e32e56f48e3d2a1c1375f0c7b3f8cd254c8b2bc010df8f8c1f0e8b6f11c21069

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 11:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

spacedeskWindowsVIEWER_v0945_BETA.msi
Size

2.5MB
MD5

af95f1be57b11a659822b7f2d882b0d8
SHA1

b6e9a49e77befc53dd0577f8a149f2e69649b08f
SHA256

e32e56f48e3d2a1c1375f0c7b3f8cd254c8b2bc010df8f8c1f0e8b6f11c21069
SHA512

c603ac6168fe7de7ddf78fb770e3ca8022d0d5e26c3956553726c11dc5a9cc8b7bf365c2538272d18662bcfa89347f23d429ec3c79d936b486c8d958821c567a
SSDEEP

24576:amq99RfkGFAYWRrVGPXp/DTkXzdV8UrdoFys1D56wQX+K5r83ffhOE2Z34KYJALb:4kGFvWfG/Zf26d56DNB8hnUITJcJoj

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2196	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2196	msiexec.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2196	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeSecurityPrivilege	2700	msiexec.exe
Token: SeCreateTokenPrivilege	2196	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2196	msiexec.exe
Token: SeLockMemoryPrivilege	2196	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2196	msiexec.exe
Token: SeMachineAccountPrivilege	2196	msiexec.exe
Token: SeTcbPrivilege	2196	msiexec.exe
Token: SeSecurityPrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeLoadDriverPrivilege	2196	msiexec.exe
Token: SeSystemProfilePrivilege	2196	msiexec.exe
Token: SeSystemtimePrivilege	2196	msiexec.exe
Token: SeProfSingleProcessPrivilege	2196	msiexec.exe
Token: SeIncBasePriorityPrivilege	2196	msiexec.exe
Token: SeCreatePagefilePrivilege	2196	msiexec.exe
Token: SeCreatePermanentPrivilege	2196	msiexec.exe
Token: SeBackupPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeShutdownPrivilege	2196	msiexec.exe
Token: SeDebugPrivilege	2196	msiexec.exe
Token: SeAuditPrivilege	2196	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2196	msiexec.exe
Token: SeChangeNotifyPrivilege	2196	msiexec.exe
Token: SeRemoteShutdownPrivilege	2196	msiexec.exe
Token: SeUndockPrivilege	2196	msiexec.exe
Token: SeSyncAgentPrivilege	2196	msiexec.exe
Token: SeEnableDelegationPrivilege	2196	msiexec.exe
Token: SeManageVolumePrivilege	2196	msiexec.exe
Token: SeImpersonatePrivilege	2196	msiexec.exe
Token: SeCreateGlobalPrivilege	2196	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2196	msiexec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\spacedeskWindowsVIEWER_v0945_BETA.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2196

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab1779.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1895.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit