Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 28/06/2024, 10:49
Static task
static1
Behavioral task
behavioral1
Sample
setup.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
setup.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
wqEtripSetUp.msi
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
wqEtripSetUp.msi
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
新云软件.url
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
新云软件.url
Resource
win10v2004-20240508-en
General
- Target: wqEtripSetUp.msi
- Size: 11.5MB
- MD5: 60fff77b4d1a52465dcb9d92d747985d
- SHA1: 8e13b3d87d10eb624be801b2465d71471cb09150
- SHA256: 4ab4b66e69297c858b5075f4191b43e9d934733ac186384b59f42572cdd54195
- SHA512: 511d55ab09ce7da4a8d0a07e0c09615565f0b22486dacb219dcbae2ea5c502e87006397d1e058681760944631d05aeea686e9c7d00a23089b76692abffabbbcf
- SSDEEP: 196608:UAGoqBQK8QQKKyFbaF4jkm+gipgpeJY2n2SIpZo2o7XIJck+rHLGJH0fzSUxuawc:rGdQK8QDKiU4jKMpYVbX2CIJaIHozt7w
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2332 | MsiExec.exe
  2332 | MsiExec.exe
- Event Triggered Execution: Installer Packages (1 TTPs, 1 IoCs)
  pid | Process
  1452 | msiexec.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1452 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 1452 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1452 | msiexec.exe
  Token: SeRestorePrivilege | 1692 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1692 | msiexec.exe
  Token: SeSecurityPrivilege | 1692 | msiexec.exe
  Token: SeCreateTokenPrivilege | 1452 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 1452 | msiexec.exe
  Token: SeLockMemoryPrivilege | 1452 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1452 | msiexec.exe
  Token: SeMachineAccountPrivilege | 1452 | msiexec.exe
  Token: SeTcbPrivilege | 1452 | msiexec.exe
  Token: SeSecurityPrivilege | 1452 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1452 | msiexec.exe
  Token: SeLoadDriverPrivilege | 1452 | msiexec.exe
  Token: SeSystemProfilePrivilege | 1452 | msiexec.exe
  Token: SeSystemtimePrivilege | 1452 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 1452 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 1452 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 1452 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 1452 | msiexec.exe
  Token: SeBackupPrivilege | 1452 | msiexec.exe
  Token: SeRestorePrivilege | 1452 | msiexec.exe
  Token: SeShutdownPrivilege | 1452 | msiexec.exe
  Token: SeDebugPrivilege | 1452 | msiexec.exe
  Token: SeAuditPrivilege | 1452 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 1452 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 1452 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 1452 | msiexec.exe
  Token: SeUndockPrivilege | 1452 | msiexec.exe
  Token: SeSyncAgentPrivilege | 1452 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 1452 | msiexec.exe
  Token: SeManageVolumePrivilege | 1452 | msiexec.exe
  Token: SeImpersonatePrivilege | 1452 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 1452 | msiexec.exe
  Token: SeCreateTokenPrivilege | 1452 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 1452 | msiexec.exe
  Token: SeLockMemoryPrivilege | 1452 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1452 | msiexec.exe
  Token: SeMachineAccountPrivilege | 1452 | msiexec.exe
  Token: SeTcbPrivilege | 1452 | msiexec.exe
  Token: SeSecurityPrivilege | 1452 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1452 | msiexec.exe
  Token: SeLoadDriverPrivilege | 1452 | msiexec.exe
  Token: SeSystemProfilePrivilege | 1452 | msiexec.exe
  Token: SeSystemtimePrivilege | 1452 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 1452 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 1452 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 1452 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 1452 | msiexec.exe
  Token: SeBackupPrivilege | 1452 | msiexec.exe
  Token: SeRestorePrivilege | 1452 | msiexec.exe
  Token: SeShutdownPrivilege | 1452 | msiexec.exe
  Token: SeDebugPrivilege | 1452 | msiexec.exe
  Token: SeAuditPrivilege | 1452 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 1452 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 1452 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 1452 | msiexec.exe
  Token: SeUndockPrivilege | 1452 | msiexec.exe
  Token: SeSyncAgentPrivilege | 1452 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 1452 | msiexec.exe
  Token: SeManageVolumePrivilege | 1452 | msiexec.exe
  Token: SeImpersonatePrivilege | 1452 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 1452 | msiexec.exe
  Token: SeCreateTokenPrivilege | 1452 | msiexec.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  1452 | msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1692 wrote to memory of 2332 | 1692 | msiexec.exe | 29
  PID 1692 wrote to memory of 2332 | 1692 | msiexec.exe | 29
  PID 1692 wrote to memory of 2332 | 1692 | msiexec.exe | 29
  PID 1692 wrote to memory of 2332 | 1692 | msiexec.exe | 29
  PID 1692 wrote to memory of 2332 | 1692 | msiexec.exe | 29
  PID 1692 wrote to memory of 2332 | 1692 | msiexec.exe | 29
  PID 1692 wrote to memory of 2332 | 1692 | msiexec.exe | 29
Processes
- C:\Windows\system32\msiexec.exe (PID 1452, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wqEtripSetUp.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1692, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2332, depth 2, child of PID 1692)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A7C986C1ADF8FC3CDF03A5A4CB745616 C
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 209KB
  MD5: 401955b8f77f1c86364af675ce66cb87
  SHA1: 4980ad5359f3a80d434b8b177eefc3102c37e414
  SHA256: 7b384a5b16e8550cef4143851117984fb71c3ac34fbfc5d95487153afac9c46c
  SHA512: 7974db82d827b7a0e724f22f76660ee954e2698d17e38478af9ca685c8407d58804c1da36d8e21071f345ca0c8645c455401af1f4d7cfd7edfb2822b5661a25e