fa33a79cef198b9720dcd8c28a345e5532a6bc8c9b79db6640a2a5f6ad56ef82

Analysis

max time kernel
367s
max time network
1576s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16/05/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bindu Software/HASPUserSetup_7_80.exe
Size

19.5MB
MD5

c1f4bcd2e79bf609c180831a8df26784
SHA1

d9b0ff58fb0735779824ededa3fdab7df2a6cd23
SHA256

626e9acc1e697426d38de2f6474eaa350b60448523783fa1972d04eeb01106c2
SHA512

140b368b977750dc15fc264b48cef9927bf9817d56e461d312a08316b483b8c1e764a9ea21f4deaceef5f0eb5202490cd279b229e4b21e89b47e84f79cb7408f
SSDEEP

393216:qHFr8AWZrDWXYC84HB17Z7oTxnDSE8p33Fb3CzDMSzdPQ+c:qHF8/Z+ov4zI6p33x3CPMCpc

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
5072	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4880	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4880	MSIEXEC.EXE
Token: SeSecurityPrivilege	4104	msiexec.exe
Token: SeCreateTokenPrivilege	4880	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4880	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4880	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4880	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4880	MSIEXEC.EXE
Token: SeTcbPrivilege	4880	MSIEXEC.EXE
Token: SeSecurityPrivilege	4880	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4880	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4880	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4880	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4880	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4880	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4880	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4880	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4880	MSIEXEC.EXE
Token: SeBackupPrivilege	4880	MSIEXEC.EXE
Token: SeRestorePrivilege	4880	MSIEXEC.EXE
Token: SeShutdownPrivilege	4880	MSIEXEC.EXE
Token: SeDebugPrivilege	4880	MSIEXEC.EXE
Token: SeAuditPrivilege	4880	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4880	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4880	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4880	MSIEXEC.EXE
Token: SeUndockPrivilege	4880	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4880	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4880	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4880	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4880	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4880	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	4880	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4880	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4880	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4880	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4880	MSIEXEC.EXE
Token: SeTcbPrivilege	4880	MSIEXEC.EXE
Token: SeSecurityPrivilege	4880	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4880	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4880	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4880	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4880	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4880	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4880	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4880	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4880	MSIEXEC.EXE
Token: SeBackupPrivilege	4880	MSIEXEC.EXE
Token: SeRestorePrivilege	4880	MSIEXEC.EXE
Token: SeShutdownPrivilege	4880	MSIEXEC.EXE
Token: SeDebugPrivilege	4880	MSIEXEC.EXE
Token: SeAuditPrivilege	4880	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4880	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4880	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4880	MSIEXEC.EXE
Token: SeUndockPrivilege	4880	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4880	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4880	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4880	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4880	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4880	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	4880	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4880	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4880	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4880	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4880	3192	HASPUserSetup_7_80.exe	74
PID 3192 wrote to memory of 4880	3192	HASPUserSetup_7_80.exe	74
PID 3192 wrote to memory of 4880	3192	HASPUserSetup_7_80.exe	74
PID 4104 wrote to memory of 5072	4104	msiexec.exe	77
PID 4104 wrote to memory of 5072	4104	msiexec.exe	77
PID 4104 wrote to memory of 5072	4104	msiexec.exe	77

C:\Users\Admin\AppData\Local\Temp\Bindu Software\HASPUserSetup_7_80.exe
"C:\Users\Admin\AppData\Local\Temp\Bindu Software\HASPUserSetup_7_80.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{10097D81-C0CA-453D-810B-C49F88553193}\HASP_Setup.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\Bindu Software" SETUPEXENAME="HASPUserSetup_7_80.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4880

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BDD7C65044BD0AF14222F04E98A75461 C
  2⤵
  - Loads dropped DLL
  PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIB630.tmp

Filesize
151KB

MD5
147b7f7427d9ffe61ea784c3b5e245c8

SHA1
2ccf676aa59561f0f30fcd04d5df48831054cb3e

SHA256
68653956ea7674ec9e8e643b573c9c8fbee00b7d07d4fc89fb0e233844c68683

SHA512
7a63e0d33d462fb73b6ec57ef2b1c4a21d873694e4d5e37f86b34fb33392d760d4c1d2aea313246a2618e2dd4537afcfc8006daebf8c1abc26435bc462d2b53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{10097D81-C0CA-453D-810B-C49F88553193}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{10097D81-C0CA-453D-810B-C49F88553193}\HASP_Setup.msi

Filesize
20.5MB

MD5
ff2353197e658645f1d540972216b5e5

SHA1
464dd70f4a15e7a0e984eeb5c3fd7024b4473454

SHA256
cfe77ae23d86f7911fc86b2e0462195a6079e56e181dbdd0381ba0d478028e57

SHA512
a8aa3c5b54235c4752432602a438059886f107f768b7e85724a44859fbac2d02f738579f445c1ccbb1e6528ae5a5e2986d3dde19ed70295337055177ca63bef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9CDC.tmp

Filesize
4KB

MD5
da7adfa9a246f801a34ed5aa81ea39a7

SHA1
46aa321bac352b537eb1d92962fd0bbefb4dedca

SHA256
32094563c60c61069f37c5a2e8bfe5f7037d69c07254674760f7dd0122403067

SHA512
1524c19461c9d340cae58141f1cdbc45de97f976bbdf18f2130fd77b19210171655b9ca5e360c2b43f4d38b8a03f2d9b54772262294c2208812dc9cead029c84

Download Submit