Analysis
- max time kernel: 2s
- max time network: 5s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 22/05/2024, 14:44
- Static task: static1
- Behavioral task: behavioral1 (sample: Checker_legacybattle.exe; resource: win7-20240508-en)
- Behavioral task: behavioral2 (sample: Checker_legacybattle.exe; resource: win7-20240221-en)
- Behavioral task: behavioral3 (sample: Checker_legacybattle.exe; resource: win10-20240404-en)
- Behavioral task: behavioral4 (sample: Checker_legacybattle.exe; resource: win10v2004-20240508-en)
- Behavioral task: behavioral5 (sample: Checker_legacybattle.exe; resource: win11-20240426-en)
General
- Target: Checker_legacybattle.exe
- Size: 17.6MB
- MD5: b0ea56470940e14501f3de3704ee3dfd
- SHA1: 344a32cd672ae105a3d4d154c58c7c10345746a7
- SHA256: a08acf97b669ad3896c129066e8afaea4173ff8e6d49256475adb07491dc160b
- SHA512: ff3d9f9d9102f72daee17b86d30e6b6bb52c3b8b8f7f36e41d5bf656d3f1f8dc678bc41d446cde4519761942578bd16676dfe47797c7459cda3cd4420113708f
- SSDEEP: 393216:W0EjEDXajAA7ZNU5DanvweSC1abTNp83uQz9seZ2L/yj84e3km6Nsp:9Ewuj9785GITC1ancuctJsAsp
Malware Config
Signatures
- Loads dropped DLL (16 IoCs)
  PID 5040, MsiExec.exe (16 identical entries)
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Checker_legacybattle.exe (23 entries): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  File opened (read-only) by msiexec.exe (23 entries): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Control Panel (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Control Panel\Colors (Checker_legacybattle.exe)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeSecurityPrivilege, PID 3048 msiexec.exe (1 entry)
  Tokens adjusted by PID 2092 Checker_legacybattle.exe (63 entries): the following 29 privileges are listed twice in full, then the first five (SeCreateTokenPrivilege through SeMachineAccountPrivilege) a third time: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2092 Checker_legacybattle.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3048 (msiexec.exe) wrote to memory of PID 5040; procid_target 83 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Checker_legacybattle.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Checker_legacybattle.exe"
  Depth 1; PID 2092
  Signatures: Enumerates connected drives; Modifies Control Panel; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Depth 1; PID 3048
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 73C3361C72AC41952EA06072850AA7B4 C
    Depth 2 (child of PID 3048); PID 5040
    Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads