c0160132cdd26f97faf1dbe38c46b508c790b54af3a8488cd7dda990e0052aba

Resubmissions

28-06-2024 16:08

240628-tllx1aygqj 7

28-06-2024 16:00

240628-tf3zbswcrf 7

28-06-2024 15:54

240628-tchh8awckf 7

Analysis

max time kernel
135s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-06-2024 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HelloWorld.exe
Size

84.8MB
MD5

3c77097a11493ae585e1e366d192f05f
SHA1

5d8634bda8ad06806fe3c3fe7ac765e7a38df4ed
SHA256

c0160132cdd26f97faf1dbe38c46b508c790b54af3a8488cd7dda990e0052aba
SHA512

39071eaeceaa5904e3abcb31c8a2f13582d87469cd4aca1225a311d5bd2fa262e0f24b322157dc1c21efc8a3ed091102ab50e61543c61a3637bc7e6c1856b3ed
SSDEEP

1572864:Q49UQEDl5ZdBrkJoO3nxVvKuLSCbB1lfDfvUTckPjC479SKAokgRBH45fPB:QKUQgl5TxOXmuLSCb/lfD3+cQjl7dBds

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3300	HelloWorld-x64.exe

Loads dropped DLL 14 IoCs

pid	Process
1284	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
3300	HelloWorld-x64.exe
3300	HelloWorld-x64.exe
3300	HelloWorld-x64.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	HelloWorld.exe
File opened (read-only)	\??\M:	HelloWorld.exe
File opened (read-only)	\??\S:	HelloWorld.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	HelloWorld.exe
File opened (read-only)	\??\W:	HelloWorld.exe
File opened (read-only)	\??\X:	HelloWorld.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	HelloWorld.exe
File opened (read-only)	\??\E:	HelloWorld.exe
File opened (read-only)	\??\Z:	HelloWorld.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	HelloWorld.exe
File opened (read-only)	\??\Q:	HelloWorld.exe
File opened (read-only)	\??\V:	HelloWorld.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	HelloWorld.exe
File opened (read-only)	\??\K:	HelloWorld.exe
File opened (read-only)	\??\P:	HelloWorld.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	HelloWorld.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	HelloWorld.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	HelloWorld.exe
File opened (read-only)	\??\O:	HelloWorld.exe
File opened (read-only)	\??\T:	HelloWorld.exe
File opened (read-only)	\??\Y:	HelloWorld.exe
File opened (read-only)	\??\I:	HelloWorld.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	HelloWorld.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4116	msiexec.exe
Token: SeCreateTokenPrivilege	2832	HelloWorld.exe
Token: SeAssignPrimaryTokenPrivilege	2832	HelloWorld.exe
Token: SeLockMemoryPrivilege	2832	HelloWorld.exe
Token: SeIncreaseQuotaPrivilege	2832	HelloWorld.exe
Token: SeMachineAccountPrivilege	2832	HelloWorld.exe
Token: SeTcbPrivilege	2832	HelloWorld.exe
Token: SeSecurityPrivilege	2832	HelloWorld.exe
Token: SeTakeOwnershipPrivilege	2832	HelloWorld.exe
Token: SeLoadDriverPrivilege	2832	HelloWorld.exe
Token: SeSystemProfilePrivilege	2832	HelloWorld.exe
Token: SeSystemtimePrivilege	2832	HelloWorld.exe
Token: SeProfSingleProcessPrivilege	2832	HelloWorld.exe
Token: SeIncBasePriorityPrivilege	2832	HelloWorld.exe
Token: SeCreatePagefilePrivilege	2832	HelloWorld.exe
Token: SeCreatePermanentPrivilege	2832	HelloWorld.exe
Token: SeBackupPrivilege	2832	HelloWorld.exe
Token: SeRestorePrivilege	2832	HelloWorld.exe
Token: SeShutdownPrivilege	2832	HelloWorld.exe
Token: SeDebugPrivilege	2832	HelloWorld.exe
Token: SeAuditPrivilege	2832	HelloWorld.exe
Token: SeSystemEnvironmentPrivilege	2832	HelloWorld.exe
Token: SeChangeNotifyPrivilege	2832	HelloWorld.exe
Token: SeRemoteShutdownPrivilege	2832	HelloWorld.exe
Token: SeUndockPrivilege	2832	HelloWorld.exe
Token: SeSyncAgentPrivilege	2832	HelloWorld.exe
Token: SeEnableDelegationPrivilege	2832	HelloWorld.exe
Token: SeManageVolumePrivilege	2832	HelloWorld.exe
Token: SeImpersonatePrivilege	2832	HelloWorld.exe
Token: SeCreateGlobalPrivilege	2832	HelloWorld.exe
Token: SeCreateTokenPrivilege	2832	HelloWorld.exe
Token: SeAssignPrimaryTokenPrivilege	2832	HelloWorld.exe
Token: SeLockMemoryPrivilege	2832	HelloWorld.exe
Token: SeIncreaseQuotaPrivilege	2832	HelloWorld.exe
Token: SeMachineAccountPrivilege	2832	HelloWorld.exe
Token: SeTcbPrivilege	2832	HelloWorld.exe
Token: SeSecurityPrivilege	2832	HelloWorld.exe
Token: SeTakeOwnershipPrivilege	2832	HelloWorld.exe
Token: SeLoadDriverPrivilege	2832	HelloWorld.exe
Token: SeSystemProfilePrivilege	2832	HelloWorld.exe
Token: SeSystemtimePrivilege	2832	HelloWorld.exe
Token: SeProfSingleProcessPrivilege	2832	HelloWorld.exe
Token: SeIncBasePriorityPrivilege	2832	HelloWorld.exe
Token: SeCreatePagefilePrivilege	2832	HelloWorld.exe
Token: SeCreatePermanentPrivilege	2832	HelloWorld.exe
Token: SeBackupPrivilege	2832	HelloWorld.exe
Token: SeRestorePrivilege	2832	HelloWorld.exe
Token: SeShutdownPrivilege	2832	HelloWorld.exe
Token: SeDebugPrivilege	2832	HelloWorld.exe
Token: SeAuditPrivilege	2832	HelloWorld.exe
Token: SeSystemEnvironmentPrivilege	2832	HelloWorld.exe
Token: SeChangeNotifyPrivilege	2832	HelloWorld.exe
Token: SeRemoteShutdownPrivilege	2832	HelloWorld.exe
Token: SeUndockPrivilege	2832	HelloWorld.exe
Token: SeSyncAgentPrivilege	2832	HelloWorld.exe
Token: SeEnableDelegationPrivilege	2832	HelloWorld.exe
Token: SeManageVolumePrivilege	2832	HelloWorld.exe
Token: SeImpersonatePrivilege	2832	HelloWorld.exe
Token: SeCreateGlobalPrivilege	2832	HelloWorld.exe
Token: SeCreateTokenPrivilege	2832	HelloWorld.exe
Token: SeAssignPrimaryTokenPrivilege	2832	HelloWorld.exe
Token: SeLockMemoryPrivilege	2832	HelloWorld.exe
Token: SeIncreaseQuotaPrivilege	2832	HelloWorld.exe
Token: SeMachineAccountPrivilege	2832	HelloWorld.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2832	HelloWorld.exe
2784	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 1284	4116	msiexec.exe	75
PID 4116 wrote to memory of 1284	4116	msiexec.exe	75
PID 4116 wrote to memory of 1284	4116	msiexec.exe	75
PID 2832 wrote to memory of 2784	2832	HelloWorld.exe	76
PID 2832 wrote to memory of 2784	2832	HelloWorld.exe	76
PID 2832 wrote to memory of 2784	2832	HelloWorld.exe	76
PID 4116 wrote to memory of 4632	4116	msiexec.exe	77
PID 4116 wrote to memory of 4632	4116	msiexec.exe	77
PID 4116 wrote to memory of 4632	4116	msiexec.exe	77
PID 4632 wrote to memory of 2088	4632	MsiExec.exe	78
PID 4632 wrote to memory of 2088	4632	MsiExec.exe	78
PID 4632 wrote to memory of 2088	4632	MsiExec.exe	78
PID 4632 wrote to memory of 3300	4632	MsiExec.exe	79
PID 4632 wrote to memory of 3300	4632	MsiExec.exe	79
PID 4632 wrote to memory of 3300	4632	MsiExec.exe	79

