Analysis
max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240220-en
resource tags
arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted
29-06-2024 14:08
Static task
static1
Behavioral task
behavioral1
Sample
torbrowser-install-win64-12.5.2_ALL.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
torbrowser-install-win64-12.5.2_ALL.exe
Resource
win7-20240220-en
Behavioral task
behavioral3
Sample
torbrowser-install-win64-12.5.2_ALL.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
torbrowser-install-win64-12.5.2_ALL.exe
Resource
win11-20240611-en
General
Target
torbrowser-install-win64-12.5.2_ALL.exe
Size
289.6MB
MD5
43d370c16771d0f1ac2fc59c215e7354
SHA1
a75b9cd40fa23327703fbb79f48f0a3dd4df969f
SHA256
42042fec3226c309a89f3f3a499cf9427a60d68a59474a5549968da1e0bfc346
SHA512
33ab2368f8ce000578a92cd5200623c98d35d47eeed401ea41f9b3e6beaf50e194d97be8896a0244656471e99ce7e6620c263532ef0d8079fd0b41046fb4fde5
SSDEEP
6291456:VHPOAwPIY9Q6VbzoyOABSnazyBUJCbP795QHxYF:VHP6NQizVJCbR5kYF
Malware Config
Signatures
Loads dropped DLL 6 IoCs
pid   Process
2028  MsiExec.exe
2584  MsiExec.exe (listed five times)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only) \??\<drive>:
Process torbrowser-install-win64-12.5.2_ALL.exe
  drives A, B, E, G, H, I, J, K, L, M, N, P, Q, R, S, T, U, V, W, X, Y, Z (22 IoCs)
Process msiexec.exe
  drives A, B, E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z (42 IoCs; every letter except G, L, N and Z is listed twice, and the table does not say which of the two msiexec.exe processes tagged with this signature in the process tree, PIDs 2456 and 2660, opened each root)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2456  msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description: Token: <privilege>
pid 2660 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
pid 2932 torbrowser-install-win64-12.5.2_ALL.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (this 29-privilege sequence appears in full twice, then its first three entries once more, making up the 64 IoCs listed)
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
2932  torbrowser-install-win64-12.5.2_ALL.exe
2456  msiexec.exe
Suspicious use of WriteProcessMemory 21 IoCs
description                        pid   Process                                  procid_target  times listed
PID 2660 wrote to memory of 2028   2660  msiexec.exe                              29             7
PID 2932 wrote to memory of 2456   2932  torbrowser-install-win64-12.5.2_ALL.exe  30             7
PID 2660 wrote to memory of 2584   2660  msiexec.exe                              31             7
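Added example, not part of the sandbox report or of the Tor Browser project: a small Python parser for the flattened IoC tables in the Signatures section above. It reconstructs per-process drive-letter sets (the condition behind "Enumerates connected drives"), the parent-to-child WriteProcessMemory edges and per-PID privilege sets. The input strings are constructed excerpts of the rows above, with one extra C: row added to exercise the default-drive exclusion and a few duplicate rows to show how repeats collapse. The two-drive threshold in enumerates_connected_drives and all function names are this example's assumptions, not the sandbox's own rules.

```python
import re
from collections import defaultdict

# Constructed excerpts in the report's flattened one-line table format.
# They are a subset of the rows above, plus one C: row (the default drive,
# which the signature must ignore) that is not in the report.
DRIVE_IOCS = (
    "File opened (read-only) \\??\\I: msiexec.exe "
    "File opened (read-only) \\??\\Q: torbrowser-install-win64-12.5.2_ALL.exe "
    "File opened (read-only) \\??\\U: torbrowser-install-win64-12.5.2_ALL.exe "
    "File opened (read-only) \\??\\N: msiexec.exe "
    "File opened (read-only) \\??\\A: msiexec.exe "
    "File opened (read-only) \\??\\A: msiexec.exe "  # duplicate row, as in the report
    "File opened (read-only) \\??\\C: msiexec.exe"   # constructed: default drive
)

WPM_IOCS = (
    "PID 2660 wrote to memory of 2028 2660 msiexec.exe 29 "
    "PID 2660 wrote to memory of 2028 2660 msiexec.exe 29 "
    "PID 2932 wrote to memory of 2456 2932 torbrowser-install-win64-12.5.2_ALL.exe 30 "
    "PID 2660 wrote to memory of 2584 2660 msiexec.exe 31"
)

PRIV_IOCS = (
    "Token: SeRestorePrivilege 2660 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 2660 msiexec.exe "
    "Token: SeDebugPrivilege 2932 torbrowser-install-win64-12.5.2_ALL.exe "
    "Token: SeTcbPrivilege 2932 torbrowser-install-win64-12.5.2_ALL.exe "
    "Token: SeDebugPrivilege 2932 torbrowser-install-win64-12.5.2_ALL.exe"  # repeat
)

# Row patterns. \??\X: is the NT object-manager form of a drive root.
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
PRIV_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")


def drives_by_process(blob, default_drive="C"):
    """Drive letters each process opened, excluding the default drive and
    collapsing repeated rows."""
    seen = defaultdict(set)
    for letter, proc in DRIVE_RE.findall(blob):
        if letter != default_drive:
            seen[proc].add(letter)
    return {proc: sorted(letters) for proc, letters in seen.items()}


def enumerates_connected_drives(blob, min_drives=2):
    """Processes that touched at least min_drives non-default roots.
    The threshold is an assumption of this example, not the sandbox's rule."""
    return sorted(p for p, d in drives_by_process(blob).items() if len(d) >= min_drives)


def wpm_edges(blob):
    """(parent_pid, child_pid) -> parent image, one entry per pair; the report
    lists one row per WriteProcessMemory call, so the same pair repeats."""
    edges = {}
    for src, dst, image, _target_idx in WPM_RE.findall(blob):
        edges[(int(src), int(dst))] = image
    return edges


def process_tree(edges):
    """parent_pid -> sorted child pids, derived from the write edges."""
    tree = defaultdict(list)
    for src, dst in edges:
        tree[src].append(dst)
    return {p: sorted(c) for p, c in tree.items()}


def privileges_by_pid(blob):
    """pid -> sorted set of privileges the process asked to enable."""
    privs = defaultdict(set)
    for name, pid, _image in PRIV_RE.findall(blob):
        privs[int(pid)].add(name)
    return {pid: sorted(s) for pid, s in privs.items()}


if __name__ == "__main__":
    print(drives_by_process(DRIVE_IOCS))
    print(enumerates_connected_drives(DRIVE_IOCS))
    print(process_tree(wpm_edges(WPM_IOCS)))
    print(privileges_by_pid(PRIV_IOCS))
```

Run against the full tables above, the same code yields three distinct write edges, all of them a parent writing into a child it started itself (2660 to 2028 and 2584, 2932 to 2456), which is consistent with ordinary process creation; a write into an unrelated PID would be the finding worth chasing. Likewise, the drive-letter sets show both processes probing every root from A: to Z:, the sweep a generic installer does when it looks for install targets, and the parser makes that pattern visible without reading 64 rows by hand.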
Processes
C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-12.5.2_ALL.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-12.5.2_ALL.exe"
  PID: 2932
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\msiexec.exe
     command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Tor Browser\Tor Browser 13.0.14\install\Tor Browser.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-12.5.2_ALL.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1719410764 "
     PID: 2456
     - Enumerates connected drives
     - Suspicious behavior: GetForegroundWindowSpam
     - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 2660
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  ├─ C:\Windows\syswow64\MsiExec.exe
  │  command line: C:\Windows\syswow64\MsiExec.exe -Embedding 56D0B1CEDB326BDD814603546C862715 C
  │  PID: 2028
  │  - Loads dropped DLL
  └─ C:\Windows\syswow64\MsiExec.exe
     command line: C:\Windows\syswow64\MsiExec.exe -Embedding C7E151DCD99618DCAD575E344DA02EC0 C
     PID: 2584
     - Loads dropped DLL

Reading the tree: the sample is an Advanced Installer bootstrapper (AI_SETUPEXEPATH, SETUPEXEDIR and EXE_CMD_LINE are the properties that bootstrapper hands to msiexec) which unpacks an MSI under AppData\Roaming and runs it through the 32-bit msiexec.exe in SysWOW64. The second root, msiexec.exe /V, is the Windows Installer service; its two -Embedding MsiExec.exe children are the custom-action host processes, and those are the processes flagged for loading dropped DLLs. Note that a file named for Tor Browser 12.5.2 installs an MSI labelled "Tor Browser 13.0.14" from the user's roaming profile: before trusting the sample, compare its SHA256 (42042fec3226c309a89f3f3a499cf9427a60d68a59474a5549968da1e0bfc346, listed under General) against the Tor Project's signed checksum for that release.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
587KB
MD5
c7fbd5ee98e32a77edf1156db3fca622
SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Filesize
1.9MB
MD5
dc6f1443f551689359252bd1f266ee5a
SHA1
064816d1c449b4e6785b9cc844754ae8f354fdcc
SHA256
0894b40a346dda6d94bfb845f98dde8cb5cf8ce4a984fe5ca6d3e16890ecf51e
SHA512
b65846847f113be5912ade6aa48acf04b745f4615e7b02e8312952717645ca86cb921488ea177795256ecc4b0198233e286be8bf64e129176939e39262fad767