Analysis
max time kernel
1481s
max time network
1452s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags
arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system
submitted
13-05-2024 12:12
Static task
static1
Behavioral task
behavioral1
Sample
VIPAccessSetup.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
VIPAccessSetup.exe
Resource
win11-20240508-en
General
Target
VIPAccessSetup.exe
Size
15.2MB
MD5
4c9eefdf645daec351e2dcc24f23ce11
SHA1
5b448eebcabc9208df32ef4ba7794a7c5e3e6b5e
SHA256
74bf074b7cadce06a8633ec33a91a19ff31dcf2e48cad17b71fe44795f355b60
SHA512
08fb706095ef2f29fbd1deff303608194a88c214f9f04b678dd4200c10cfee74f138827fc9f0e14a8208ac955409de80c2e58821d92ab4c57334a5808b4b63b1
SSDEEP
393216:Qk9ENNSNeklpkbUvwhg1y3QSJg+NXcBNaWEaVZu:b9kSNnQbICOy3QSJLtrUO
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
flow  pid   Process
2     4696  msiexec.exe
3     4696  msiexec.exe
4     4696  msiexec.exe
5     4696  msiexec.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
Executes dropped EXE (1 IoC)
pid   Process
3652  install.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (32 IoCs)
description                            pid   Process
Token: SeShutdownPrivilege             4696  msiexec.exe
Token: SeIncreaseQuotaPrivilege        4696  msiexec.exe
Token: SeSecurityPrivilege             4740  msiexec.exe
Token: SeCreateTokenPrivilege          4696  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege   4696  msiexec.exe
Token: SeLockMemoryPrivilege           4696  msiexec.exe
Token: SeIncreaseQuotaPrivilege        4696  msiexec.exe
Token: SeMachineAccountPrivilege       4696  msiexec.exe
Token: SeTcbPrivilege                  4696  msiexec.exe
Token: SeSecurityPrivilege             4696  msiexec.exe
Token: SeTakeOwnershipPrivilege        4696  msiexec.exe
Token: SeLoadDriverPrivilege           4696  msiexec.exe
Token: SeSystemProfilePrivilege        4696  msiexec.exe
Token: SeSystemtimePrivilege           4696  msiexec.exe
Token: SeProfSingleProcessPrivilege    4696  msiexec.exe
Token: SeIncBasePriorityPrivilege      4696  msiexec.exe
Token: SeCreatePagefilePrivilege       4696  msiexec.exe
Token: SeCreatePermanentPrivilege      4696  msiexec.exe
Token: SeBackupPrivilege               4696  msiexec.exe
Token: SeRestorePrivilege              4696  msiexec.exe
Token: SeShutdownPrivilege             4696  msiexec.exe
Token: SeDebugPrivilege                4696  msiexec.exe
Token: SeAuditPrivilege                4696  msiexec.exe
Token: SeSystemEnvironmentPrivilege    4696  msiexec.exe
Token: SeChangeNotifyPrivilege         4696  msiexec.exe
Token: SeRemoteShutdownPrivilege       4696  msiexec.exe
Token: SeUndockPrivilege               4696  msiexec.exe
Token: SeSyncAgentPrivilege            4696  msiexec.exe
Token: SeEnableDelegationPrivilege     4696  msiexec.exe
Token: SeManageVolumePrivilege         4696  msiexec.exe
Token: SeImpersonatePrivilege          4696  msiexec.exe
Token: SeCreateGlobalPrivilege         4696  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
4696  msiexec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description                      pid   Process            procid_target
PID 2836 wrote to memory of 3652  2836  VIPAccessSetup.exe  81
PID 2836 wrote to memory of 3652  2836  VIPAccessSetup.exe  81
PID 2836 wrote to memory of 3652  2836  VIPAccessSetup.exe  81
PID 3652 wrote to memory of 4696  3652  install.exe         85
PID 3652 wrote to memory of 4696  3652  install.exe         85
PID 3652 wrote to memory of 4696  3652  install.exe         85
Processes
C:\Users\Admin\AppData\Local\Temp\VIPAccessSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VIPAccessSetup.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2836
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3652
        C:\Windows\SysWOW64\msiexec.exe
          Command line: msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\VIPSetup.msi" TRANSFORMS=1033.mst /lv "C:\Users\Admin\AppData\Local\Temp\VIPSetup.log"
          - Blocklisted process makes network request
          - Enumerates connected drives
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          PID: 4696
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 4740
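As an added example, not part of this report and not code from the sandbox vendor or from the VIP Access installer, the following Python reconstructs the parent/child chain recorded in the WriteProcessMemory IoCs and the process tree above, and flags the pattern of a self-extractor unpacking to %TEMP%\RarSFX<n>\, running a dropped executable from that directory, which in turn runs msiexec /i against an MSI from the same directory. The events are constructed from the PIDs and command lines on this page; the parent PIDs of the top-level SFX (2836) and of the msiexec service instance (4740) are not recorded in the report and are set to 0 as an assumption. This chain is how many legitimate installers are packaged, and msiexec enumerating drive letters or adjusting its token privileges is ordinary Windows Installer behaviour, so a hit is a triage lead to be confirmed against the sample's hashes and Authenticode signature, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon EID 1 style), reduced to the fields the check needs."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in the report above. ppid=0 for 2836 and 4740 is an
# assumption: the report does not record their parents.
EVENTS = [
    ProcEvent(2836, 0, r"C:\Users\Admin\AppData\Local\Temp\VIPAccessSetup.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\VIPAccessSetup.exe"'),
    ProcEvent(3652, 2836, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"'),
    ProcEvent(4696, 3652, r"C:\Windows\SysWOW64\msiexec.exe",
              r'msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\VIPSetup.msi" '
              r'TRANSFORMS=1033.mst /lv "C:\Users\Admin\AppData\Local\Temp\VIPSetup.log"'),
    ProcEvent(4740, 0, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
]

# WinRAR self-extractors unpack to %TEMP%\RarSFX<n>\ before running their setup command.
SFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
# msiexec switches of interest: /i <package>, TRANSFORMS=<mst>, /l<flags> <logfile>.
# Each value may be quoted (may contain spaces) or bare.
MSI_ARG = re.compile(r'(?<!\S)/i\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TRANSFORM_ARG = re.compile(r'(?<!\S)TRANSFORMS=(?:"([^"]+)"|(\S+))', re.IGNORECASE)
LOG_ARG = re.compile(r'(?<!\S)/l\w*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _first(m):
    """Return whichever alternative (quoted or bare) matched, or None when there was no match."""
    return None if m is None else (m.group(1) or m.group(2))


def parse_msiexec(cmdline: str) -> Optional[dict]:
    """Extract package, transform and log path from an 'msiexec /i' command line.
    Returns None when the command line is not an install (e.g. the 'msiexec /V' service instance)."""
    msi = _first(MSI_ARG.search(cmdline))
    if msi is None:
        return None
    return {
        "msi": msi,
        "transform": _first(TRANSFORM_ARG.search(cmdline)),
        "log": _first(LOG_ARG.search(cmdline)),
    }


def find_sfx_msi_chains(events) -> list:
    """Flag msiexec installs whose package sits in a RarSFX directory and whose parent process
    was itself launched from that directory. One record per chain, carrying the three PIDs
    (SFX, dropped EXE, msiexec) plus the parsed msiexec arguments for triage."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\msiexec.exe"):
            continue
        args = parse_msiexec(e.cmdline)
        if args is None or not SFX_DIR.search(args["msi"]):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not SFX_DIR.search(parent.image):
            continue
        grandparent = by_pid.get(parent.ppid)
        hits.append({
            "sfx_pid": grandparent.pid if grandparent else None,
            "dropped_pid": parent.pid,
            "msiexec_pid": e.pid,
            **args,
        })
    return hits


if __name__ == "__main__":
    for hit in find_sfx_msi_chains(EVENTS):
        print(hit)
```

Run against the constructed events it reports a single chain 2836 -> 3652 -> 4696 with the MSI, transform (1033.mst) and log path pulled from the msiexec command line; the 4740 service instance is ignored because its command line carries no /i package. To use it on real telemetry, map Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine) onto ProcEvent and feed the batch in; the log path is worth collecting because the MSI verbose log names every custom action the package ran.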
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
20KB
MD5
738b1c1da7f4c322c16bf9af507c4261
SHA1
98c2db1fe49b1da583d413fef5046d9b0b2f1cb3
SHA256
6cd35d4186e066775b2b99d9be49d8ac8e1eda66325871a61ecc42c28f62236c
SHA512
6caac39ac635991208f37e577cbdcf4157407f0d3e73ad35a9049498e2ebd6bf980f2e3fa90da41df03b8ccac7ef51b6d6bb1dbc8a8f3f48cbfa5782de7bc147

Filesize
108KB
MD5
8b1f7d2e166df7c5a594889b58405ed4
SHA1
14d32e5c1abce3f56a2183a84c88dc494b3539bd
SHA256
d956cd3de13084fa15c12f477740184ad12360d1f4d45c56540da70c6a90c996
SHA512
13ab59fa0dfe6046ca4accf17dec23b4cdce26cd35c64ee6d1228f5469dfb96a3861ee6e74ec27209dc30abc52e133c76ea117cab75d39f6f499e9cef3b7e1eb

Filesize
3.5MB
MD5
5b3a137a191bd1aa572712b76518f04a
SHA1
d62897038a98d44ca2500b8831404ac1f0ab94c1
SHA256
4d5a93d3180384802e73ec56d693b695dfbdb16e0b764bb380bd33b788bead3f
SHA512
67826df3c57cea677a1911f7c0bc7eb721262142245ee70aa6ca5dcff0be0564799e83e11999c0549d21824dd35f273fc6c526486d4acbd577f3339076266421

Filesize
502KB
MD5
0c1d13aed68a7cccab3fe21c15ba0152
SHA1
33384dac20bf94aff6507b0d32a33c1fd4103e3b
SHA256
8a269d55860f8b71dc0eaa2958b133e9fda9277d73f29e3bbbfc29e4fe8435a5
SHA512
bc10071360320ebb816cd32ac1af811f4c05cdedecad1b4e495c56c23a0b7c93c1e9af8e1127c3e652a0333cc833d23cf6a6e1c146f8a4f2a23007219539ea91