236aa3f0c90eabae780df59429fc87fbff76d9b18bbdf7e8298429d07a3f71ae

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wqEtripSetUp.msi
Size

11.5MB
MD5

60fff77b4d1a52465dcb9d92d747985d
SHA1

8e13b3d87d10eb624be801b2465d71471cb09150
SHA256

4ab4b66e69297c858b5075f4191b43e9d934733ac186384b59f42572cdd54195
SHA512

511d55ab09ce7da4a8d0a07e0c09615565f0b22486dacb219dcbae2ea5c502e87006397d1e058681760944631d05aeea686e9c7d00a23089b76692abffabbbcf
SSDEEP

196608:UAGoqBQK8QQKKyFbaF4jkm+gipgpeJY2n2SIpZo2o7XIJck+rHLGJH0fzSUxuawc:rGdQK8QDKiU4jKMpYVbX2CIJaIHozt7w

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Loads dropped DLL 2 IoCs

pid	Process
3772	MsiExec.exe
3772	MsiExec.exe

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
1780	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1780	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1780	msiexec.exe
Token: SeSecurityPrivilege	2344	msiexec.exe
Token: SeCreateTokenPrivilege	1780	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1780	msiexec.exe
Token: SeLockMemoryPrivilege	1780	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1780	msiexec.exe
Token: SeMachineAccountPrivilege	1780	msiexec.exe
Token: SeTcbPrivilege	1780	msiexec.exe
Token: SeSecurityPrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeLoadDriverPrivilege	1780	msiexec.exe
Token: SeSystemProfilePrivilege	1780	msiexec.exe
Token: SeSystemtimePrivilege	1780	msiexec.exe
Token: SeProfSingleProcessPrivilege	1780	msiexec.exe
Token: SeIncBasePriorityPrivilege	1780	msiexec.exe
Token: SeCreatePagefilePrivilege	1780	msiexec.exe
Token: SeCreatePermanentPrivilege	1780	msiexec.exe
Token: SeBackupPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeShutdownPrivilege	1780	msiexec.exe
Token: SeDebugPrivilege	1780	msiexec.exe
Token: SeAuditPrivilege	1780	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1780	msiexec.exe
Token: SeChangeNotifyPrivilege	1780	msiexec.exe
Token: SeRemoteShutdownPrivilege	1780	msiexec.exe
Token: SeUndockPrivilege	1780	msiexec.exe
Token: SeSyncAgentPrivilege	1780	msiexec.exe
Token: SeEnableDelegationPrivilege	1780	msiexec.exe
Token: SeManageVolumePrivilege	1780	msiexec.exe
Token: SeImpersonatePrivilege	1780	msiexec.exe
Token: SeCreateGlobalPrivilege	1780	msiexec.exe
Token: SeCreateTokenPrivilege	1780	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1780	msiexec.exe
Token: SeLockMemoryPrivilege	1780	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1780	msiexec.exe
Token: SeMachineAccountPrivilege	1780	msiexec.exe
Token: SeTcbPrivilege	1780	msiexec.exe
Token: SeSecurityPrivilege	1780	msiexec.exe
Token: SeTakeOwnershipPrivilege	1780	msiexec.exe
Token: SeLoadDriverPrivilege	1780	msiexec.exe
Token: SeSystemProfilePrivilege	1780	msiexec.exe
Token: SeSystemtimePrivilege	1780	msiexec.exe
Token: SeProfSingleProcessPrivilege	1780	msiexec.exe
Token: SeIncBasePriorityPrivilege	1780	msiexec.exe
Token: SeCreatePagefilePrivilege	1780	msiexec.exe
Token: SeCreatePermanentPrivilege	1780	msiexec.exe
Token: SeBackupPrivilege	1780	msiexec.exe
Token: SeRestorePrivilege	1780	msiexec.exe
Token: SeShutdownPrivilege	1780	msiexec.exe
Token: SeDebugPrivilege	1780	msiexec.exe
Token: SeAuditPrivilege	1780	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1780	msiexec.exe
Token: SeChangeNotifyPrivilege	1780	msiexec.exe
Token: SeRemoteShutdownPrivilege	1780	msiexec.exe
Token: SeUndockPrivilege	1780	msiexec.exe
Token: SeSyncAgentPrivilege	1780	msiexec.exe
Token: SeEnableDelegationPrivilege	1780	msiexec.exe
Token: SeManageVolumePrivilege	1780	msiexec.exe
Token: SeImpersonatePrivilege	1780	msiexec.exe
Token: SeCreateGlobalPrivilege	1780	msiexec.exe
Token: SeCreateTokenPrivilege	1780	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1780	msiexec.exe
Token: SeLockMemoryPrivilege	1780	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1780	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3772	2344	msiexec.exe	93
PID 2344 wrote to memory of 3772	2344	msiexec.exe	93
PID 2344 wrote to memory of 3772	2344	msiexec.exe	93

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wqEtripSetUp.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1780

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D3780B183D84574223A72B5672A6F7F8 C
  2⤵
  - Loads dropped DLL
  PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI1D57.tmp

Filesize
209KB

MD5
401955b8f77f1c86364af675ce66cb87

SHA1
4980ad5359f3a80d434b8b177eefc3102c37e414

SHA256
7b384a5b16e8550cef4143851117984fb71c3ac34fbfc5d95487153afac9c46c

SHA512
7974db82d827b7a0e724f22f76660ee954e2698d17e38478af9ca685c8407d58804c1da36d8e21071f345ca0c8645c455401af1f4d7cfd7edfb2822b5661a25e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads