Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
01/07/2024, 08:08
General
-
Target
Arch0465723801.msi
-
Size
37.2MB
-
MD5
4b8effee7cd036ae012aa8217d923a94
-
SHA1
65b7b7a8478b745248b35324b1d01836d041d710
-
SHA256
c98ae9d2a0cdacdc66c2eec7c768f61870a4cc958264ff2a5cb2fd34fcf3e4af
-
SHA512
bc61ca873f9e8bf358df3ed2f286f2b35fb4502a29de942935d92d1fb618fe0e4726a1b5e123d4782adf96df00d30cb65c962af76918feb478b66262c8332fa5
-
SSDEEP
786432:L8XkV8Tpj4LjhBwRV4gfBNUlM2mNSd7y/ASelgYuxI03zK/k6V:L18T8wRV4g5al2AeREizK/x
Malware Config
Signatures
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 10 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 33 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Arch0465723801.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B6C9241803A75EC027FC245763F156B22⤵
- Loads dropped DLL
-
-
C:\Program Files (x86)\Arch0465723801\Arch0465723801\wilre.exe"C:\Program Files (x86)\Arch0465723801\Arch0465723801\wilre.exe"2⤵
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Installer\MSI17BB.tmp"C:\Windows\Installer\MSI17BB.tmp" https://nertaos.com/it/serv.php2⤵
- Checks whether UAC is enabled
- Executes dropped EXE
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59751e5697011a2d1482585c13ee36e12
SHA1cff2be6af6db6abacad276748593830ea021d0b4
SHA256d849167db35533889766898892b1440323e6cb175759b2eb25d2d90b7b5dc888
SHA51201d6575bf548954f91f3eae12e995d189fc2d91e5dcc6c12cdf8612ac19c53683ef0febb70bc2e815283f79d42a79d897743fef7a05f42faeea923b83775012d
-
Filesize
24.6MB
MD5f1ce0414f1cca8f4927c73b9caceeabd
SHA11b82d314447fc125b7bafd26a9d493e206bc0487
SHA256009070a7e74e32c414c91255e70f14755d1d4a5cc75d6ad63794af3e61b1ae03
SHA5120658952bca9cb8cf0a7105a290f430024e65e89901640e43fa15cd080f4276accd7d249aa427a4c2832d113cdcdbe947a52df23de992c22120b3ddbb3c09acb3
-
Filesize
26.1MB
MD548d732a19514bef06acc712f43fa7d65
SHA1f06845844e06879d355824ce1fcfa90244d526ed
SHA256ba4612db8ce37b8e64d163a4c8e236b0ad2ddc223b91383f270924846394bf95
SHA512041aaa1c64da4d81a6867a56ebd9d8bfd092bd584c09de05349bce42e3b718a36b45970240f0ec25bf962e59730276e51f116d2f7b609beda6993edfa9248135
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
342B
MD5f7e69c3541d6c18a6ed9f3bb23c95cf3
SHA1b4e83a4dc7c0f3892cf25779b5b68d6a1f708ab4
SHA256c3b02225ce44c046d7bb2570d6c302477d724b7e38427071b860540b7291d289
SHA5120443e1945e4b828f0c1e0eeee31ad4da1595f8d921230f81b660063e88d9fc00e17c9fc4eb17f690b9deebcda4bb35fbd3ad9fb172ec1b7d71fb1614bb00c85d
-
Filesize
342B
MD5f5cd024cef255720c8ab437c6fb358c1
SHA14033322de1ffe5f8826b9d9b6d135fba2c2179f6
SHA256a177fe08ae19dc8fac183869f28646d537ae3432bf34a6ec20d9e83335e5d202
SHA5128f36959c3ccdf28eab0f624c4903196ebc3166f31b696180e28884e86fefffa05bb05142454d820df6bcda4d835bab022728ffb280cb8b9a3f5d25fd12e26b7a
-
Filesize
342B
MD5aa91fb09f63fa1e0c7afc191ab0cbeb4
SHA1c1296c4e90eeab66c314475c9894b8f765f600b0
SHA25681d3cc59fe61749d5cdc5fee81f4d5a38b6e172327768131ea77c5c9f0491dbd
