Analysis
max time kernel: 142s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 07:53

Static task: static1
Behavioral task: behavioral1
  Sample: 3028ce536c4f824a7a704635266d9f21a0b012a7736f2bfbe7963da1637150c6.msi
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 3028ce536c4f824a7a704635266d9f21a0b012a7736f2bfbe7963da1637150c6.msi
  Resource: win10v2004-20240508-en
General
Target: 3028ce536c4f824a7a704635266d9f21a0b012a7736f2bfbe7963da1637150c6.msi
Size: 5.2MB
MD5: 63000314ce0824ec8de4656837f6d932
SHA1: 760f3642f230579674b68b45a3587866212afb0a
SHA256: 3028ce536c4f824a7a704635266d9f21a0b012a7736f2bfbe7963da1637150c6
SHA512: c13d51d8b95d9f41db084dd516169a32721511eeba86870d4bf4bde8d1d63d82c8145871f793e89b67920ff76047125fe2d0a3f928afde29f1357ff74aaf8b2b
SSDEEP: 98304:1d2naw8kkB5ON60VNif4DXqH8XoxzZ0Lji0lROQrKm3esfDY1:f88kkC0QlXqHx+Jl9r6B
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe, each drive twice: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried by FomsTudioª.exe: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
Drops file in Windows directory (12 IoCs)
All by msiexec.exe:
- File opened for modification: C:\Windows\Installer\MSI5259.tmp
- File opened for modification: C:\Windows\Installer\
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- File created: C:\Windows\Installer\e5750c0.msi
- File opened for modification: C:\Windows\Installer\e5750c0.msi
- File opened for modification: C:\Windows\Installer\MSI51BB.tmp
- File opened for modification: C:\Windows\Installer\MSI520A.tmp
- File opened for modification: C:\Windows\Installer\MSI53A3.tmp
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification: C:\Windows\Installer\MSI510E.tmp
- File opened for modification: C:\Windows\Installer\MSI52F6.tmp
- File created: C:\Windows\Installer\SourceHash{7CF68476-6C14-470A-B502-0AF87529D6C4}
Executes dropped EXE (1 IoC)
PID 2192 FomsTudioª.exe

Loads dropped DLL (6 IoCs)
PID 4988 MsiExec.exe (5 times), PID 2192 FomsTudioª.exe (1 time)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 2876 schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 3872 msiexec.exe (2 times)
Suspicious use of AdjustPrivilegeToken (58 IoCs)
PID 1928 msiexec.exe (31 tokens): SeShutdownPrivilege (2 times), SeIncreaseQuotaPrivilege (2 times), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
PID 3872 msiexec.exe (19 tokens): SeSecurityPrivilege (1 time), then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (9 times each)
PID 2192 FomsTudioª.exe (8 tokens): Token 33 and SeIncBasePriorityPrivilege alternating (4 times each)
Suspicious use of FindShellTrayWindow (4 IoCs)
PID 1928 msiexec.exe (2 times), PID 2192 FomsTudioª.exe (2 times)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3872 msiexec.exe wrote to memory of PID 4988 (procid_target 84), 3 times
- PID 3872 msiexec.exe wrote to memory of PID 2192 (procid_target 87), 2 times
- PID 2192 FomsTudioª.exe wrote to memory of PID 3004 (procid_target 96), 2 times
- PID 2192 FomsTudioª.exe wrote to memory of PID 2876 (procid_target 98), 2 times

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\system32\msiexec.exe (PID 1928)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3028ce536c4f824a7a704635266d9f21a0b012a7736f2bfbe7963da1637150c6.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 3872)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Windows\syswow64\MsiExec.exe (PID 4988)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7B9E57D5296C9076D16071709CB93232
    Signatures: Loads dropped DLL

  - C:\Users\Admin\AppData\Roaming\FomsTudioª.exe (PID 2192)
    Command line: "C:\Users\Admin\AppData\Roaming\FomsTudioª.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

    - C:\Windows\System32\schtasks.exe (PID 3004)
      Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "FomsTudioª"

    - C:\Windows\System32\schtasks.exe (PID 2876)
      Command line: "C:\Windows\System32\schtasks.exe" /create /SC MINUTE /MO 5 /TN "Java" /tr "C:\Users\Admin\AppData\Roaming\Sun\Java.exe k7"
      Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads