Analysis Overview
SHA256
b78112b8eced8b7e581730c13e55dd7e9a722acbe6c68f806883913d78142ad2
Threat Level: Shows suspicious behavior
The file b78112b8eced8b7e581730c13e55dd7e9a722acbe6c68f806883913d78142ad2 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 04:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:54
Platform
win7-20240611-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b78112b8eced8b7e581730c13e55dd7e9a722acbe6c68f806883913d78142ad2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b78112b8eced8b7e581730c13e55dd7e9a722acbe6c68f806883913d78142ad2.exe
"C:\Users\Admin\AppData\Local\Temp\b78112b8eced8b7e581730c13e55dd7e9a722acbe6c68f806883913d78142ad2.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D0039FE920748E15D9C3CE3324C285DC C
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\gasdgtt\TD远程协助(TO DESK) 2.3.0\install\TD远程协助(TO DESK).msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\b78112b8eced8b7e581730c13e55dd7e9a722acbe6c68f806883913d78142ad2.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1717908529 "
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5753C9A843005F71CF85A78129A4A5A4 C
Network
Files
memory/2344-0-0x0000000000300000-0x0000000000301000-memory.dmp
C:\Users\Admin\AppData\Roaming\gasdgtt\TD远程协助(TO DESK) 2.3.0\install\TD远程协助(TO DESK).msi
| Hash | Value |
|---|---|
| MD5 | 0392f8459009c52b349f798b30f39278 |
| SHA1 | 7f46a00dbf265fe0b591a9dd7cd7f1165009e4a2 |
| SHA256 | 410089e31e683cb8d4ed15e573c8547248777bd642ef7beb90713ba485850037 |
| SHA512 | 2a8885e031fdd4aabcfb3c1dca04c0db0fe1fd8ea74cedd7e1c44a7d787a7947028dacebada243cc0455eab835cf012ee907c72323c74acbf31c500bc8e4e6da |
\Users\Admin\AppData\Local\Temp\MSI60E5.tmp
| Hash | Value |
|---|---|
| MD5 | 475d20c0ea477a35660e3f67ecf0a1df |
| SHA1 | 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08 |
| SHA256 | 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd |
| SHA512 | 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e |
memory/2344-30-0x0000000000300000-0x0000000000301000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 04:52
Reported
2024-06-12 04:54
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b78112b8eced8b7e581730c13e55dd7e9a722acbe6c68f806883913d78142ad2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b78112b8eced8b7e581730c13e55dd7e9a722acbe6c68f806883913d78142ad2.exe
"C:\Users\Admin\AppData\Local\Temp\b78112b8eced8b7e581730c13e55dd7e9a722acbe6c68f806883913d78142ad2.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 76A785407364165C3BE935ED0A83F72D C
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\gasdgtt\TD远程协助(TO DESK) 2.3.0\install\TD远程协助(TO DESK).msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\b78112b8eced8b7e581730c13e55dd7e9a722acbe6c68f806883913d78142ad2.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1717927297 "
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B5ABEA5F4B845CB7EF2C7701FA3F8E27 C
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\gasdgtt\TD远程协助(TO DESK) 2.3.0\install\TD远程协助(TO DESK).msi
| Hash | Value |
|---|---|
| MD5 | 0392f8459009c52b349f798b30f39278 |
| SHA1 | 7f46a00dbf265fe0b591a9dd7cd7f1165009e4a2 |
| SHA256 | 410089e31e683cb8d4ed15e573c8547248777bd642ef7beb90713ba485850037 |
| SHA512 | 2a8885e031fdd4aabcfb3c1dca04c0db0fe1fd8ea74cedd7e1c44a7d787a7947028dacebada243cc0455eab835cf012ee907c72323c74acbf31c500bc8e4e6da |
C:\Users\Admin\AppData\Local\Temp\MSI20B3.tmp
| Hash | Value |
|---|---|
| MD5 | 475d20c0ea477a35660e3f67ecf0a1df |
| SHA1 | 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08 |
| SHA256 | 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd |
| SHA512 | 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e |