Overview (score 10)

Tasks and scores:
- Static: static (score 3)
- Untitled_J...df.exe: windows7-x64 (score 7)
- Untitled_J...df.exe: windows10-2004-x64 (score 7)
- [SYSTEM]/$UpCase.ps1: windows7-x64 (score 3)
- [SYSTEM]/$UpCase.ps1: windows10-2004-x64 (score 3)
- libcrypto-1_1-x64.dll: windows7-x64 (score 10)
- libcrypto-1_1-x64.dll: windows10-2004-x64 (score 10)
- vcruntime140.dll: windows7-x64 (score 1)
- vcruntime140.dll: windows10-2004-x64 (score 1)

Analysis
- max time kernel: 141s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 03-07-2024 17:55
Tasks:
- static1: Static task
- behavioral1: Untitled_June_06_25_2024_export.pdf.exe on win7-20240508-en
- behavioral2: Untitled_June_06_25_2024_export.pdf.exe on win10v2004-20240508-en
- behavioral3: [SYSTEM]/$UpCase.ps1 on win7-20240611-en
- behavioral4: [SYSTEM]/$UpCase.ps1 on win10v2004-20240508-en
- behavioral5: libcrypto-1_1-x64.dll on win7-20240419-en
- behavioral6: libcrypto-1_1-x64.dll on win10v2004-20240508-en
- behavioral7: vcruntime140.dll on win7-20240508-en
- behavioral8: vcruntime140.dll on win10v2004-20240611-en
General

- Target: Untitled_June_06_25_2024_export.pdf.exe
- Size: 801KB
- MD5: 41dcc29d7eaba7b84fd54323394712af
- SHA1: ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
- SHA256: a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
- SHA512: 5a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
- SSDEEP: 6144:xmbuKA33X1rgMuu+xdaXkW+zF6m8XZPELSrPzA:x6XA33X1rTuuyrVZ6m8XGH
Malware Config
Signatures
- Modifies file permissions (1 TTPs, 1 IoCs)
  - PID 2516, ICACLS.EXE

- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  - msiexec.exe opened the following drive roots (read-only): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:

- Drops file in Windows directory (7 IoCs)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI2424.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Logs\DPX\setupact.log (EXPAND.EXE)
  - File opened for modification: C:\Windows\Logs\DPX\setuperr.log (EXPAND.EXE)
  - File created: C:\Windows\Installer\f76229e.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\f76229e.msi (msiexec.exe)
  - File created: C:\Windows\Installer\f7622a1.ipi (msiexec.exe)

- Executes dropped EXE (1 IoCs)
  - PID 2304, setup.exe

- Loads dropped DLL (4 IoCs)
  - PID 1700, MsiExec.exe (4 events)

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 2312, msiexec.exe (2 events)

- Suspicious use of AdjustPrivilegeToken (38 IoCs)
  - PID 2056, msiexec.exe (31 events), tokens in order of occurrence: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - PID 2312, msiexec.exe (7 events), tokens in order of occurrence: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege

- Suspicious use of WriteProcessMemory (27 IoCs)
  - PID 2156 (Untitled_June_06_25_2024_export.pdf.exe) wrote to memory of PID 2056, procid_target 28: 5 events
  - PID 2312 (msiexec.exe) wrote to memory of PID 1700, procid_target 30: 7 events
  - PID 1700 (MsiExec.exe) wrote to memory of PID 2516, procid_target 31: 4 events
  - PID 1700 (MsiExec.exe) wrote to memory of PID 2636, procid_target 33: 4 events
  - PID 1700 (MsiExec.exe) wrote to memory of PID 2304, procid_target 35: 7 events
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\Untitled_June_06_25_2024_export.pdf.exe (PID 2156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Untitled_June_06_25_2024_export.pdf.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\msiexec.exe (PID 2056)
    Command line: msiexec.exe /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi" /Qn
    Signatures: Suspicious use of AdjustPrivilegeToken

- [depth 1] C:\Windows\system32\msiexec.exe (PID 2312)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\syswow64\MsiExec.exe (PID 1700)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 99D06EC1E93459C7CE31D0203C8C54A0
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\ICACLS.EXE (PID 2516)
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-bdcbb176-a5e8-4ea4-861b-dcefbf5119e7\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      Signatures: Modifies file permissions
    - [depth 3] C:\Windows\SysWOW64\EXPAND.EXE (PID 2636)
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      Signatures: Drops file in Windows directory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\MW-bdcbb176-a5e8-4ea4-861b-dcefbf5119e7\files\setup.exe (PID 2304)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-bdcbb176-a5e8-4ea4-861b-dcefbf5119e7\files\setup.exe" /VERYSILENT /VERYSILENT
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.6MB
  MD5: 24cbbd2c70efbb75845548513114317e
  SHA1: bd13f38e7301648b8cea6135a851b8691fda2c27
  SHA256: b31e366ae13a960eb0efbfb5074b0abd1f300151289833d7dfa1a9382bea1855
  SHA512: b7b0e4fa57e17b0da21a85f56f29a711ff226c8a9e95ca59721e4f20e32b9cbd8a5fdf69010e79f8452df5457a055cc2a41f2ad773eaf692680bc39cb8e50ead

- Filesize: 1.3MB
  MD5: 57c5b54337af1acd54c65c5abae694b2
  SHA1: 87b6b5eebf8fa70a42bd2cf192740b7130a521a2
  SHA256: ead264b457fd74737f51a2c4bf5d4679d7e1dcdd1547aca6fe3bf7e117c9d0d8
  SHA512: af10bdc86a45d59d6e46b5cfa942348360c3ac4312d122bf80783673c448861621811a2c3f4446355037b98a67f642cb8ae27945619d0cd32aaeff9656c0982e

- Filesize: 1KB
  MD5: f62e49ca85d38fb65da3cb860beef3c0
  SHA1: 51e46bf08be121f27e545437d32e6fd3ddfb20a2
  SHA256: 5109577d35bc3a477fea7742d688575c764e61a7763c33a202cfd7b29f0fd9db
  SHA512: dd2a52363c6235e69de37efea50eabd34f22bf774455183589908c05b7a97b86c15bcbae65c0b04bc69ad993cc4e12d4890f93cb400ef39f0f8f336dfcff0719

- Filesize: 1KB
  MD5: 8f81aac50833dd3944d1115422f73a80
  SHA1: 49270965c50006649c74d9b29781d9b54dc18d3c
  SHA256: 16b6f93217dd3ec53ccfe8f85b7664dc3df737ee783805bcc735eaba7136a1f6
  SHA512: 86dcf958f1f5149bfa0760af70c819b97ddb5c8a423f2144029f55889fea7fe80c0469a385de302b21d0548b0ebe5a9bfd6313a59ccb731007ce14392c32961c

- Filesize: 208KB
  MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
  SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
  SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
  SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108