Analysis

- max time kernel: 141s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 05-07-2024 17:36
Tasks

- Static task static1
- Behavioral task behavioral1: sample Untitled_June_06_25_2024_export.pdf.exe, resource win7-20240508-en
- Behavioral task behavioral2: sample Untitled_June_06_25_2024_export.pdf.exe, resource win10v2004-20240508-en
- Behavioral task behavioral3: sample [SYSTEM]/$UpCase.ps1, resource win7-20240508-en
- Behavioral task behavioral4: sample [SYSTEM]/$UpCase.ps1, resource win10v2004-20240704-en
- Behavioral task behavioral5: sample libcrypto-1_1-x64.dll, resource win7-20240705-en
- Behavioral task behavioral6: sample libcrypto-1_1-x64.dll, resource win10v2004-20240704-en
- Behavioral task behavioral7: sample vcruntime140.dll, resource win7-20240221-en
- Behavioral task behavioral8: sample vcruntime140.dll, resource win10v2004-20240704-en
General

- Target: Untitled_June_06_25_2024_export.pdf.exe
- Size: 801KB
- MD5: 41dcc29d7eaba7b84fd54323394712af
- SHA1: ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
- SHA256: a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
- SHA512: 5a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
- SSDEEP: 6144:xmbuKA33X1rgMuu+xdaXkW+zF6m8XZPELSrPzA:x6XA33X1rTuuyrVZ6m8XGH
Malware Config
Signatures

Modifies file permissions (1 TTP, 1 IoC)

  PID   Process
  2532  ICACLS.EXE

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

  Description              IoC     Process
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe

Drops file in Windows directory (7 IoCs)

  Description                   IoC                               Process
  File opened for modification  C:\Windows\Installer\             msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI2730.tmp  msiexec.exe
  File opened for modification  C:\Windows\Logs\DPX\setupact.log  EXPAND.EXE
  File opened for modification  C:\Windows\Logs\DPX\setuperr.log  EXPAND.EXE
  File created                  C:\Windows\Installer\f7625e8.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\f7625e8.msi  msiexec.exe
  File created                  C:\Windows\Installer\f7625eb.ipi  msiexec.exe

Executes dropped EXE (1 IoC)

  PID   Process
  2836  setup.exe

Loads dropped DLL (4 IoCs)

  PID   Process
  2192  MsiExec.exe
  2192  MsiExec.exe
  2192  MsiExec.exe
  2192  MsiExec.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)

  PID   Process
  1452  msiexec.exe
  1452  msiexec.exe

Suspicious use of AdjustPrivilegeToken (38 IoCs)

  Description (Token)                   PID   Process
  SeShutdownPrivilege                   2196  msiexec.exe
  SeIncreaseQuotaPrivilege              2196  msiexec.exe
  SeRestorePrivilege                    1452  msiexec.exe
  SeTakeOwnershipPrivilege              1452  msiexec.exe
  SeSecurityPrivilege                   1452  msiexec.exe
  SeCreateTokenPrivilege                2196  msiexec.exe
  SeAssignPrimaryTokenPrivilege         2196  msiexec.exe
  SeLockMemoryPrivilege                 2196  msiexec.exe
  SeIncreaseQuotaPrivilege              2196  msiexec.exe
  SeMachineAccountPrivilege             2196  msiexec.exe
  SeTcbPrivilege                        2196  msiexec.exe
  SeSecurityPrivilege                   2196  msiexec.exe
  SeTakeOwnershipPrivilege              2196  msiexec.exe
  SeLoadDriverPrivilege                 2196  msiexec.exe
  SeSystemProfilePrivilege              2196  msiexec.exe
  SeSystemtimePrivilege                 2196  msiexec.exe
  SeProfSingleProcessPrivilege          2196  msiexec.exe
  SeIncBasePriorityPrivilege            2196  msiexec.exe
  SeCreatePagefilePrivilege             2196  msiexec.exe
  SeCreatePermanentPrivilege            2196  msiexec.exe
  SeBackupPrivilege                     2196  msiexec.exe
  SeRestorePrivilege                    2196  msiexec.exe
  SeShutdownPrivilege                   2196  msiexec.exe
  SeDebugPrivilege                      2196  msiexec.exe
  SeAuditPrivilege                      2196  msiexec.exe
  SeSystemEnvironmentPrivilege          2196  msiexec.exe
  SeChangeNotifyPrivilege               2196  msiexec.exe
  SeRemoteShutdownPrivilege             2196  msiexec.exe
  SeUndockPrivilege                     2196  msiexec.exe
  SeSyncAgentPrivilege                  2196  msiexec.exe
  SeEnableDelegationPrivilege           2196  msiexec.exe
  SeManageVolumePrivilege               2196  msiexec.exe
  SeImpersonatePrivilege                2196  msiexec.exe
  SeCreateGlobalPrivilege               2196  msiexec.exe
  SeRestorePrivilege                    1452  msiexec.exe
  SeTakeOwnershipPrivilege              1452  msiexec.exe
  SeRestorePrivilege                    1452  msiexec.exe
  SeTakeOwnershipPrivilege              1452  msiexec.exe

Suspicious use of WriteProcessMemory (27 IoCs)

  Description                       PID   Process                                  procid_target
  PID 2416 wrote to memory of 2196  2416  Untitled_June_06_25_2024_export.pdf.exe  28
  PID 2416 wrote to memory of 2196  2416  Untitled_June_06_25_2024_export.pdf.exe  28
  PID 2416 wrote to memory of 2196  2416  Untitled_June_06_25_2024_export.pdf.exe  28
  PID 2416 wrote to memory of 2196  2416  Untitled_June_06_25_2024_export.pdf.exe  28
  PID 2416 wrote to memory of 2196  2416  Untitled_June_06_25_2024_export.pdf.exe  28
  PID 1452 wrote to memory of 2192  1452  msiexec.exe                              30
  PID 1452 wrote to memory of 2192  1452  msiexec.exe                              30
  PID 1452 wrote to memory of 2192  1452  msiexec.exe                              30
  PID 1452 wrote to memory of 2192  1452  msiexec.exe                              30
  PID 1452 wrote to memory of 2192  1452  msiexec.exe                              30
  PID 1452 wrote to memory of 2192  1452  msiexec.exe                              30
  PID 1452 wrote to memory of 2192  1452  msiexec.exe                              30
  PID 2192 wrote to memory of 2532  2192  MsiExec.exe                              31
  PID 2192 wrote to memory of 2532  2192  MsiExec.exe                              31
  PID 2192 wrote to memory of 2532  2192  MsiExec.exe                              31
  PID 2192 wrote to memory of 2532  2192  MsiExec.exe                              31
  PID 2192 wrote to memory of 2996  2192  MsiExec.exe                              33
  PID 2192 wrote to memory of 2996  2192  MsiExec.exe                              33
  PID 2192 wrote to memory of 2996  2192  MsiExec.exe                              33
  PID 2192 wrote to memory of 2996  2192  MsiExec.exe                              33
  PID 2192 wrote to memory of 2836  2192  MsiExec.exe                              35
  PID 2192 wrote to memory of 2836  2192  MsiExec.exe                              35
  PID 2192 wrote to memory of 2836  2192  MsiExec.exe                              35
  PID 2192 wrote to memory of 2836  2192  MsiExec.exe                              35
  PID 2192 wrote to memory of 2836  2192  MsiExec.exe                              35
  PID 2192 wrote to memory of 2836  2192  MsiExec.exe                              35
  PID 2192 wrote to memory of 2836  2192  MsiExec.exe                              35
Processes

(Depth 1)
Image: C:\Users\Admin\AppData\Local\Temp\Untitled_June_06_25_2024_export.pdf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Untitled_June_06_25_2024_export.pdf.exe"
PID: 2416
- Suspicious use of WriteProcessMemory

    (Depth 2)
    Image: C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi" /Qn
    PID: 2196
    - Suspicious use of AdjustPrivilegeToken

(Depth 1)
Image: C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID: 1452
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    (Depth 2)
    Image: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding ADAAC12E03154E3CF3FCA1D07DA74B1B
    PID: 2192
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

        (Depth 3)
        Image: C:\Windows\SysWOW64\ICACLS.EXE
        Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-81d2e121-63a2-4d5e-b857-ad8e891d9bb4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        PID: 2532
        - Modifies file permissions

        (Depth 3)
        Image: C:\Windows\SysWOW64\EXPAND.EXE
        Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        PID: 2996
        - Drops file in Windows directory

        (Depth 3)
        Image: C:\Users\Admin\AppData\Local\Temp\MW-81d2e121-63a2-4d5e-b857-ad8e891d9bb4\files\setup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MW-81d2e121-63a2-4d5e-b857-ad8e891d9bb4\files\setup.exe" /VERYSILENT /VERYSILENT
        PID: 2836
        - Executes dropped EXE
Downloads