a62ef8b3fdece9258ccaa159eb72469dcc67bcdef94281a1079ccb1f3b058c47

Analysis

max time kernel
91s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240708-en
resource tags

arch:x64arch:x86image:win10v2004-20240708-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

38.9MB
MD5

e43590cf5c0bbc73af1d6532e9803258
SHA1

e242676637f8566b26dc2b6bba920a1e950ced5f
SHA256

a62ef8b3fdece9258ccaa159eb72469dcc67bcdef94281a1079ccb1f3b058c47
SHA512

c806030884a7d4d27a13dd8afcb83e97c1d964159e7f612defebcd905db31cda924b2a3efcc8a9f3055747fc939c31b0f2346021ffef2b427ae5ab74253eb3f9
SSDEEP

786432:r8dl217gZe+0fGuKiahOXPRfWkfmy7sf3z4LMTQPa5UQ5bw0Kno4razqEzfBZxYb:YO17gZe+TXQ/8key7/sQS59KzGOEzjxA

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	2512	MSIEXEC.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3604	Setup.exe

Loads dropped DLL 35 IoCs

pid	Process
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe
4552	MsiExec.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfa7c8616	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2512	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2512	MSIEXEC.EXE
Token: SeSecurityPrivilege	4308	msiexec.exe
Token: SeCreateTokenPrivilege	2512	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2512	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2512	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2512	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2512	MSIEXEC.EXE
Token: SeTcbPrivilege	2512	MSIEXEC.EXE
Token: SeSecurityPrivilege	2512	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2512	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2512	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2512	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2512	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2512	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2512	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2512	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2512	MSIEXEC.EXE
Token: SeBackupPrivilege	2512	MSIEXEC.EXE
Token: SeRestorePrivilege	2512	MSIEXEC.EXE
Token: SeShutdownPrivilege	2512	MSIEXEC.EXE
Token: SeDebugPrivilege	2512	MSIEXEC.EXE
Token: SeAuditPrivilege	2512	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2512	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2512	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2512	MSIEXEC.EXE
Token: SeUndockPrivilege	2512	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2512	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2512	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2512	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2512	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2512	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2512	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2512	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2512	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2512	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2512	MSIEXEC.EXE
Token: SeTcbPrivilege	2512	MSIEXEC.EXE
Token: SeSecurityPrivilege	2512	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2512	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2512	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2512	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2512	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2512	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2512	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2512	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2512	MSIEXEC.EXE
Token: SeBackupPrivilege	2512	MSIEXEC.EXE
Token: SeRestorePrivilege	2512	MSIEXEC.EXE
Token: SeShutdownPrivilege	2512	MSIEXEC.EXE
Token: SeDebugPrivilege	2512	MSIEXEC.EXE
Token: SeAuditPrivilege	2512	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2512	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2512	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2512	MSIEXEC.EXE
Token: SeUndockPrivilege	2512	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2512	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2512	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2512	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2512	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2512	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2512	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2512	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2512	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2512	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3604	4760	Setup.exe	83
PID 4760 wrote to memory of 3604	4760	Setup.exe	83
PID 4760 wrote to memory of 3604	4760	Setup.exe	83
PID 3604 wrote to memory of 2512	3604	Setup.exe	84
PID 3604 wrote to memory of 2512	3604	Setup.exe	84
PID 3604 wrote to memory of 2512	3604	Setup.exe	84
PID 4308 wrote to memory of 4552	4308	msiexec.exe	87
PID 4308 wrote to memory of 4552	4308	msiexec.exe	87
PID 4308 wrote to memory of 4552	4308	msiexec.exe	87
PID 2512 wrote to memory of 3364	2512	MSIEXEC.EXE	88
PID 2512 wrote to memory of 3364	2512	MSIEXEC.EXE	88
PID 2512 wrote to memory of 3364	2512	MSIEXEC.EXE	88
PID 3364 wrote to memory of 1772	3364	cmd.exe	90
PID 3364 wrote to memory of 1772	3364	cmd.exe	90
PID 3364 wrote to memory of 1772	3364	cmd.exe	90

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1772	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\{BF8925DB-ED56-4A3E-8FA2-A68E05B08EA9}\Setup.exe
  C:\Users\Admin\AppData\Local\Temp\{BF8925DB-ED56-4A3E-8FA2-A68E05B08EA9}\Setup.exe /q"C:\Users\Admin\AppData\Local\Temp\Setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{BF8925DB-ED56-4A3E-8FA2-A68E05B08EA9}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{BF8925DB-ED56-4A3E-8FA2-A68E05B08EA9}\NetSupport Manager.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Setup.exe"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{CBB68368-7767-4CFF-B3E5-211488346702}\\nsm.lic"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{CBB68368-7767-4CFF-B3E5-211488346702}\\nsm.lic"
        5⤵
        Views/modifies file attributes
        
