Analysis
max time kernel: 51s
max time network: 64s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 14:08
Static task: static1
Behavioral task: behavioral1
  Sample: torbrowser-install-win64-12.5.2_ALL.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: torbrowser-install-win64-12.5.2_ALL.exe
  Resource: win7-20240220-en
Behavioral task: behavioral3
  Sample: torbrowser-install-win64-12.5.2_ALL.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral4
  Sample: torbrowser-install-win64-12.5.2_ALL.exe
  Resource: win11-20240611-en
General
Target: torbrowser-install-win64-12.5.2_ALL.exe
Size: 289.6MB
MD5: 43d370c16771d0f1ac2fc59c215e7354
SHA1: a75b9cd40fa23327703fbb79f48f0a3dd4df969f
SHA256: 42042fec3226c309a89f3f3a499cf9427a60d68a59474a5549968da1e0bfc346
SHA512: 33ab2368f8ce000578a92cd5200623c98d35d47eeed401ea41f9b3e6beaf50e194d97be8896a0244656471e99ce7e6620c263532ef0d8079fd0b41046fb4fde5
SSDEEP: 6291456:VHPOAwPIY9Q6VbzoyOABSnazyBUJCbP795QHxYF:VHP6NQizVJCbR5kYF
Malware Config
Signatures
Loads dropped DLL (9 IoCs)
  pid   Process
  1240  MsiExec.exe
  1240  MsiExec.exe
  252   MsiExec.exe
  252   MsiExec.exe
  252   MsiExec.exe
  252   MsiExec.exe
  252   MsiExec.exe
  252   MsiExec.exe
  252   MsiExec.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  3752  torbrowser-install-win64-12.5.2_ALL.exe
  4744  msiexec.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                          pid   Process                                   procid_target
  PID 4784 wrote to memory of 1240     4784  msiexec.exe                               82
  PID 4784 wrote to memory of 1240     4784  msiexec.exe                               82
  PID 4784 wrote to memory of 1240     4784  msiexec.exe                               82
  PID 3752 wrote to memory of 4744     3752  torbrowser-install-win64-12.5.2_ALL.exe   83
  PID 3752 wrote to memory of 4744     3752  torbrowser-install-win64-12.5.2_ALL.exe   83
  PID 3752 wrote to memory of 4744     3752  torbrowser-install-win64-12.5.2_ALL.exe   83
  PID 4784 wrote to memory of 252      4784  msiexec.exe                               84
  PID 4784 wrote to memory of 252      4784  msiexec.exe                               84
  PID 4784 wrote to memory of 252      4784  msiexec.exe                               84
Processes
[1] C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-12.5.2_ALL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-12.5.2_ALL.exe"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 3752
    [2] C:\Windows\SysWOW64\msiexec.exe
        Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Tor Browser\Tor Browser 13.0.14\install\Tor Browser.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-12.5.2_ALL.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1719429548 "
        - Enumerates connected drives
        - Suspicious use of FindShellTrayWindow
        PID: 4744
[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4784
    [2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 58013836BC37A607F4EC3EA945BE28DC C
        - Loads dropped DLL
        PID: 1240
    [2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 070C94C2300E950D00F72A1F3185C566 C
        - Loads dropped DLL
        PID: 252
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 587KB
MD5: c7fbd5ee98e32a77edf1156db3fca622
SHA1: 3e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256: e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA512: 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Filesize: 1.9MB
MD5: dc6f1443f551689359252bd1f266ee5a
SHA1: 064816d1c449b4e6785b9cc844754ae8f354fdcc
SHA256: 0894b40a346dda6d94bfb845f98dde8cb5cf8ce4a984fe5ca6d3e16890ecf51e
SHA512: b65846847f113be5912ade6aa48acf04b745f4615e7b02e8312952717645ca86cb921488ea177795256ecc4b0198233e286be8bf64e129176939e39262fad767