Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14/06/2024, 13:17
Static task: static1
Behavioral task: behavioral1
  Sample: c9254567c1026b219ead70cca1162a98fb5af429f278d1b3379bcec9494401f9.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: c9254567c1026b219ead70cca1162a98fb5af429f278d1b3379bcec9494401f9.exe
  Resource: win10v2004-20240611-en
General
Target: c9254567c1026b219ead70cca1162a98fb5af429f278d1b3379bcec9494401f9.exe
Size: 7.3MB
MD5: 74fc237f0d05f8a6873ed376af7fcd0c
SHA1: 4ed436e3c5d4254cb26625e10062165e3f69b80c
SHA256: c9254567c1026b219ead70cca1162a98fb5af429f278d1b3379bcec9494401f9
SHA512: 2fa103808f76dccfab80a087628fb3bff0ada3f892797d3452b493c2c9050203000c66041bf59197d09de9e8da5dccf46c5e0e11c6323f04f98053916d779062
SSDEEP: 98304:9hDq6qXCP7yKPNmxecLushvf7U35YnK/Ag12QzwabJT4pCbRTT3Fyz8K224VnQ7t:TDq6UE7ozQzTJT02TT1qP22IekjK
Malware Config
Signatures
Loads dropped DLL (5 IoCs)
pid   Process
2800  MsiExec.exe
2644  MsiExec.exe
2644  MsiExec.exe
2644  MsiExec.exe
2644  MsiExec.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
2840  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
2020  c9254567c1026b219ead70cca1162a98fb5af429f278d1b3379bcec9494401f9.exe
2840  msiexec.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\c9254567c1026b219ead70cca1162a98fb5af429f278d1b3379bcec9494401f9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9254567c1026b219ead70cca1162a98fb5af429f278d1b3379bcec9494401f9.exe"
  PID: 2020
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\msiexec.exe (depth 2)
    Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\uuiasg1\金山文档精灵 1.3.5 1.3.5\install\金山文档精灵 1.3.5.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\c9254567c1026b219ead70cca1162a98fb5af429f278d1b3379bcec9494401f9.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1718111625 "
    PID: 2840
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3032
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 315257A081294ECFE9DD5163C222DC15 C
    PID: 2800
    - Loads dropped DLL
  C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 56D0DB8EC7177646DFF8497418D06E40 C
    PID: 2644
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 436KB
MD5: 475d20c0ea477a35660e3f67ecf0a1df
SHA1: 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256: 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512: 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Filesize: 1.4MB
MD5: 2e57100f1c31cb85069ebd09da46e39d
SHA1: 92958351510648e0255c304f7eb34d5b3f696103
SHA256: b4d79bb577d89b30acc3cc1bae23b8ffb9a09ad4d04de2d4afab59d0515dbbbd
SHA512: fa8ed2866f01aff164996ed45e154d16790e7f5cc17a4fc4eb6f6b877f3f1d233f36b335b4637a78570a4e72a75270eae425209300662229f6d4f9562e63f2ac