C:\Users\Admin\AppData\Local\Temp\HelloWorld.exe
"C:\Users\Admin\AppData\Local\Temp\HelloWorld.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\HelloWorld\HelloWorld翻译 1.0.0\install\B6FCAE9\HelloWorld.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\HelloWorld.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1719349488 "
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:2784

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4996152FCF21CB664AF53F97461B00E7 C
  2⤵
  - Loads dropped DLL
  PID:1284
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 713422A160720C8B5C3CCB5BBCCA4949 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\HelloWorld.exe
    "C:\Users\Admin\AppData\Local\Temp\HelloWorld.exe" /groupsextract:100; /out:"C:\Users\Admin\AppData\Roaming\HelloWorld\HelloWorld翻译\prerequisites" /callbackid:4632
    3⤵
    PID:2088
- - C:\Users\Admin\AppData\Roaming\HelloWorld\HelloWorld翻译\prerequisites\HelloWorld精简版V2\HelloWorld-x64.exe
    "C:\Users\Admin\AppData\Roaming\HelloWorld\HelloWorld翻译\prerequisites\HelloWorld精简版V2\HelloWorld-x64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI7CB3.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7FA4.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Roaming\HelloWorld\HelloWorld翻译 1.0.0\install\B6FCAE9\HelloWorld.msi

Filesize
2.6MB

MD5
2a13b8bdeb5ff6c028152841fb2ccd41

SHA1
3ecbbd15eaa11be57e914d47a6ee31da5b908f5f

SHA256
f1c09dae52cdbadae62fc1fee62c46637bac7507ea6e365fc8c0404b6c56e7ae

SHA512
c4a42c7d613963ef6af1667e68a9da2bbe09e8c3d38d93062621fdd99a4a36ed160ff87ad186dedb5ffc92875db49ff9aa6a16a68aab2c83e4f6cf62677b7db5

Download Submit
\Users\Admin\AppData\Local\Temp\nsgAF6B.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsgAF6B.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsgAF6B.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit