79d7036b030dcaaec258637b01dbc4f9786d6777afe85f6fe397d6034e2f4806

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Untitled_June_06_25_2024_export.pdf.exe
Size

801KB
MD5

41dcc29d7eaba7b84fd54323394712af
SHA1

ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
SHA256

a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
SHA512

5a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
SSDEEP

6144:xmbuKA33X1rgMuu+xdaXkW+zF6m8XZPELSrPzA:x6XA33X1rTuuyrVZ6m8XGH

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4704	ICACLS.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5072.tmp	msiexec.exe
File created	C:\Windows\Installer\e574fb6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e574fb6.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5954EC54-3AE7-4C5F-A5C0-2B3335969234}	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
5068	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
3596	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2156	msiexec.exe
2156	msiexec.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2732	msiexec.exe
Token: SeSecurityPrivilege	2156	msiexec.exe
Token: SeCreateTokenPrivilege	2732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2732	msiexec.exe
Token: SeLockMemoryPrivilege	2732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2732	msiexec.exe
Token: SeMachineAccountPrivilege	2732	msiexec.exe
Token: SeTcbPrivilege	2732	msiexec.exe
Token: SeSecurityPrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeLoadDriverPrivilege	2732	msiexec.exe
Token: SeSystemProfilePrivilege	2732	msiexec.exe
Token: SeSystemtimePrivilege	2732	msiexec.exe
Token: SeProfSingleProcessPrivilege	2732	msiexec.exe
Token: SeIncBasePriorityPrivilege	2732	msiexec.exe
Token: SeCreatePagefilePrivilege	2732	msiexec.exe
Token: SeCreatePermanentPrivilege	2732	msiexec.exe
Token: SeBackupPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeShutdownPrivilege	2732	msiexec.exe
Token: SeDebugPrivilege	2732	msiexec.exe
Token: SeAuditPrivilege	2732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2732	msiexec.exe
Token: SeChangeNotifyPrivilege	2732	msiexec.exe
Token: SeRemoteShutdownPrivilege	2732	msiexec.exe
Token: SeUndockPrivilege	2732	msiexec.exe
Token: SeSyncAgentPrivilege	2732	msiexec.exe
Token: SeEnableDelegationPrivilege	2732	msiexec.exe
Token: SeManageVolumePrivilege	2732	msiexec.exe
Token: SeImpersonatePrivilege	2732	msiexec.exe
Token: SeCreateGlobalPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2156	msiexec.exe
Token: SeTakeOwnershipPrivilege	2156	msiexec.exe
Token: SeRestorePrivilege	2156	msiexec.exe
Token: SeTakeOwnershipPrivilege	2156	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2732	1488	Untitled_June_06_25_2024_export.pdf.exe	80
PID 1488 wrote to memory of 2732	1488	Untitled_June_06_25_2024_export.pdf.exe	80
PID 2156 wrote to memory of 3596	2156	msiexec.exe	83
PID 2156 wrote to memory of 3596	2156	msiexec.exe	83
PID 2156 wrote to memory of 3596	2156	msiexec.exe	83
PID 3596 wrote to memory of 4704	3596	MsiExec.exe	84
PID 3596 wrote to memory of 4704	3596	MsiExec.exe	84
PID 3596 wrote to memory of 4704	3596	MsiExec.exe	84
PID 3596 wrote to memory of 4192	3596	MsiExec.exe	86
PID 3596 wrote to memory of 4192	3596	MsiExec.exe	86
PID 3596 wrote to memory of 4192	3596	MsiExec.exe	86
PID 3596 wrote to memory of 5068	3596	MsiExec.exe	88
PID 3596 wrote to memory of 5068	3596	MsiExec.exe	88
PID 3596 wrote to memory of 5068	3596	MsiExec.exe	88

C:\Users\Admin\AppData\Local\Temp\Untitled_June_06_25_2024_export.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Untitled_June_06_25_2024_export.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SYSTEM32\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi" /Qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 905611AC411E0B8069486C6522E6C483
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-033956ed-4f98-421a-a40b-be1354427248\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4704
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4192
- - C:\Users\Admin\AppData\Local\Temp\MW-033956ed-4f98-421a-a40b-be1354427248\files\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-033956ed-4f98-421a-a40b-be1354427248\files\setup.exe" /VERYSILENT /VERYSILENT
    3⤵
    - Executes dropped EXE
    PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi

Filesize
1.6MB

MD5
24cbbd2c70efbb75845548513114317e

SHA1
bd13f38e7301648b8cea6135a851b8691fda2c27

SHA256
b31e366ae13a960eb0efbfb5074b0abd1f300151289833d7dfa1a9382bea1855

SHA512
b7b0e4fa57e17b0da21a85f56f29a711ff226c8a9e95ca59721e4f20e32b9cbd8a5fdf69010e79f8452df5457a055cc2a41f2ad773eaf692680bc39cb8e50ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-033956ed-4f98-421a-a40b-be1354427248\files.cab

Filesize
1.3MB

MD5
57c5b54337af1acd54c65c5abae694b2

SHA1
87b6b5eebf8fa70a42bd2cf192740b7130a521a2

SHA256
ead264b457fd74737f51a2c4bf5d4679d7e1dcdd1547aca6fe3bf7e117c9d0d8

SHA512
af10bdc86a45d59d6e46b5cfa942348360c3ac4312d122bf80783673c448861621811a2c3f4446355037b98a67f642cb8ae27945619d0cd32aaeff9656c0982e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-033956ed-4f98-421a-a40b-be1354427248\msiwrapper.ini

Filesize
1KB

MD5
33090cc4cc5e617faa8bdd7dca41c907

SHA1
56643d5744e3870c57488c08fe6dfd807c334de6

SHA256
bf962e36c7d8f9ef460a647e86e57989f1fb7fe4fc30feac1ad0f3bf5250954c

SHA512
d4bd857b8a00bec0c3f7f97fb8f0b8a701d5967da2341f29d7f7e7a35f9404630c3b66153a30000917ade84696295bfa2b21ae321e4f16663dc0839c03303442

Download Submit
C:\Windows\Installer\MSI5072.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit