec.exe Token: SeCreatePermanentPrivilege 3648 Msiexec.exe Token: SeBackupPrivilege 3648 Msiexec.exe Token: SeRestorePrivilege 3648 Msiexec.exe Token: SeShutdownPrivilege 3648 Msiexec.exe Token: SeDebugPrivilege 3648 Msiexec.exe Token: SeAuditPrivilege 3648 Msiexec.exe Token: SeSystemEnvironmentPrivilege 3648 Msiexec.exe Token: SeChangeNotifyPrivilege 3648 Msiexec.exe Token: SeRemoteShutdownPrivilege 3648 Msiexec.exe Token: SeUndockPrivilege 3648 Msiexec.exe Token: SeSyncAgentPrivilege 3648 Msiexec.exe Token: SeEnableDelegationPrivilege 3648 Msiexec.exe Token: SeManageVolumePrivilege 3648 Msiexec.exe Token: SeImpersonatePrivilege 3648 Msiexec.exe Token: SeCreateGlobalPrivilege 3648 Msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3648 Msiexec.exe 3648 Msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 216 Setup.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 216 wrote to memory of 3648 216 Setup.exe 84 PID 216 wrote to memory of 3648 216 Setup.exe 84 PID 216 wrote to memory of 3648 216 Setup.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Msiexec.exeMsiexec /I "" REBOOT=ReallySuppress /qb2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3648
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872