c09bddfad1d24fe750af2c52dee8ef8d8a559b53e5d495373084da8267ab4de6

General

Target

MultiIE.v3.0.ARM.Cracked/MultiIE-v3.0-d50_DesktopInstall.exe
Size

479KB
MD5

ddfb3db80e87642978385ed71fc8df13
SHA1

7a0c2b09bfc0c5dee84f059edc4bfcce07ab3249
SHA256

4214d61f2bf859ce0995befb6773ffc669215244070330d62c884fd9f4b6b1cd
SHA512

5f72fa891dac4c7e848c019d890c99e8fbca745474289c25ca81bb1648333a7756518794d34267b185f615dd8a0ceda888513a7f8f6ade19d77cdd43d9da6d69
SSDEEP

12288:UH78462Xg6rAsn7+bYywNvvXKkrUmUMkcasqA18S:Q84o0d7+bYh7DzduS

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2816	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2816	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2816	MSIEXEC.EXE
Token: SeRestorePrivilege	2660	msiexec.exe
Token: SeTakeOwnershipPrivilege	2660	msiexec.exe
Token: SeSecurityPrivilege	2660	msiexec.exe
Token: SeCreateTokenPrivilege	2816	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2816	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2816	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2816	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2816	MSIEXEC.EXE
Token: SeTcbPrivilege	2816	MSIEXEC.EXE
Token: SeSecurityPrivilege	2816	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2816	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2816	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2816	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2816	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2816	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2816	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2816	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2816	MSIEXEC.EXE
Token: SeBackupPrivilege	2816	MSIEXEC.EXE
Token: SeRestorePrivilege	2816	MSIEXEC.EXE
Token: SeShutdownPrivilege	2816	MSIEXEC.EXE
Token: SeDebugPrivilege	2816	MSIEXEC.EXE
Token: SeAuditPrivilege	2816	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2816	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2816	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2816	MSIEXEC.EXE
Token: SeUndockPrivilege	2816	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2816	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2816	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2816	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2816	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2816	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2816	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2816	1984	MultiIE-v3.0-d50_DesktopInstall.exe	30
PID 1984 wrote to memory of 2816	1984	MultiIE-v3.0-d50_DesktopInstall.exe	30
PID 1984 wrote to memory of 2816	1984	MultiIE-v3.0-d50_DesktopInstall.exe	30
PID 1984 wrote to memory of 2816	1984	MultiIE-v3.0-d50_DesktopInstall.exe	30
PID 1984 wrote to memory of 2816	1984	MultiIE-v3.0-d50_DesktopInstall.exe	30
PID 1984 wrote to memory of 2816	1984	MultiIE-v3.0-d50_DesktopInstall.exe	30
PID 1984 wrote to memory of 2816	1984	MultiIE-v3.0-d50_DesktopInstall.exe	30

C:\Users\Admin\AppData\Local\Temp\MultiIE.v3.0.ARM.Cracked\MultiIE-v3.0-d50_DesktopInstall.exe
"C:\Users\Admin\AppData\Local\Temp\MultiIE.v3.0.ARM.Cracked\MultiIE-v3.0-d50_DesktopInstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\_is75CD\Southway Corporation MultiIE v3.00-d0050.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2816

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is75CD\0x0409.ini

Filesize
3KB

MD5
4432abda2ebb20d9e3d8e76817160b30

SHA1
4030a825bbdbc5e895f42a23c17267a26ba6a435

SHA256
54acb1883dfb41543b6d508c7a34d74eb7b26771e10c0a9eb364b8b45e3aa110

SHA512
e30a8dd987b0897a7b7ca0f53c9056743b1ce24a711d445c155c0c8132a075c0c063fd2af8022ed1521898bddb74cb38ea168257bb9c20877a5a83f7a52b89ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is75CD\Setup.INI

Filesize
829B

MD5
4ef526aa04579d5081230366141cf343

SHA1
db87235c10e3b3ecf5c9b604aa94d752151b7894

SHA256
66a43d9982f1a2df69f9b1848ef82fd7d764932e655fb499add9b19558d7c5c6

SHA512
d561c421f100f03f1646cafc99acb876cb466b730dbbde2feb532725a32fda52af3819a3f3479f8b2fbc6397eab8f8256166447f5c804fc1b6563da751379d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is75CD\Southway Corporation MultiIE v3.00-d0050.msi

Filesize
198KB

MD5
b03343b59548abb421e867b91c8371ba

SHA1
cb01ac024ef2d669e7e2c1368664313891a04c82

SHA256
ab4dcb6d2eaf0c74f57eac8fd145cb70853ce267ca2cfbd4a50c3948f5e11a70

SHA512
75a46d0f86c3bcfb8a86c9920c42c89baa8aa8fbf259b6b6d0a776304cdc564e93ccda1afff376b08851ca598f89e1a02d1cc4b5b1a331c9a00b107152dd8edc

Download Submit

Analysis

Sharing