Overview
overview
6Static
static
3pingplotte...ll.exe
windows7-x64
6pingplotte...ll.exe
windows10-2004-x64
6$PLUGINSDI...er.dll
windows7-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3$_4_.msi
windows7-x64
6$_4_.msi
windows10-2004-x64
6Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12/06/2024, 05:07
Static task
static1
Behavioral task
behavioral1
Sample
pingplotter_install.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
pingplotter_install.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/DotNetChecker.dll
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/DotNetChecker.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240611-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsisdl.dll
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsisdl.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
$_4_.msi
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
$_4_.msi
Resource
win10v2004-20240508-en
General
-
Target
$_4_.msi
-
Size
68.0MB
-
MD5
d338244a4c63c6829ba63a436cd96bca
-
SHA1
cf5b67a36f27990ae89933913b8e09c48360837c
-
SHA256
c04393d32a045faa0940dc56f91d456935060cfa995cf3caee948ef09ab5cd33
-
SHA512
ac5ed089a9ca48a7a997cf6053d7a8dec41b729f1ee456051ffc23373425bf62a2f82df9027176fa614b39c335ca86b4e23633fe50359fc0392a54ff47744b46
-
SSDEEP
393216:wst/V4e0wTkW4rjtNkWbNUz6sdhq1Dzw7RvPm0DMFGwyZyjVhlwdLnoIXXsagvHs:wUqWYXkW5Ujqhzw7RvtYrHs9os
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Loads dropped DLL 7 IoCs
pid Process 3652 MsiExec.exe 3652 MsiExec.exe 3652 MsiExec.exe 3652 MsiExec.exe 3652 MsiExec.exe 3652 MsiExec.exe 3652 MsiExec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1116 msiexec.exe Token: SeIncreaseQuotaPrivilege 1116 msiexec.exe Token: SeSecurityPrivilege 2628 msiexec.exe Token: SeCreateTokenPrivilege 1116 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1116 msiexec.exe Token: SeLockMemoryPrivilege 1116 msiexec.exe Token: SeIncreaseQuotaPrivilege 1116 msiexec.exe Token: SeMachineAccountPrivilege 1116 msiexec.exe Token: SeTcbPrivilege 1116 msiexec.exe Token: SeSecurityPrivilege 1116 msiexec.exe Token: SeTakeOwnershipPrivilege 1116 msiexec.exe Token: SeLoadDriverPrivilege 1116 msiexec.exe Token: SeSystemProfilePrivilege 1116 msiexec.exe Token: SeSystemtimePrivilege 1116 msiexec.exe Token: SeProfSingleProcessPrivilege 1116 msiexec.exe Token: SeIncBasePriorityPrivilege 1116 msiexec.exe Token: SeCreatePagefilePrivilege 1116 msiexec.exe Token: SeCreatePermanentPrivilege 1116 msiexec.exe Token: SeBackupPrivilege 1116 msiexec.exe Token: SeRestorePrivilege 1116 msiexec.exe Token: SeShutdownPrivilege 1116 msiexec.exe Token: SeDebugPrivilege 1116 msiexec.exe Token: SeAuditPrivilege 1116 msiexec.exe Token: SeSystemEnvironmentPrivilege 1116 msiexec.exe Token: SeChangeNotifyPrivilege 1116 msiexec.exe Token: SeRemoteShutdownPrivilege 1116 msiexec.exe Token: SeUndockPrivilege 1116 msiexec.exe Token: SeSyncAgentPrivilege 1116 msiexec.exe Token: SeEnableDelegationPrivilege 1116 msiexec.exe Token: SeManageVolumePrivilege 1116 msiexec.exe Token: SeImpersonatePrivilege 1116 msiexec.exe Token: SeCreateGlobalPrivilege 1116 msiexec.exe Token: SeCreateTokenPrivilege 1116 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1116 msiexec.exe Token: SeLockMemoryPrivilege 1116 msiexec.exe Token: SeIncreaseQuotaPrivilege 1116 msiexec.exe Token: SeMachineAccountPrivilege 1116 msiexec.exe Token: SeTcbPrivilege 1116 msiexec.exe Token: SeSecurityPrivilege 1116 msiexec.exe Token: SeTakeOwnershipPrivilege 1116 msiexec.exe Token: SeLoadDriverPrivilege 1116 msiexec.exe Token: SeSystemProfilePrivilege 1116 msiexec.exe Token: SeSystemtimePrivilege 1116 msiexec.exe Token: SeProfSingleProcessPrivilege 1116 msiexec.exe Token: SeIncBasePriorityPrivilege 1116 msiexec.exe Token: SeCreatePagefilePrivilege 1116 msiexec.exe Token: SeCreatePermanentPrivilege 1116 msiexec.exe Token: SeBackupPrivilege 1116 msiexec.exe Token: SeRestorePrivilege 1116 msiexec.exe Token: SeShutdownPrivilege 1116 msiexec.exe Token: SeDebugPrivilege 1116 msiexec.exe Token: SeAuditPrivilege 1116 msiexec.exe Token: SeSystemEnvironmentPrivilege 1116 msiexec.exe Token: SeChangeNotifyPrivilege 1116 msiexec.exe Token: SeRemoteShutdownPrivilege 1116 msiexec.exe Token: SeUndockPrivilege 1116 msiexec.exe Token: SeSyncAgentPrivilege 1116 msiexec.exe Token: SeEnableDelegationPrivilege 1116 msiexec.exe Token: SeManageVolumePrivilege 1116 msiexec.exe Token: SeImpersonatePrivilege 1116 msiexec.exe Token: SeCreateGlobalPrivilege 1116 msiexec.exe Token: SeCreateTokenPrivilege 1116 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1116 msiexec.exe Token: SeLockMemoryPrivilege 1116 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1116 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2628 wrote to memory of 3652 2628 msiexec.exe 85 PID 2628 wrote to memory of 3652 2628 msiexec.exe 85 PID 2628 wrote to memory of 3652 2628 msiexec.exe 85
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$_4_.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1116
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0EC4CF081FD576931736972B2923DDA6 C2⤵
- Loads dropped DLL
PID:3652
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
364KB
MD5ca95f207ec70ba34b46c785f7bcb5570
SHA125c0d45cb9f94892e2877033d06fe8909e5b9972
SHA2568ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb
SHA512c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831
-
Filesize
561KB
MD55576bf4d22dc695564e49a68cbc98bc2
SHA180e0e045162a65d84939e22a821ecbbbde3f31d6
SHA25620f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801
SHA5124b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972