c7dda6dc14c58e23b8214d23072e1251679836fa5728db9b1cc142b59f538a99

Analysis

max time kernel
94s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADInfoFreeInstaller.exe
Size

2.0MB
MD5

a134b68cf1d197a141eccfdfc8453c88
SHA1

eb518df5c8dab8415829b5c5a1a6d3beb41e4c8b
SHA256

de88c4800ee0747acd61b218fbe54387d4e92dff66169604bba8506066db1675
SHA512

43b8c8090fad0bedd9be06419ca3eeb1ac11c7cc6080315f3a4509d94db0c1ba339e6a58eae27f81441c50d997b2af5b7ce0d1b813d2fdc4cbe3b90e8fbfc0ea
SSDEEP

49152:hjLr1XqMj1RyE9QY5A4Rn5BIjkXCiOY5AFRn5BIjk1y2RkAyMBAnktW:hrxqMjj2Y5A4RnzI/Y5AFRnzImyBMHW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
808	MsiExec.exe
808	MsiExec.exe
808	MsiExec.exe
808	MsiExec.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
7	4648	msiexec.exe
9	4648	msiexec.exe
13	4648	msiexec.exe
17	4648	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4648	msiexec.exe
Token: SeSecurityPrivilege	4084	msiexec.exe
Token: SeCreateTokenPrivilege	4648	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4648	msiexec.exe
Token: SeLockMemoryPrivilege	4648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4648	msiexec.exe
Token: SeMachineAccountPrivilege	4648	msiexec.exe
Token: SeTcbPrivilege	4648	msiexec.exe
Token: SeSecurityPrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeLoadDriverPrivilege	4648	msiexec.exe
Token: SeSystemProfilePrivilege	4648	msiexec.exe
Token: SeSystemtimePrivilege	4648	msiexec.exe
Token: SeProfSingleProcessPrivilege	4648	msiexec.exe
Token: SeIncBasePriorityPrivilege	4648	msiexec.exe
Token: SeCreatePagefilePrivilege	4648	msiexec.exe
Token: SeCreatePermanentPrivilege	4648	msiexec.exe
Token: SeBackupPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeShutdownPrivilege	4648	msiexec.exe
Token: SeDebugPrivilege	4648	msiexec.exe
Token: SeAuditPrivilege	4648	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4648	msiexec.exe
Token: SeChangeNotifyPrivilege	4648	msiexec.exe
Token: SeRemoteShutdownPrivilege	4648	msiexec.exe
Token: SeUndockPrivilege	4648	msiexec.exe
Token: SeSyncAgentPrivilege	4648	msiexec.exe
Token: SeEnableDelegationPrivilege	4648	msiexec.exe
Token: SeManageVolumePrivilege	4648	msiexec.exe
Token: SeImpersonatePrivilege	4648	msiexec.exe
Token: SeCreateGlobalPrivilege	4648	msiexec.exe
Token: SeCreateTokenPrivilege	4648	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4648	msiexec.exe
Token: SeLockMemoryPrivilege	4648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4648	msiexec.exe
Token: SeMachineAccountPrivilege	4648	msiexec.exe
Token: SeTcbPrivilege	4648	msiexec.exe
Token: SeSecurityPrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeLoadDriverPrivilege	4648	msiexec.exe
Token: SeSystemProfilePrivilege	4648	msiexec.exe
Token: SeSystemtimePrivilege	4648	msiexec.exe
Token: SeProfSingleProcessPrivilege	4648	msiexec.exe
Token: SeIncBasePriorityPrivilege	4648	msiexec.exe
Token: SeCreatePagefilePrivilege	4648	msiexec.exe
Token: SeCreatePermanentPrivilege	4648	msiexec.exe
Token: SeBackupPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeShutdownPrivilege	4648	msiexec.exe
Token: SeDebugPrivilege	4648	msiexec.exe
Token: SeAuditPrivilege	4648	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4648	msiexec.exe
Token: SeChangeNotifyPrivilege	4648	msiexec.exe
Token: SeRemoteShutdownPrivilege	4648	msiexec.exe
Token: SeUndockPrivilege	4648	msiexec.exe
Token: SeSyncAgentPrivilege	4648	msiexec.exe
Token: SeEnableDelegationPrivilege	4648	msiexec.exe
Token: SeManageVolumePrivilege	4648	msiexec.exe
Token: SeImpersonatePrivilege	4648	msiexec.exe
Token: SeCreateGlobalPrivilege	4648	msiexec.exe
Token: SeCreateTokenPrivilege	4648	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4648	msiexec.exe
Token: SeLockMemoryPrivilege	4648	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
520	ADInfoFreeInstaller.exe
4648	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 4648	520	ADInfoFreeInstaller.exe	81
PID 520 wrote to memory of 4648	520	ADInfoFreeInstaller.exe	81
PID 4084 wrote to memory of 808	4084	msiexec.exe	84
PID 4084 wrote to memory of 808	4084	msiexec.exe	84
PID 4084 wrote to memory of 808	4084	msiexec.exe	84

C:\Users\Admin\AppData\Local\Temp\ADInfoFreeInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ADInfoFreeInstaller.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\Cjwdev\AD Info Free Edition 1.7.92\install\ADInfoFreeInstaller.x64.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ADInfoFreeInstaller.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E26A0D3B184C9858237A60DE32C9C5B9 C
  2⤵
  - Loads dropped DLL
  PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI4E4F.tmp

Filesize
77KB

MD5
7452f56af87d0912c3a06206dc77c0a6

SHA1
5ff38786b61d5061ef0a09a670b98e5d3b961b1d

SHA256
19989417f3f411c8a02aa09f1dd51a7febc530f0f27c8d3f7dd195ba224e6fba

SHA512
e07a612edeb6078f9ed639018a1e22e30dc4b8bf9820f1dadbf405722f32f5e2348ca5585c1d054e857b0644c9d824b44dd64ec4a8d424c2e78aeddc1bc351b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4FB8.tmp

Filesize
270KB

MD5
50a3d9c4c3b6afda98bd6b0c60363175

SHA1
d69ab1b8c51b0282c3b2a02e179bf27128905835

SHA256
4337cdfe01a45f6691cf883b57d5663788fda9a368a1eac989cb16e31f049ac0

SHA512
4824cd07d207608798b17210d196b8fd77ab3f75d3331449cea21c77dd3084deef67feeda029ab2e5f81bdbda1fdfbdb2af7fa753cdcf6292a5702454c232edc

Download Submit
C:\Users\Admin\AppData\Roaming\Cjwdev\AD Info Free Edition 1.7.92\install\ADInfoFreeInstaller.x64.msi

Filesize
551KB

MD5
4d5954581ec2b0b188b980c5c90ccec1

SHA1
79dfbc96f13aef6e7b8b9d3cf8e34a0cde417a6e

SHA256
6b15e67cd01befb0e22133164d62ac6121d050173f83732292db3b4432a48bb1

SHA512
9df918c699be202c60dd6180e367ad5146ed673cb169cbd68446d65ee6d38f2d263e750f988f9565772ec5918fff2ade84db46a7cc7480a6039f54dbf5ba6faa

Download Submit
memory/520-0-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/520-33-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download