43a74ae319c23351e49564d8ecd41d7e92e4929ed04a4108bc56397663d34c43

General

Target

setup.exe
Size

8.7MB
MD5

345813c2aa1466b30b8b621d81c19dda
SHA1

90ddb3ddcdfb70c4056ff0dd36a07a70675679d9
SHA256

1f15f86615fd19e933670c403a337546d5e7617d5937d65c3b46178c266132ab
SHA512

bb37d497f111a9a70bbd319c2bbc26d49139c2b7be95f7dc01f618a35c8d48a6202b1b3706d60d215616101be15a5b1864639d3e8f89820e2bd2d3d086ae261d
SSDEEP

196608:vLL3cLZWcdHG7WOoqSyUb9Mp9/UNZI8vYmZOF35mZ73vc8e6nC:HKPdDzngGI8vYp35mZ7/Ne6C

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MSIEXEC.EXE

description	ioc	process
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

MSIEXEC.EXEmsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4404	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4404	MSIEXEC.EXE
Token: SeSecurityPrivilege	952	msiexec.exe
Token: SeCreateTokenPrivilege	4404	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4404	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4404	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4404	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4404	MSIEXEC.EXE
Token: SeTcbPrivilege	4404	MSIEXEC.EXE
Token: SeSecurityPrivilege	4404	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4404	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4404	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4404	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4404	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4404	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4404	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4404	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4404	MSIEXEC.EXE
Token: SeBackupPrivilege	4404	MSIEXEC.EXE
Token: SeRestorePrivilege	4404	MSIEXEC.EXE
Token: SeShutdownPrivilege	4404	MSIEXEC.EXE
Token: SeDebugPrivilege	4404	MSIEXEC.EXE
Token: SeAuditPrivilege	4404	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4404	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4404	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4404	MSIEXEC.EXE
Token: SeUndockPrivilege	4404	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4404	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4404	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4404	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4404	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4404	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MSIEXEC.EXE

pid process

4404 MSIEXEC.EXE

pid	process
4404	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

setup.exe

description	pid	process	target process
PID 2296 wrote to memory of 4404	2296	setup.exe	MSIEXEC.EXE
PID 2296 wrote to memory of 4404	2296	setup.exe	MSIEXEC.EXE
PID 2296 wrote to memory of 4404	2296	setup.exe	MSIEXEC.EXE

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{70741812-5FBC-4592-B2AE-A47264EC9D2F}\PDF To Image Creator v2.3.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="setup.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4404

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Downloaded Installations\{70741812-5FBC-4592-B2AE-A47264EC9D2F}\PDF To Image Creator v2.3.msi

Filesize
8.8MB

MD5
5d4f1a04d9fdf6139e2fb73b958ed946

SHA1
29adebb81511c9f9af9f4ba3086875518317a520

SHA256
1463dfa7b16e6da27455777632b28b2f12a0b1100fe9ee5edb153e32b86bf949

SHA512
3dcf8c0ebcdc9fd21dc5feacd226980a20e1ff81c317451396faa2cbec793f2a3007ae2d34c555cc7b05f388c3cc2c87b14f75027c3de9655f35b9e6c5be01e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is22FA.tmp

Filesize
1KB

MD5
3752356878ad16609bb3a9837b0d248a

SHA1
d45518aa6d964a6b6b787a08c9c94f4d4e4ded49

SHA256
5fb72664715ff87cda54625287bfea0a26b07ae12a88855575272cc81c52269f

SHA512
9bec35e493519e1ff0bead113983327ebae88f8a8afcf4499bb670542b628d6ece0d7cece7426f78796ba7ce3872ec98ae280aa7cf28652f030fa01923e95052

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4BFA72E6-F551-4BAA-8B1F-B0B8386298CC}\0x0409.ini

Filesize
13KB

MD5
758747727e96a23c7c5a5bbb011656e4

SHA1
51cc637e7eb3451d6dfa9465d949d6dfb2cd65c9

SHA256
bad3b2e854149df9413f06e6c1c7b7c875545393877f59b59907f6b083ce5825

SHA512
21ff9d365beb1b7809b89d540f41bf330515f05f6211c8327be43baf1f050e46ecc1654b0696e7c82a2a803267e38d780ffd83dea7448861f6e3b84838685627

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4BFA72E6-F551-4BAA-8B1F-B0B8386298CC}\Setup.INI

Filesize
3KB

MD5
e84bcc3811fd20c9e8290a461d798f18

SHA1
cbc0d7039f7328b25d8bca55917eb83c5a8def5f

SHA256
895912a57e694520b00d4560fe8e243753e4e1b7e22f84b18f91d75d09ee49d3

SHA512
e7bfe482027c8da2fff1b73f21bdef3ec935f72e4bc919a39b44ed0e62c65d8a7101b7135da59fd74f6bd2509d516a3e1ac9eeff698747b589931f73beed106a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads