Analysis
max time kernel: 113s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-07-2024 17:55
Static task: static1
Behavioral task behavioral1: Sample Untitled_June_06_25_2024_export.pdf.exe, Resource win7-20240508-en
Behavioral task behavioral2: Sample Untitled_June_06_25_2024_export.pdf.exe, Resource win10v2004-20240508-en
Behavioral task behavioral3: Sample [SYSTEM]/$UpCase.ps1, Resource win7-20240611-en
Behavioral task behavioral4: Sample [SYSTEM]/$UpCase.ps1, Resource win10v2004-20240508-en
Behavioral task behavioral5: Sample libcrypto-1_1-x64.dll, Resource win7-20240419-en
Behavioral task behavioral6: Sample libcrypto-1_1-x64.dll, Resource win10v2004-20240508-en
Behavioral task behavioral7: Sample vcruntime140.dll, Resource win7-20240508-en
Behavioral task behavioral8: Sample vcruntime140.dll, Resource win10v2004-20240611-en
General
Target: Untitled_June_06_25_2024_export.pdf.exe
Size: 801KB
MD5: 41dcc29d7eaba7b84fd54323394712af
SHA1: ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
SHA256: a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
SHA512: 5a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
SSDEEP: 6144:xmbuKA33X1rgMuu+xdaXkW+zF6m8XZPELSrPzA:x6XA33X1rTuuyrVZ6m8XGH
Malware Config
Signatures
Modifies file permissions (1 TTPs, 1 IoCs)
  pid | Process
  2216 | ICACLS.EXE

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: msiexec.exe
  ioc (23 drive roots): \??\K:, \??\N:, \??\P:, \??\Z:, \??\A:, \??\J:, \??\O:, \??\Q:, \??\V:, \??\Y:, \??\B:, \??\E:, \??\X:, \??\U:, \??\W:, \??\I:, \??\L:, \??\M:, \??\R:, \??\S:, \??\T:, \??\G:, \??\H:

Drops file in Windows directory (9 IoCs)
  description | ioc | Process
  File created | C:\Windows\Installer\e577976.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | EXPAND.EXE
  File opened for modification | C:\Windows\Installer\e577976.msi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{5954EC54-3AE7-4C5F-A5C0-2B3335969234} | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI7AAE.tmp | msiexec.exe
  File opened for modification | C:\Windows\LOGS\DPX\setupact.log | EXPAND.EXE

Executes dropped EXE (1 IoCs)
  pid | Process
  2084 | setup.exe

Loads dropped DLL (1 IoCs)
  pid | Process
  2120 | MsiExec.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4268 | msiexec.exe
  4268 | msiexec.exe

Suspicious use of AdjustPrivilegeToken (36 IoCs)
  pid 3996, msiexec.exe (31 entries, in reported order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 4268, msiexec.exe (5 entries, in reported order): SeSecurityPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege

Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 464 wrote to memory of 3996 | 464 | Untitled_June_06_25_2024_export.pdf.exe | 83
  PID 464 wrote to memory of 3996 | 464 | Untitled_June_06_25_2024_export.pdf.exe | 83
  PID 4268 wrote to memory of 2120 | 4268 | msiexec.exe | 86
  PID 4268 wrote to memory of 2120 | 4268 | msiexec.exe | 86
  PID 4268 wrote to memory of 2120 | 4268 | msiexec.exe | 86
  PID 2120 wrote to memory of 2216 | 2120 | MsiExec.exe | 87
  PID 2120 wrote to memory of 2216 | 2120 | MsiExec.exe | 87
  PID 2120 wrote to memory of 2216 | 2120 | MsiExec.exe | 87
  PID 2120 wrote to memory of 3356 | 2120 | MsiExec.exe | 89
  PID 2120 wrote to memory of 3356 | 2120 | MsiExec.exe | 89
  PID 2120 wrote to memory of 3356 | 2120 | MsiExec.exe | 89
  PID 2120 wrote to memory of 2084 | 2120 | MsiExec.exe | 91
  PID 2120 wrote to memory of 2084 | 2120 | MsiExec.exe | 91
  PID 2120 wrote to memory of 2084 | 2120 | MsiExec.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\Untitled_June_06_25_2024_export.pdf.exe (depth 1, PID 464)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Untitled_June_06_25_2024_export.pdf.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\msiexec.exe (depth 2, PID 3996)
    Command line: msiexec.exe /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi" /Qn
    Signatures: Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\msiexec.exe (depth 1, PID 4268)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (depth 2, PID 2120)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 641C5E82CE59320BAFD1AF5D5F807D07
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ICACLS.EXE (depth 3, PID 2216)
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-94662604-9a8c-4107-827f-b92ba5b977a0\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      Signatures: Modifies file permissions
    - C:\Windows\SysWOW64\EXPAND.EXE (depth 3, PID 3356)
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      Signatures: Drops file in Windows directory
    - C:\Users\Admin\AppData\Local\Temp\MW-94662604-9a8c-4107-827f-b92ba5b977a0\files\setup.exe (depth 3, PID 2084)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-94662604-9a8c-4107-827f-b92ba5b977a0\files\setup.exe" /VERYSILENT /VERYSILENT
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads