a08acf97b669ad3896c129066e8afaea4173ff8e6d49256475adb07491dc160b

Analysis

max time kernel
13s
max time network
23s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22/05/2024, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Checker_legacybattle.exe
Size

17.6MB
MD5

b0ea56470940e14501f3de3704ee3dfd
SHA1

344a32cd672ae105a3d4d154c58c7c10345746a7
SHA256

a08acf97b669ad3896c129066e8afaea4173ff8e6d49256475adb07491dc160b
SHA512

ff3d9f9d9102f72daee17b86d30e6b6bb52c3b8b8f7f36e41d5bf656d3f1f8dc678bc41d446cde4519761942578bd16676dfe47797c7459cda3cd4420113708f
SSDEEP

393216:W0EjEDXajAA7ZNU5DanvweSC1abTNp83uQz9seZ2L/yj84e3km6Nsp:9Ewuj9785GITC1ancuctJsAsp

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe
3872	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	Checker_legacybattle.exe
File opened (read-only)	\??\R:	Checker_legacybattle.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	Checker_legacybattle.exe
File opened (read-only)	\??\H:	Checker_legacybattle.exe
File opened (read-only)	\??\L:	Checker_legacybattle.exe
File opened (read-only)	\??\Q:	Checker_legacybattle.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	Checker_legacybattle.exe
File opened (read-only)	\??\O:	Checker_legacybattle.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	Checker_legacybattle.exe
File opened (read-only)	\??\M:	Checker_legacybattle.exe
File opened (read-only)	\??\N:	Checker_legacybattle.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	Checker_legacybattle.exe
File opened (read-only)	\??\I:	Checker_legacybattle.exe
File opened (read-only)	\??\U:	Checker_legacybattle.exe
File opened (read-only)	\??\V:	Checker_legacybattle.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	Checker_legacybattle.exe
File opened (read-only)	\??\X:	Checker_legacybattle.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	Checker_legacybattle.exe
File opened (read-only)	\??\T:	Checker_legacybattle.exe
File opened (read-only)	\??\Z:	Checker_legacybattle.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	Checker_legacybattle.exe
File opened (read-only)	\??\W:	Checker_legacybattle.exe
File opened (read-only)	\??\Y:	Checker_legacybattle.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	960	msiexec.exe
Token: SeCreateTokenPrivilege	4656	Checker_legacybattle.exe
Token: SeAssignPrimaryTokenPrivilege	4656	Checker_legacybattle.exe
Token: SeLockMemoryPrivilege	4656	Checker_legacybattle.exe
Token: SeIncreaseQuotaPrivilege	4656	Checker_legacybattle.exe
Token: SeMachineAccountPrivilege	4656	Checker_legacybattle.exe
Token: SeTcbPrivilege	4656	Checker_legacybattle.exe
Token: SeSecurityPrivilege	4656	Checker_legacybattle.exe
Token: SeTakeOwnershipPrivilege	4656	Checker_legacybattle.exe
Token: SeLoadDriverPrivilege	4656	Checker_legacybattle.exe
Token: SeSystemProfilePrivilege	4656	Checker_legacybattle.exe
Token: SeSystemtimePrivilege	4656	Checker_legacybattle.exe
Token: SeProfSingleProcessPrivilege	4656	Checker_legacybattle.exe
Token: SeIncBasePriorityPrivilege	4656	Checker_legacybattle.exe
Token: SeCreatePagefilePrivilege	4656	Checker_legacybattle.exe
Token: SeCreatePermanentPrivilege	4656	Checker_legacybattle.exe
Token: SeBackupPrivilege	4656	Checker_legacybattle.exe
Token: SeRestorePrivilege	4656	Checker_legacybattle.exe
Token: SeShutdownPrivilege	4656	Checker_legacybattle.exe
Token: SeDebugPrivilege	4656	Checker_legacybattle.exe
Token: SeAuditPrivilege	4656	Checker_legacybattle.exe
Token: SeSystemEnvironmentPrivilege	4656	Checker_legacybattle.exe
Token: SeChangeNotifyPrivilege	4656	Checker_legacybattle.exe
Token: SeRemoteShutdownPrivilege	4656	Checker_legacybattle.exe
Token: SeUndockPrivilege	4656	Checker_legacybattle.exe
Token: SeSyncAgentPrivilege	4656	Checker_legacybattle.exe
Token: SeEnableDelegationPrivilege	4656	Checker_legacybattle.exe
Token: SeManageVolumePrivilege	4656	Checker_legacybattle.exe
Token: SeImpersonatePrivilege	4656	Checker_legacybattle.exe
Token: SeCreateGlobalPrivilege	4656	Checker_legacybattle.exe
Token: SeCreateTokenPrivilege	4656	Checker_legacybattle.exe
Token: SeAssignPrimaryTokenPrivilege	4656	Checker_legacybattle.exe
Token: SeLockMemoryPrivilege	4656	Checker_legacybattle.exe
Token: SeIncreaseQuotaPrivilege	4656	Checker_legacybattle.exe
Token: SeMachineAccountPrivilege	4656	Checker_legacybattle.exe
Token: SeTcbPrivilege	4656	Checker_legacybattle.exe
Token: SeSecurityPrivilege	4656	Checker_legacybattle.exe
Token: SeTakeOwnershipPrivilege	4656	Checker_legacybattle.exe
Token: SeLoadDriverPrivilege	4656	Checker_legacybattle.exe
Token: SeSystemProfilePrivilege	4656	Checker_legacybattle.exe
Token: SeSystemtimePrivilege	4656	Checker_legacybattle.exe
Token: SeProfSingleProcessPrivilege	4656	Checker_legacybattle.exe
Token: SeIncBasePriorityPrivilege	4656	Checker_legacybattle.exe
Token: SeCreatePagefilePrivilege	4656	Checker_legacybattle.exe
Token: SeCreatePermanentPrivilege	4656	Checker_legacybattle.exe
Token: SeBackupPrivilege	4656	Checker_legacybattle.exe
Token: SeRestorePrivilege	4656	Checker_legacybattle.exe
Token: SeShutdownPrivilege	4656	Checker_legacybattle.exe
Token: SeDebugPrivilege	4656	Checker_legacybattle.exe
Token: SeAuditPrivilege	4656	Checker_legacybattle.exe
Token: SeSystemEnvironmentPrivilege	4656	Checker_legacybattle.exe
Token: SeChangeNotifyPrivilege	4656	Checker_legacybattle.exe
Token: SeRemoteShutdownPrivilege	4656	Checker_legacybattle.exe
Token: SeUndockPrivilege	4656	Checker_legacybattle.exe
Token: SeSyncAgentPrivilege	4656	Checker_legacybattle.exe
Token: SeEnableDelegationPrivilege	4656	Checker_legacybattle.exe
Token: SeManageVolumePrivilege	4656	Checker_legacybattle.exe
Token: SeImpersonatePrivilege	4656	Checker_legacybattle.exe
Token: SeCreateGlobalPrivilege	4656	Checker_legacybattle.exe
Token: SeCreateTokenPrivilege	4656	Checker_legacybattle.exe
Token: SeAssignPrimaryTokenPrivilege	4656	Checker_legacybattle.exe
Token: SeLockMemoryPrivilege	4656	Checker_legacybattle.exe
Token: SeIncreaseQuotaPrivilege	4656	Checker_legacybattle.exe
Token: SeMachineAccountPrivilege	4656	Checker_legacybattle.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4656	Checker_legacybattle.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 3872	960	msiexec.exe	76
PID 960 wrote to memory of 3872	960	msiexec.exe	76
PID 960 wrote to memory of 3872	960	msiexec.exe	76

C:\Users\Admin\AppData\Local\Temp\Checker_legacybattle.exe
"C:\Users\Admin\AppData\Local\Temp\Checker_legacybattle.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4656

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 97F86894E32489ECE01EF059D3A394EE C
  2⤵
  - Loads dropped DLL
  PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4656\aboutbtn

Filesize
1KB

MD5
b51b54b77e9cbfdb1063f7487c1c07ec

SHA1
8a8a7036cfbc86a537447bf71b9f6795923db8b9

SHA256
9d7243c688264329a8cb9e22da00b651e0a9407741d722e03dd67cc8b3ee1335

SHA512
04cef1aa3a530e7f03054369450eb42f36bf45c13c7445adf450ec4635a8601447c5bb6e978b3adabe9021019644681bf1609539eb548dd50ada973aac0c6555

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4656\background

Filesize
2KB

MD5
9e23da7c3cd3fb8113e698a12a3d3047

SHA1
6d021109495d77a53afe101f2b03a4da847e6d99

SHA256
b671008e5d4a15409051d7b3d2aa40f7c028e1dab5876c2882976793abb9356c

SHA512
65e885984681cee190764515f61bb8da3c29463b87f4371fff27ae4c4089af46c9b98910a847ec29d7368160d6aaf841fb93f1347c9abc47bce5cf997c8b4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4656\buttonimgs

Filesize
1KB

MD5
6956ac5e9d5e47daeb7d147d67d9e526

SHA1
427449cf08f0c78f1bf3850565201991828e278c

SHA256
f8f4efdb34b00775638c95568761c93436812af56c8f41116f2f92a987ca9ae0

SHA512
a82f9d199e36dfcdad7393761d1cf541d67b0b70d4b31cf71ad38dab3e95b351143c1aff4adea3207d1fd1e9c3523e9b7e3cea37cb61f9f2845894c60327651c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4656\checkernewicon.png

Filesize
3KB

MD5
b1618ec6d5e7c1e293cb36ab87371615

SHA1
a9c47241b1378bca3b541abb07aeb4b1feb0ccf4

SHA256
76adccd20b35ba40b9be5ac4194941625826084f32a9c7c07090708946fc39c5

SHA512
a45e20225fe4d5989f6f8891274a8ed07f27c2b33545458f36bbb3356124fbf83c6d1523155b4830e6bb78a96e4fd282a7f43ec3d3ce77fe488f8640ff49da2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF12C.tmp

Filesize
709KB

MD5
eb7811666ac7be6477e23af68511424f

SHA1
1623579c5a3710dcc694a2fd49defa27d56d9175

SHA256
ad706739b04256b9215e80d2d030863a37f0d7fd0e4071d0a3a73d6704d8bd8f

SHA512
3055baa15c92f476513c66a423043dc4b8c5f83f47643ad77665d6a2f823f4655bf4ae241d8af4bc34d53630df1c35989f0b11b934a631960668fcc7a8c81a7b

Download Submit
C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\install\51B5780\SandeLLoCHECKER_Installer.msi

Filesize
4.7MB

MD5
69d9a69f84bc67feed975148b9e2ec7c

SHA1
b4cd30ae6c20a0a5297589a4739d9b5a3fc5154f

SHA256
2fc0bc7675b71742b759f44f00e23662f28ad3d04cc5e2956428e57cb61d55b7

SHA512
63b5c471d372611b3936f9f2dba302b95490719f228b7362c99957162f92fb4fb31d82dc5c6a55cf1f793dca9f321d601439c7f61aa94c11cc25302e365a428f

Download Submit
\Users\Admin\AppData\Local\Temp\MSIEB5C.tmp

Filesize
587KB

MD5
9e0aef52f6c03b2fea067342d9d4f22f

SHA1
d4431a858c8a7a79315829ec7aa82e838c2714f4

SHA256
42b8adafcb4e8496d9822a0c504f449e56456528a9251c153381d3f63d197e5b

SHA512
42858a6695d7906b3df4dc97f3b1fac737633a51ffb52e8ec8eddeb21f8cdb53c199bb698e54c4a931155eafd879de6fff114b84f298c84436b776e286ebeeb1

Download Submit
\Users\Admin\AppData\Local\Temp\MSIEE2E.tmp

Filesize
1.1MB

MD5
c04ed00ddcb3518e8cf6db24db294a50

SHA1
cc98cc3ab9c4371f85ea227d9f761bab4aa76baa

SHA256
3c21e1f3bb3ebeb5f0ff68658db8abd18b62f8b195288c4bf87936fc51f8ae9e

SHA512
736946a3130f294878ea51145960017babcc1b8ac2c96afd8b9e2a4d120f173afb84bbd04b6f0113f286d4bc671befecd4e92c582f1de1a0d5bc8738c3cae9c5

Download Submit