e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed

Analysis

max time kernel
133s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe
Size

3.5MB
MD5

2e74d6fa9f7ad6604f4474d3a88df538
SHA1

94ddd1699392c49aea7f9a610ed5487ea5d30a07
SHA256

a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a
SHA512

38725af1c782e2378327ed536ff71e50b429b0fa1eca4299ddaee229ff16d9a18cebfcb44db81d799dfa19278e9f8d961598c1a94c15001be8c8c9daba2667f5
SSDEEP

98304:yHWz45HmcCm7AKb1UcPwX7fVhIdG9k3kKoN:yHWzG1IBnwu

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation setup.exe
Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

1384 setup.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

4352 MsiExec.exe
4352 MsiExec.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	setup.exe

pid	process
1384	setup.exe

pid	process
4352	MsiExec.exe
4352	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1528	WMIC.exe
Token: SeSecurityPrivilege	1528	WMIC.exe
Token: SeTakeOwnershipPrivilege	1528	WMIC.exe
Token: SeLoadDriverPrivilege	1528	WMIC.exe
Token: SeSystemProfilePrivilege	1528	WMIC.exe
Token: SeSystemtimePrivilege	1528	WMIC.exe
Token: SeProfSingleProcessPrivilege	1528	WMIC.exe
Token: SeIncBasePriorityPrivilege	1528	WMIC.exe
Token: SeCreatePagefilePrivilege	1528	WMIC.exe
Token: SeBackupPrivilege	1528	WMIC.exe
Token: SeRestorePrivilege	1528	WMIC.exe
Token: SeShutdownPrivilege	1528	WMIC.exe
Token: SeDebugPrivilege	1528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1528	WMIC.exe
Token: SeRemoteShutdownPrivilege	1528	WMIC.exe
Token: SeUndockPrivilege	1528	WMIC.exe
Token: SeManageVolumePrivilege	1528	WMIC.exe
Token: 33	1528	WMIC.exe
Token: 34	1528	WMIC.exe
Token: 35	1528	WMIC.exe
Token: 36	1528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1528	WMIC.exe
Token: SeSecurityPrivilege	1528	WMIC.exe
Token: SeTakeOwnershipPrivilege	1528	WMIC.exe
Token: SeLoadDriverPrivilege	1528	WMIC.exe
Token: SeSystemProfilePrivilege	1528	WMIC.exe
Token: SeSystemtimePrivilege	1528	WMIC.exe
Token: SeProfSingleProcessPrivilege	1528	WMIC.exe
Token: SeIncBasePriorityPrivilege	1528	WMIC.exe
Token: SeCreatePagefilePrivilege	1528	WMIC.exe
Token: SeBackupPrivilege	1528	WMIC.exe
Token: SeRestorePrivilege	1528	WMIC.exe
Token: SeShutdownPrivilege	1528	WMIC.exe
Token: SeDebugPrivilege	1528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1528	WMIC.exe
Token: SeRemoteShutdownPrivilege	1528	WMIC.exe
Token: SeUndockPrivilege	1528	WMIC.exe
Token: SeManageVolumePrivilege	1528	WMIC.exe
Token: 33	1528	WMIC.exe
Token: 34	1528	WMIC.exe
Token: 35	1528	WMIC.exe
Token: 36	1528	WMIC.exe
Token: SeSecurityPrivilege	1940	msiexec.exe
Token: SeShutdownPrivilege	2012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2012	msiexec.exe
Token: SeCreateTokenPrivilege	2012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2012	msiexec.exe
Token: SeLockMemoryPrivilege	2012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2012	msiexec.exe
Token: SeMachineAccountPrivilege	2012	msiexec.exe
Token: SeTcbPrivilege	2012	msiexec.exe
Token: SeSecurityPrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeLoadDriverPrivilege	2012	msiexec.exe
Token: SeSystemProfilePrivilege	2012	msiexec.exe
Token: SeSystemtimePrivilege	2012	msiexec.exe
Token: SeProfSingleProcessPrivilege	2012	msiexec.exe
Token: SeIncBasePriorityPrivilege	2012	msiexec.exe
Token: SeCreatePagefilePrivilege	2012	msiexec.exe
Token: SeCreatePermanentPrivilege	2012	msiexec.exe
Token: SeBackupPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeShutdownPrivilege	2012	msiexec.exe
Token: SeDebugPrivilege	2012	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2012 msiexec.exe

pid	process
2012	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.execmd.execmd.exesetup.exemsiexec.exe

description	pid	process	target process
PID 1808 wrote to memory of 588	1808	a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe	cmd.exe
PID 1808 wrote to memory of 588	1808	a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe	cmd.exe
PID 1808 wrote to memory of 588	1808	a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe	cmd.exe
PID 588 wrote to memory of 852	588	cmd.exe	cmd.exe
PID 588 wrote to memory of 852	588	cmd.exe	cmd.exe
PID 588 wrote to memory of 852	588	cmd.exe	cmd.exe
PID 852 wrote to memory of 1404	852	cmd.exe	reg.exe
PID 852 wrote to memory of 1404	852	cmd.exe	reg.exe
PID 852 wrote to memory of 1404	852	cmd.exe	reg.exe
PID 588 wrote to memory of 1528	588	cmd.exe	WMIC.exe
PID 588 wrote to memory of 1528	588	cmd.exe	WMIC.exe
PID 588 wrote to memory of 1528	588	cmd.exe	WMIC.exe
PID 588 wrote to memory of 1384	588	cmd.exe	setup.exe
PID 588 wrote to memory of 1384	588	cmd.exe	setup.exe
PID 588 wrote to memory of 1384	588	cmd.exe	setup.exe
PID 1384 wrote to memory of 2012	1384	setup.exe	msiexec.exe
PID 1384 wrote to memory of 2012	1384	setup.exe	msiexec.exe
PID 1384 wrote to memory of 2012	1384	setup.exe	msiexec.exe
PID 1940 wrote to memory of 4352	1940	msiexec.exe	MsiExec.exe
PID 1940 wrote to memory of 4352	1940	msiexec.exe	MsiExec.exe
PID 1940 wrote to memory of 4352	1940	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe
"C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release 2>nul
3⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release
4⤵
PID:1404

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic product where name="FiatLink" call uninstall
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
Setup.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FiatLinkSetup.msi"
4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BF04A63C86FC14414E4723B0A10577B3 C
2⤵
- Loads dropped DLL
PID:4352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CheckNF.bat
Filesize
556B

MD5
1f4c5332b3e3f7668c6c0fbd730ef6f7

SHA1
f68d224c39e3d472a4cadfbad6f9f3a57ae6f643

SHA256
2f31c813c6d6c132fdfc1c09cf995944170db0a382f799d9dc32c249407e966c

SHA512
df673b727e5853716de4803d2ce98054a46dfdbcfbb7a7523e8fc34aa4c7fbd3354ea5990e6abf511606bf917c3e50e3bb5489a0f10572dd9aa1e9dea23818ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FiatLinkSetup.msi
Filesize
3.7MB

MD5
7c456cc375ef300f4232063f5d82fc0f

SHA1
3cdb11f579a225b7820250ea3f29ac39b2cecd87

SHA256
d968e60998886a88deed7e9286d4efb90107bc4a068d341cc8b8a2b958720f56

SHA512
13d95cae7ccfcd0d15f383b93f761b059628478f4d851148fc8a78fdadc04bf7f9b9f7cd7240b27acfbc3db5106eb20934093287ba8f22ed13ed07222904c019

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd
Filesize
598B

MD5
83a8232021f3f7690a57948dd1fd3f53

SHA1
785cab55143c51cf13714c7c3827e0324a767b62

SHA256
5bc380a39e687d214b52d425634db1490a44c4e56ae4be1658275a5282db00f0

SHA512
b9347fb089d2f81f61b40c830a578f47614e48da573ba318b020cc89dcfb65fd50a5dcfdba6e8bf6b5eb914ab441fd461db6ebadfa043b008e92018dee3383a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
Filesize
510KB

MD5
a71a3c02f397b830524176f5e7545723

SHA1
d15dfb49314fd2de949b223837b14e9156355122

SHA256
5a8925e95d243ffaeda81be2210fea56fa4e9626484cfadf59da95b485a17ddf

SHA512
a3ba63d54c6afc715bb1e28c90d678ca4f3db6ff8e6a572d984f9c9efaa0fd83a512226aba06a0bf1bdab9780cf922c212b7a9be2e134cec0d395916978b0bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8C71.tmp
Filesize
296KB

MD5
b05f77f77b0f12c6774adf5b1d039b44

SHA1
cbf3aa9477641cc0fc39fbecf0c3b6ff7dbb8487

SHA256
344efb1f63e5ca99558a5b45e8462188447fef13252213761b61a2825919e410

SHA512
f93470597cb77156188de0f5675ae1e4d9b09f3b2ff744ad43b96fb2418e2452624a128c656fd5b26b435ac5dc8efaaaab52ad5dc9dc03017f67d1438da04305

Download Submit