SHA512da1c0a7cd287cd54e3bfd694be6a6a7cda079bc4f413d1668f71ad5f2452b9a21d0408478ed264c6980c379d9e19125657b032f2a123ca583c5902548cac96c0
-
Filesize
342B
MD5517afe164c0902c62710c9952332e537
SHA1537a113cc7dd2598409a91b78299db1fa1a0019b
SHA2568119ea6f38abe87942933dd7ed3a33fa430bcdbcbdb52404db472baf5db21709
SHA512405484b418e35179b71a75965d708c67ee83650103002f9f9d43992a5a0ebaefb22fec3f6476f0d769770fda20bfb6dd02b9f8e2c5e4e96d83916d2576a76369
-
Filesize
342B
MD500c5d60d286e76f3a16cb85ab7636888
SHA14808585cb5bf129c828fdffd9333c7b52abbc48a
SHA256e84e662f18257865a79f928f1946eba2e348e7c9cc3c04789610e8230bd49f99
SHA512abed10a0fe1813f3e2f641f93206f92b265d1f891588d009f3e08df0919a9191db66d96ef3ac008a1c4118bdd4ed07cdd8596c620bb96363aca99dddc6c8a8e8
-
Filesize
342B
MD578bc5a3599c10ce4ff5760d0e5f63265
SHA1434edc02b74eba03c09d982931d72d6234dda2c1
SHA25602549e62ea5c2a151fceeb00f78c84ca74ee6ac749e5252df0a38433f3d65677
SHA5123f9f0da4111d12af459700c0366f95bc5b043e34f0a9c28f4b601b3d69eb7dda3d5ca6606d70e897ca29121335a7c2973352fd1df954d768c807355781bf28b1
-
Filesize
342B
MD53f62fdd2f732407d142571e0d5dc37d5
SHA1d2502ce65e3b57d70843a13a1f41a5091e24a210
SHA2562797ef99cde71f70ca45c60192bfd22d1228e26e92e7c38f4b7a31ef36d4e7e0
SHA512f4354ef4c1117c83742113cb9c9f6906ba62980f437ae847b6b680b7fa08c2f9c10752d1bf7517664f32d3d5075f488e75f35f448e1cb56d616ffd7b011cb15c
-
Filesize
342B
MD5a6bc5f2ff9ddfe9ad12ec07f1de393fb
SHA10854b46bcb53b88cb4508e4814c8ddd3633f4d32
SHA256e273357d0506e518b36678ecd919ae8eebd3cf59c3cae64529966f371ea227e0
SHA512800630120a1943737853892779732b15a4136655ff7ddc7423758e856097a357da44ed95d838029dfb349968d49bddd703ec370f1878b6e8e40e4a704b168fe1
-
Filesize
342B
MD55deea42710bc671e39c58b56640a492a
SHA1f0e8b9fd9ba9b68467d7be1b27945e31f1e03b5a
SHA25656c637c83b90eb3d5abba74d099e6fee16b49013255ed93acd157c5a408ea52d
SHA512a3ecceb2cb8d726bd7f50a77a281048c5bb8fccfdbd2f158b33974a8b73b13c790d8ec41513d5b91aea9332febc97a2dd4c6954c5e2c50dd7712f4b004ba90d8
-
Filesize
342B
MD57f12ebe11796602fc1d5e4db9b1eb823
SHA1dc62db08f83396e11a27ec0d6505b55648493d6b
SHA25691c6abd1120aa004be6ce21cb15caa244bd18431196bf3afa2865896880a3027
SHA512fe22aa1b83179c22f3af06e9f17a81dcf67e1ea6575b39f263cabae5ccc497a411d430224d0bc0bc8951980009ce6ace72016fea449782e88619f8c3105537c9
-
Filesize
342B
MD52de708a4ace4ffd277459a9f6342736d
SHA1961a0c4205a0c56dce343a28009a5f70ef45f9cd
SHA2560bf6082b0e9a26089c363aff6c12e2ba4dd6230126da9a1a9252003679f2b524
SHA51247a1e3e7741887c69642d00aa7393d7c99af3d729e499fe5c51c3199a0c6d9511906ebae57668a232800b4fb99b48f1363d224ff6001de12900131b3de7ec56c
-
Filesize
342B
MD57d86a0d52d3c3de20ecbda434d33473a
SHA1a2bdd80bc441d1190b22f22d649297e847d2a8be
SHA256564cc6052dfc7780e13d62f6efbe55f4bfd534565dbfaff49b8794a0010d530c
SHA51258374a6320945eccb3b33fcf3ede2f8c9e83851f5090a15364f5e14f59c9f655601828314f4a105bfeab89fd527ad1b126c6ce9d19724ad32840272893018809
-
Filesize
342B
MD51e19b81a5ef1129496a08f713c44db3b
SHA1755235c3163f721af456ba365d21fc652d254a88
SHA256635c92c8334d85e1f26d934825edf4638122017426c822b5ecde97a2ce8dd5c8
SHA512da842508c97c8f004698db5b882a921240d7dc9a09998fccb760118d384e216e46bb102ae43d4967b697caf137ed323bbf6eca120a0d156c773e0316400cc72b
-
Filesize
342B
MD5853a0260c03d60fc33cb761f57961956
SHA162e9b9f8b5cf57c1feaecd8fcb04ecfc8bfda1ec
SHA256283c89ce62ad66b6735243d3bed20f3187e12f5ac420b8100914957d4d99a14f
SHA512f00e8aefd4e5f291ce4d191cded373fa24c10fc23827cca8888cffe4fed4901b6f9079ccac45256e2ef89e978458af15396629b75cfd02f0afa5c6750f879ed6
-
Filesize
342B
MD5963d0505d5279da13b9cebf8a9ff447c
SHA1bbeb14d58238c88e2fb3741887221753fc2d242b
SHA2566bb789ae2ff08b3b59fbbcf2b03b007544ca7d8317455ba00765b87adb6fcea7
SHA512b59ad752e312e48835e31a332f20734286e451eb85b8d7361e88058f02b7ff5a074696053b508e4d695a3d64890c54df8e1e2e1d3b0b439f4c50e428c12ff21e
-
Filesize
342B
MD5dd42729e42f23f6274c039fa7a7b756d
SHA15952e65419efd878066ab7bd8b5eb2b7abaedf3d
SHA2560b8f74c855ed314bfdb4f033475250b2869205a032933569a7a6e65420ebaa1f
SHA5125c6e374d13fcc641881cd326ddb141167e5bf8106440cdd5371aa34d033d1d0e2593b54ce5907a9548e18c28cedc172a7cdbabcfeffb050f4eb5fdb40f38a8b6
-
Filesize
342B
MD5eccf654c06f951554fa9614084b5f9d6
SHA19b6f0e5394a7d6774378a7689eaa15f5f8ec29a4
SHA256a6dc1aad3a8b829b250c13bf39af6bd4c055f91396c1dd5619378504480953c1
SHA5120ab0c048d325531bfcfc239d9b670ee511ad240475afe0ecc4248e2f8b96ed89880267b722be0bd3688a93a7776ba1c2ed90a009a6cbfc29b9a6033b7402629c
-
Filesize
342B
MD526435da957dcb937e3078e53edb0986d
SHA156e5c1f37d8a1b1e25b224a555b5a0cfce2df838
SHA256bb9ca08f40d2a80f5dcc9039b3b3d8d7b0a1a5739d0a5f9b4b0d3fbe422aabe3
SHA51279092daafaa07c192d7a059812a1662e6ebff40b01f323209f90baf399ca85f0b8ece2d4fc3a6f1e0c97aa4f803d5e4c22721ea692771b3d806dd3e4ddbdf48e
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
57B
MD5c6d5a7f697aa7da0d0b845ea1f293e94
SHA188e5f4e96aa62dd0defbf5deaf86ae091d86f22f
SHA2562338f3f8cf5ce27a59050f32a62ee8f84e223292ad9c6de5e8c7d140fc055385
SHA512d3d68e1c8c081b7b15fd04a513a7aa036f849c80cd6228bce71585f7cc16f5205e4ae7183c7c119032591ef1d033cd267244594117fe157a7de694803108c808
-
Filesize
555KB
MD553ebdf6bc20011120b06e94de66adc51
SHA10c47a3be0ee2dce2e1ffd8c1b40d2ca52d0014f3
SHA256997b258b3f6dd1448fd4d135a56c138813f45f728e57be0eb1908df5b68f031b
SHA51216f2b1ec3e6628f49640afedcad302b0af1fe42b8a7a45b99a16fcec5ed68014ee5aa43672ecc92d7fbd83af18bdc3d1ae3efd0a7b7314ba6a4a156aaa5d37cd
-
Filesize
409KB
MD5a7286d5354ef27044c98aad51fc4468e
SHA1c553b71a417baa43758b241673496ee52579ad81
SHA256747479cf05918baf2fc3e9228778a1fc2aa7e6660c40bd6105519c52b4f28c67
SHA5127e0d200b9ba5d983234f8da372e9f683bf5f7bd029a0dea3acb725128be631fc2cf34e941b5eed0654d5101ea7dddf7e094248e4bd5f84351b850c5aec4b244f
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
26.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB