Analysis

- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2024 11:59
Tasks

- Static task static1
- Behavioral task behavioral1: sample Untitled_June_06_25_2024_export.pdf.exe, resource win7-20240611-en
- Behavioral task behavioral2: sample Untitled_June_06_25_2024_export.pdf.exe, resource win10v2004-20240508-en
- Behavioral task behavioral3: sample [SYSTEM]/$UpCase.ps1, resource win7-20240508-en
- Behavioral task behavioral4: sample [SYSTEM]/$UpCase.ps1, resource win10v2004-20240611-en
- Behavioral task behavioral5: sample libcrypto-1_1-x64.dll, resource win7-20240221-en
- Behavioral task behavioral6: sample libcrypto-1_1-x64.dll, resource win10v2004-20240508-en
- Behavioral task behavioral7: sample vcruntime140.dll, resource win7-20240221-en
- Behavioral task behavioral8: sample vcruntime140.dll, resource win10v2004-20240508-en
General

- Target: Untitled_June_06_25_2024_export.pdf.exe
- Size: 801KB
- MD5: 41dcc29d7eaba7b84fd54323394712af
- SHA1: ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
- SHA256: a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
- SHA512: 5a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
- SSDEEP: 6144:xmbuKA33X1rgMuu+xdaXkW+zF6m8XZPELSrPzA:x6XA33X1rTuuyrVZ6m8XGH
Malware Config

Signatures

- Modifies file permissions (1 TTP, 1 IoC)
  pid 1348  ICACLS.EXE

- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\R:, \??\T:, \??\U:, \??\G:, \??\I:, \??\L:, \??\N:, \??\P:, \??\Z:, \??\B:, \??\E:, \??\Q:, \??\X:, \??\Y:, \??\A:, \??\K:, \??\M:, \??\O:, \??\H:, \??\J:, \??\S:, \??\V:, \??\W:

- Drops file in Windows directory (9 IoCs)
  File created                  C:\Windows\Installer\SourceHash{5954EC54-3AE7-4C5F-A5C0-2B3335969234}  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI4C4B.tmp                                       msiexec.exe
  File opened for modification  C:\Windows\LOGS\DPX\setupact.log                                       EXPAND.EXE
  File opened for modification  C:\Windows\LOGS\DPX\setuperr.log                                       EXPAND.EXE
  File created                  C:\Windows\Installer\e574b03.msi                                       msiexec.exe
  File opened for modification  C:\Windows\Installer\e574b03.msi                                       msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log               msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                  msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                         msiexec.exe

- Executes dropped EXE (1 IoC)
  pid 1380  setup.exe

- Loads dropped DLL (1 IoC)
  pid 2476  MsiExec.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2968  msiexec.exe
  pid 2968  msiexec.exe

- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  msiexec.exe (pid 4732), tokens in order of appearance: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  msiexec.exe (pid 2968), tokens in order of appearance: SeSecurityPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege

- Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   Process                                  procid_target
  PID 4408 wrote to memory of 4732  4408  Untitled_June_06_25_2024_export.pdf.exe  80
  PID 4408 wrote to memory of 4732  4408  Untitled_June_06_25_2024_export.pdf.exe  80
  PID 2968 wrote to memory of 2476  2968  msiexec.exe                              83
  PID 2968 wrote to memory of 2476  2968  msiexec.exe                              83
  PID 2968 wrote to memory of 2476  2968  msiexec.exe                              83
  PID 2476 wrote to memory of 1348  2476  MsiExec.exe                              84
  PID 2476 wrote to memory of 1348  2476  MsiExec.exe                              84
  PID 2476 wrote to memory of 1348  2476  MsiExec.exe                              84
  PID 2476 wrote to memory of 2408  2476  MsiExec.exe                              86
  PID 2476 wrote to memory of 2408  2476  MsiExec.exe                              86
  PID 2476 wrote to memory of 2408  2476  MsiExec.exe                              86
  PID 2476 wrote to memory of 1380  2476  MsiExec.exe                              88
  PID 2476 wrote to memory of 1380  2476  MsiExec.exe                              88
  PID 2476 wrote to memory of 1380  2476  MsiExec.exe                              88
Processes

- C:\Users\Admin\AppData\Local\Temp\Untitled_June_06_25_2024_export.pdf.exe (PID 4408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Untitled_June_06_25_2024_export.pdf.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\msiexec.exe (PID 4732)
    Command line: msiexec.exe /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi" /Qn
    Signatures: Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\msiexec.exe (PID 2968)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2476)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 21D8EF1E48C0B0698968028E5CE5425D
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ICACLS.EXE (PID 1348)
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-8cefa28c-f45a-4bde-bb70-06342f7391e3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      Signatures: Modifies file permissions
    - C:\Windows\SysWOW64\EXPAND.EXE (PID 2408)
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      Signatures: Drops file in Windows directory
    - C:\Users\Admin\AppData\Local\Temp\MW-8cefa28c-f45a-4bde-bb70-06342f7391e3\files\setup.exe (PID 1380)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-8cefa28c-f45a-4bde-bb70-06342f7391e3\files\setup.exe" /VERYSILENT /VERYSILENT
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.6MB
  MD5: 24cbbd2c70efbb75845548513114317e
  SHA1: bd13f38e7301648b8cea6135a851b8691fda2c27
  SHA256: b31e366ae13a960eb0efbfb5074b0abd1f300151289833d7dfa1a9382bea1855
  SHA512: b7b0e4fa57e17b0da21a85f56f29a711ff226c8a9e95ca59721e4f20e32b9cbd8a5fdf69010e79f8452df5457a055cc2a41f2ad773eaf692680bc39cb8e50ead

- Filesize: 1.3MB
  MD5: 57c5b54337af1acd54c65c5abae694b2
  SHA1: 87b6b5eebf8fa70a42bd2cf192740b7130a521a2
  SHA256: ead264b457fd74737f51a2c4bf5d4679d7e1dcdd1547aca6fe3bf7e117c9d0d8
  SHA512: af10bdc86a45d59d6e46b5cfa942348360c3ac4312d122bf80783673c448861621811a2c3f4446355037b98a67f642cb8ae27945619d0cd32aaeff9656c0982e

- Filesize: 1KB
  MD5: 13b94853c520e0dbcf2f0d7ea7676a17
  SHA1: 0d5d63caa140a0fa51bc0fbbe9c5e329c2b00929
  SHA256: 7cc61ce032d4acdf91613a9729910f1f677e6c166f70f762bd94b1ce432aa0f0
  SHA512: f91729d3e3fe1501f3070d746994f61199236daac758e55ebd43ee42457889848b0fe64640325601d12223cee43b1c364536d1b006fe710d5c6d68d942cd4e2c

- Filesize: 208KB
  MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
  SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
  SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
  SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108