Overview
overview
6Static
static
3Backdoor.M....a.exe
windows7-x64
1Backdoor.M....a.exe
windows10-2004-x64
1Backdoor.M....c.exe
windows7-x64
1Backdoor.M....c.exe
windows10-2004-x64
1Backdoor.W...c2.exe
windows7-x64
1Backdoor.W...c2.exe
windows10-2004-x64
1Backdoor.W....d.exe
windows7-x64
1Backdoor.W....d.exe
windows10-2004-x64
1Backdoor.W....h.exe
windows7-x64
1Backdoor.W....h.exe
windows10-2004-x64
1SDK320.msi
windows7-x64
6SDK320.msi
windows10-2004-x64
6Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 06:07
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.MSIL.Tyupkin.a.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
Backdoor.MSIL.Tyupkin.a.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Backdoor.MSIL.Tyupkin.c.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
Backdoor.MSIL.Tyupkin.c.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Backdoor.Win32.Tyupkin.c2.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral6
Sample
Backdoor.Win32.Tyupkin.c2.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Backdoor.Win32.Tyupkin.d.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
Backdoor.Win32.Tyupkin.d.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Backdoor.Win32.Tyupkin.h.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral10
Sample
Backdoor.Win32.Tyupkin.h.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
SDK320.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
SDK320.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
SDK320.msi
-
Size
457KB
-
MD5
32d5cca418b81e002bb3fdd8e4062bc9
-
SHA1
798d6d8adb449de0a3903af062c8edd8e401c2e4
-
SHA256
6303ee28660f9d8bff4a494f96d681a2cebc72e5abc1ac3b0fdebcddbb7e0b8d
-
SHA512
8321b57b238076b88277e7f7bf38711ff854bf92ef25916c0985c6d7f152b7d566ab27b09be550a4cc235aa335f6ce2eda95b07911c21af07a9148212df5c33e
-
SSDEEP
6144:RmWfO38XsmuHi8LGK3s+3XN8s5nChu76Gdu8hPt4hAVxNB+j25p2rT:c/38XnQPLGKc+nN8sMuddTPOh0xaj
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3000 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeShutdownPrivilege 3000 msiexec.exe Token: SeIncreaseQuotaPrivilege 3000 msiexec.exe Token: SeRestorePrivilege 1432 msiexec.exe Token: SeTakeOwnershipPrivilege 1432 msiexec.exe Token: SeSecurityPrivilege 1432 msiexec.exe Token: SeCreateTokenPrivilege 3000 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3000 msiexec.exe Token: SeLockMemoryPrivilege 3000 msiexec.exe Token: SeIncreaseQuotaPrivilege 3000 msiexec.exe Token: SeMachineAccountPrivilege 3000 msiexec.exe Token: SeTcbPrivilege 3000 msiexec.exe Token: SeSecurityPrivilege 3000 msiexec.exe Token: SeTakeOwnershipPrivilege 3000 msiexec.exe Token: SeLoadDriverPrivilege 3000 msiexec.exe Token: SeSystemProfilePrivilege 3000 msiexec.exe Token: SeSystemtimePrivilege 3000 msiexec.exe Token: SeProfSingleProcessPrivilege 3000 msiexec.exe Token: SeIncBasePriorityPrivilege 3000 msiexec.exe Token: SeCreatePagefilePrivilege 3000 msiexec.exe Token: SeCreatePermanentPrivilege 3000 msiexec.exe Token: SeBackupPrivilege 3000 msiexec.exe Token: SeRestorePrivilege 3000 msiexec.exe Token: SeShutdownPrivilege 3000 msiexec.exe Token: SeDebugPrivilege 3000 msiexec.exe Token: SeAuditPrivilege 3000 msiexec.exe Token: SeSystemEnvironmentPrivilege 3000 msiexec.exe Token: SeChangeNotifyPrivilege 3000 msiexec.exe Token: SeRemoteShutdownPrivilege 3000 msiexec.exe Token: SeUndockPrivilege 3000 msiexec.exe Token: SeSyncAgentPrivilege 3000 msiexec.exe Token: SeEnableDelegationPrivilege 3000 msiexec.exe Token: SeManageVolumePrivilege 3000 msiexec.exe Token: SeImpersonatePrivilege 3000 msiexec.exe Token: SeCreateGlobalPrivilege 3000 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3000 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SDK320.msi1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3000
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432