5b774b42f4460f6e36b2fe9d186bf6ee176c2d8cc5a3bb4bd5e70cabe06f872f

General

Target

PlagiarismCheckerX_setup/PlagiarismCheckerX_2014.exe
Size

8.0MB
MD5

5d6b3212fd8fe262f7126f1a9621edd4
SHA1

f25a6b26714d21d4b4550cedc88b1278e8714ae2
SHA256

2b2ce96e79f71278da3786b133426ce1af2bfb5beaf9c3179f5b0e47d2e9b191
SHA512

4e7f023d2e2e327371029edacba598c5fb0c6081763be27e5390c0679b70385e973c0c8dcfc54c352ff33b89203d647ddb903c5d592e4092dafd6fb6f5755ffe
SSDEEP

196608:igJumoeavqlmOEX9ohNyR6HBlVGx/kXn0F6EEGkuG5KQ:gRvqlmdoldQ/k3Q6EEr4Q

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MSIEXEC.EXE

description	ioc	process
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE

Drops file in System32 directory 1 IoCs

Processes:

MSIEXEC.EXE

description ioc process

File opened for modification C:\Windows\SysWOW64\MSCOMCTL.OCX MSIEXEC.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSIEXEC.EXE

pid process

2464 MSIEXEC.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSCOMCTL.OCX	MSIEXEC.EXE

pid	process
2464	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

MSIEXEC.EXEmsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2464	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2464	MSIEXEC.EXE
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe
Token: SeSecurityPrivilege	2300	msiexec.exe
Token: SeCreateTokenPrivilege	2464	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2464	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2464	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2464	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2464	MSIEXEC.EXE
Token: SeTcbPrivilege	2464	MSIEXEC.EXE
Token: SeSecurityPrivilege	2464	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2464	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2464	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2464	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2464	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2464	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2464	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2464	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2464	MSIEXEC.EXE
Token: SeBackupPrivilege	2464	MSIEXEC.EXE
Token: SeRestorePrivilege	2464	MSIEXEC.EXE
Token: SeShutdownPrivilege	2464	MSIEXEC.EXE
Token: SeDebugPrivilege	2464	MSIEXEC.EXE
Token: SeAuditPrivilege	2464	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2464	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2464	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2464	MSIEXEC.EXE
Token: SeUndockPrivilege	2464	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2464	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2464	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2464	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2464	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2464	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MSIEXEC.EXE

pid process

2464 MSIEXEC.EXE

pid	process
2464	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

PlagiarismCheckerX_2014.exe

description	pid	process	target process
PID 1976 wrote to memory of 2464	1976	PlagiarismCheckerX_2014.exe	MSIEXEC.EXE
PID 1976 wrote to memory of 2464	1976	PlagiarismCheckerX_2014.exe	MSIEXEC.EXE
PID 1976 wrote to memory of 2464	1976	PlagiarismCheckerX_2014.exe	MSIEXEC.EXE
PID 1976 wrote to memory of 2464	1976	PlagiarismCheckerX_2014.exe	MSIEXEC.EXE
PID 1976 wrote to memory of 2464	1976	PlagiarismCheckerX_2014.exe	MSIEXEC.EXE
PID 1976 wrote to memory of 2464	1976	PlagiarismCheckerX_2014.exe	MSIEXEC.EXE
PID 1976 wrote to memory of 2464	1976	PlagiarismCheckerX_2014.exe	MSIEXEC.EXE

C:\Users\Admin\AppData\Local\Temp\PlagiarismCheckerX_setup\PlagiarismCheckerX_2014.exe
"C:\Users\Admin\AppData\Local\Temp\PlagiarismCheckerX_setup\PlagiarismCheckerX_2014.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\MSIEXEC.EXE
MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{DB506276-4248-4835-8656-D1E07DC45BCD}\Plagiarism Checker X.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\PlagiarismCheckerX_setup" SETUPEXENAME="PlagiarismCheckerX_2014.exe"
2⤵
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2464

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{DB506276-4248-4835-8656-D1E07DC45BCD}\0x0409.ini

Filesize
20KB

MD5
36affbd6ff77d1515cfc1c5e998fbaf9

SHA1
950d00ecc2e7fd2c48897814029e8eedf6397838

SHA256
fccc7f79d29318d8ae78850c262bac762c28858709a6e6cf3b62bcd2729a61e3

SHA512
2f29de86d486db783872581a43a834e5064d1488bc3f085ddc5a3287eb9ee8a4ce93d66f7b4965cafb3c4f06b38d4b0fcfdc0fcb1f99d61331a808e5d6011808

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DB506276-4248-4835-8656-D1E07DC45BCD}\Plagiarism Checker X.msi

Filesize
7.8MB

MD5
2dfc13927a65f857389a3bc857f40be6

SHA1
1712ce65a9b2d10ea75d9d9cacb46e7236b617b2

SHA256
9b991fc9ff6ac4c0adcb4c9e134f3d6193a59a70aa39f3cc872299e7e127e230

SHA512
8f54bbd2bb0cb96a29317517f9d46f64cdfc0bee750421c29b113ca8057b69aa6d83faa26a766dabc4a338822afda68fdcae686a968769d92e2b92e69e995d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1E0E.tmp

Filesize
4KB

MD5
47f3caa9b035e4af1601f3c230bc64bf

SHA1
fc3f2342e0c433a98602c9759006e2a3d250cd50

SHA256
93f665088b996ceefb2e565cb7cf040e88638f7f7003f77a8ac2f88f9b4179b5

SHA512
164e5384543a0fe64046bb31cbe391909f8d79ee1d85730b68c81ba6f778f7563a9986afc9c8c4800cf12ee72f693afc64f073c61e813ac21db9d38ea493de7d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads