Analysis
-
max time kernel
142s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 01:06
General
-
Target
0f962b19b3405722d618ca44beea3240f8c809723b9f7735828db59d061fcd42.msi
-
Size
18.7MB
-
MD5
4cbfb798bb6076378fc96c9c4b1a80fc
-
SHA1
5fadac688f773244af547411b22d44d757c4c829
-
SHA256
0f962b19b3405722d618ca44beea3240f8c809723b9f7735828db59d061fcd42
-
SHA512
55a254aa2b30604bf66d7f2feeecd395c8624b4b9892898f7e9689e85ec4772c386989d91b72cb681ab614e59f2174ae705fd39ae892cb10f431d9f67aa3b15f
-
SSDEEP
393216:ZavYmPEVSlMJHe3qS4Lt0aXQ5VFVxdPqsvV34kX:gNcLe3qFZ0mQdd9VIkX
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 6 IoCs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Blocklisted process makes network request 4 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 13 IoCs
-
Loads dropped DLL 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0f962b19b3405722d618ca44beea3240f8c809723b9f7735828db59d061fcd42.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6E4BA6C74EDEAE06663F7C56080C357D2⤵
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
738KB
MD536cd2870d577ff917ba93c9f50f86374
SHA1e51baf257f5a3c3cd7b68690e36945fa3284e710
SHA2568d3e94c47af3da706a9fe9e4428b2fefd5e9e6c7145e96927fffdf3dd5e472b8
SHA512426fe493a25e99ca9630ad4706ca5ac062445391ab2087793637339f3742a5e1af2cedb4682babc0c4e7f9e06fed0b4ed543ddeb6f4e6f75c50349c0354aceda
-
Filesize
16.5MB
MD52e2a5db0e8e5a8a65f89d11330de872e
SHA1116dd648183dca8e9f6d1e345962924aaab7fccd
SHA2566bcd4341830d410f5e274fedfc44f6b1b1df574337492ced997af85e1433e617
SHA5126cda7a7ba89aeb75824e99112178f17b3cfe63966abd9bf8a5b363f05ade184711f0cfbf7aacc50f6926808bc1b2d6b081b13f6ef553320e6dfea7df3e7622e8
-
Filesize
482KB
MD5c2703965b8ba0ecf8c5d8a043976facc
SHA1c578c694d4fe5c15acc3b7aa60e9874d0ded3d54
SHA256e28e34fbdaff077669586dcdb4e10f0ba2ca6c9973ed4d372a5c3ec3b8ad20e7
SHA512cb729665206594928a90b29e5c7592120345e92a605122ec6aea564250c4d5d48e1d39c8803820eccde7920aa4d9af99fb3748671de076476d833710b9491d61
-
Filesize
106KB
MD5931c97553b3319f21b9ef249aa3cd244
SHA142c6611da2154bb6e0911993cf97071908b48bf2
SHA2567e643c188a1ee3b0251b7dfcab000b7c48fd840eff35189e8a45901852e3910a
SHA512790141b758aa68c6384aaf6f85b09f9bc641a300a4e7fa05a74c3f89af090fbbfdcfe3dce24842a8d0c75b874839d505692c1951ed66f57e9840c559820514d3
-
Filesize
4KB
-
Filesize
32.9MB
-
Filesize
1.3MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
1.3MB