cab725c00d00615e88d945ca3fd8442eefb7be71353901c801911b46a1295316

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crypto Wallet Cracker 5.7/setup.exe
Size

542KB
MD5

486c49f2dd4e5683af1d047ffdfb5eeb
SHA1

d9101596b904fbd526cc11ba01f860b5bdd108f3
SHA256

091583602d7b6ef59fe5028c536ce89ea98d98c5c2b35cb09454f011478ed29c
SHA512

3ba696e559c700beb48f310c93beedd1110864df3f8b64da70f0a98adb1f1351e687d6f89c6b3c29a267a4d73a30a05bf8c0f6da3d751d81f04076343911fba5
SSDEEP

12288:mxrY9A/mSkf0FrgcdVm79QHpVEeMb01JQntLOC+Za:mpWA/mjf0s9QJVEem+

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2672	MsiExec.exe
2672	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
776	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	776	msiexec.exe
Token: SeIncreaseQuotaPrivilege	776	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeSecurityPrivilege	2028	msiexec.exe
Token: SeCreateTokenPrivilege	776	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	776	msiexec.exe
Token: SeLockMemoryPrivilege	776	msiexec.exe
Token: SeIncreaseQuotaPrivilege	776	msiexec.exe
Token: SeMachineAccountPrivilege	776	msiexec.exe
Token: SeTcbPrivilege	776	msiexec.exe
Token: SeSecurityPrivilege	776	msiexec.exe
Token: SeTakeOwnershipPrivilege	776	msiexec.exe
Token: SeLoadDriverPrivilege	776	msiexec.exe
Token: SeSystemProfilePrivilege	776	msiexec.exe
Token: SeSystemtimePrivilege	776	msiexec.exe
Token: SeProfSingleProcessPrivilege	776	msiexec.exe
Token: SeIncBasePriorityPrivilege	776	msiexec.exe
Token: SeCreatePagefilePrivilege	776	msiexec.exe
Token: SeCreatePermanentPrivilege	776	msiexec.exe
Token: SeBackupPrivilege	776	msiexec.exe
Token: SeRestorePrivilege	776	msiexec.exe
Token: SeShutdownPrivilege	776	msiexec.exe
Token: SeDebugPrivilege	776	msiexec.exe
Token: SeAuditPrivilege	776	msiexec.exe
Token: SeSystemEnvironmentPrivilege	776	msiexec.exe
Token: SeChangeNotifyPrivilege	776	msiexec.exe
Token: SeRemoteShutdownPrivilege	776	msiexec.exe
Token: SeUndockPrivilege	776	msiexec.exe
Token: SeSyncAgentPrivilege	776	msiexec.exe
Token: SeEnableDelegationPrivilege	776	msiexec.exe
Token: SeManageVolumePrivilege	776	msiexec.exe
Token: SeImpersonatePrivilege	776	msiexec.exe
Token: SeCreateGlobalPrivilege	776	msiexec.exe
Token: SeCreateTokenPrivilege	776	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	776	msiexec.exe
Token: SeLockMemoryPrivilege	776	msiexec.exe
Token: SeIncreaseQuotaPrivilege	776	msiexec.exe
Token: SeMachineAccountPrivilege	776	msiexec.exe
Token: SeTcbPrivilege	776	msiexec.exe
Token: SeSecurityPrivilege	776	msiexec.exe
Token: SeTakeOwnershipPrivilege	776	msiexec.exe
Token: SeLoadDriverPrivilege	776	msiexec.exe
Token: SeSystemProfilePrivilege	776	msiexec.exe
Token: SeSystemtimePrivilege	776	msiexec.exe
Token: SeProfSingleProcessPrivilege	776	msiexec.exe
Token: SeIncBasePriorityPrivilege	776	msiexec.exe
Token: SeCreatePagefilePrivilege	776	msiexec.exe
Token: SeCreatePermanentPrivilege	776	msiexec.exe
Token: SeBackupPrivilege	776	msiexec.exe
Token: SeRestorePrivilege	776	msiexec.exe
Token: SeShutdownPrivilege	776	msiexec.exe
Token: SeDebugPrivilege	776	msiexec.exe
Token: SeAuditPrivilege	776	msiexec.exe
Token: SeSystemEnvironmentPrivilege	776	msiexec.exe
Token: SeChangeNotifyPrivilege	776	msiexec.exe
Token: SeRemoteShutdownPrivilege	776	msiexec.exe
Token: SeUndockPrivilege	776	msiexec.exe
Token: SeSyncAgentPrivilege	776	msiexec.exe
Token: SeEnableDelegationPrivilege	776	msiexec.exe
Token: SeManageVolumePrivilege	776	msiexec.exe
Token: SeImpersonatePrivilege	776	msiexec.exe
Token: SeCreateGlobalPrivilege	776	msiexec.exe
Token: SeCreateTokenPrivilege	776	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
776	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 776	868	setup.exe	28
PID 868 wrote to memory of 776	868	setup.exe	28
PID 868 wrote to memory of 776	868	setup.exe	28
PID 868 wrote to memory of 776	868	setup.exe	28
PID 868 wrote to memory of 776	868	setup.exe	28
PID 868 wrote to memory of 776	868	setup.exe	28
PID 868 wrote to memory of 776	868	setup.exe	28
PID 2028 wrote to memory of 2672	2028	msiexec.exe	30
PID 2028 wrote to memory of 2672	2028	msiexec.exe	30
PID 2028 wrote to memory of 2672	2028	msiexec.exe	30
PID 2028 wrote to memory of 2672	2028	msiexec.exe	30
PID 2028 wrote to memory of 2672	2028	msiexec.exe	30
PID 2028 wrote to memory of 2672	2028	msiexec.exe	30
PID 2028 wrote to memory of 2672	2028	msiexec.exe	30

C:\Users\Admin\AppData\Local\Temp\Crypto Wallet Cracker 5.7\setup.exe
"C:\Users\Admin\AppData\Local\Temp\Crypto Wallet Cracker 5.7\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\Crypto Wallet Cracker 5.7\Crypto Wallet Cracker 5.7.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:776

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9656467DA5244285CF53DE24E1D099B1 C
  2⤵
  - Loads dropped DLL
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI36A.tmp

Filesize
285KB

MD5
b77a2a2768b9cc78a71bbffb9812b978

SHA1
b70e27eb446fe1c3bc8ea03dabbee2739a782e04

SHA256
f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0

SHA512
a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

Download Submit