        PID:1772

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F3BDD99C5908F6347346FD3159CBEF90 C
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DLL_{CBB68368-7767-4CFF-B3E5-211488346702}.ini

Filesize
7KB

MD5
f330e1a07cfd5e79ca030e839af88823

SHA1
bc926e426c2f50c59b33fd8ce2f6453c0265a225

SHA256
cc9b6ec5f9221df30b2b0e058ea7659e31c5a6ed4239cd9f6415a2d0824b0d92

SHA512
f037cafc3d93bd9be927f2aa6d700b49281a577945d252e81779c08cc896e630ef4ff900cf2b8631d18a5a413bad37c30932df7cbdc48b59d0fede11499d83c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI877.tmp

Filesize
169KB

MD5
0e6fda2b8425c9513c774cf29a1bc72d

SHA1
a79ffa24cb5956398ded44da24793a2067b85dd0

SHA256
e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9

SHA512
285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI924.tmp

Filesize
511KB

MD5
d524b639a3a088155981b9b4efa55631

SHA1
39d8eea673c02c1522b110829b93d61310555b98

SHA256
03d91c8cd20b846625a092a3dae6a12369930c65d6216a455a00449ebb0dc289

SHA512
84f8ab54122f93a40da08fd83bca767ab49eb0f73c4ab274d9bda11dd09224134df011fa02e5a3abbafcc6fbef6a60673dd48feabdf829a1e22c85a2a759b7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI944.tmp

Filesize
153KB

MD5
a1b7850763af9593b66ee459a081bddf

SHA1
6e45955fae2b2494902a1b55a3873e542f0f5ce4

SHA256
41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af

SHA512
a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICAC.tmp

Filesize
487KB

MD5
3085d62326cc1ae4ab21489576973621

SHA1
e3c847dee0ecc7176c1168d6d1df9b9e98b19936

SHA256
d2dc425f47d8c80abd8cadbcd8aa53516e7754c371bd3bad3907294a6ca57c5c

SHA512
f993e4e04b348f7eb346d2f3d00fdaed2212f28ba885bbe50c1959737c5b6cab9cfbe17c4aba992521aa0ecdcf5216fa9e6c36a47746077307d32170223a9a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BF8925DB-ED56-4A3E-8FA2-A68E05B08EA9}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BF8925DB-ED56-4A3E-8FA2-A68E05B08EA9}\NetSupport Manager.msi

Filesize
39.7MB

MD5
89cae9bde0f3e1a2d61adbe7bba774d6

SHA1
f46168a1faa5231b68ea5592301d54204d2e7f4d

SHA256
cffb621b1d176998e5bdf49019da3dd6f15c4e5fbac38f24527dfe36a5e595df

SHA512
65aca3ccb33fb50481bd368e25e4cbb54eafdc791e7e083196fed5c3870f7dc0f8c8c1b6ab813a1c9000b25912aa26e73e6e0b0c8fa0bcf934e79cace44e15b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BF8925DB-ED56-4A3E-8FA2-A68E05B08EA9}\Setup.INI

Filesize
5KB

MD5
e3911c00797574a4dc9d8f4bca6673c3

SHA1
f8d56536b5be665d8241f76b419aa5458263d701

SHA256
b13a908d30d4156f6161c912e6d56cfa137324bafd5d3fc88ece04f51751a374

SHA512
11f768ecd8a6d42067831fa85bb5edb5662731345c657f56aa2bea61aebb33fa5777287a6ae4fbb13fc72688d61283bba148158583713755a55859cc3065e3f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BF8925DB-ED56-4A3E-8FA2-A68E05B08EA9}\Setup.exe

Filesize
38.9MB

MD5
e43590cf5c0bbc73af1d6532e9803258

SHA1
e242676637f8566b26dc2b6bba920a1e950ced5f

SHA256
a62ef8b3fdece9258ccaa159eb72469dcc67bcdef94281a1079ccb1f3b058c47

SHA512
c806030884a7d4d27a13dd8afcb83e97c1d964159e7f612defebcd905db31cda924b2a3efcc8a9f3055747fc939c31b0f2346021ffef2b427ae5ab74253eb3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BF8925DB-ED56-4A3E-8FA2-A68E05B08EA9}\_ISMSIDEL.INI

Filesize
592B

MD5
845e53b0d7067ec6e7411423000cc052

SHA1
14a8e85f4bff1ad605ecf0c9967e0276ef7a8298

SHA256
7b158f38edf9a8e54b36c7581afd1cac280351f47af41c8127617649f6e8445d

SHA512
4607c434e4a8047d5212fa4a27ec922ffb1e50bd208bba4ef4bf089d9dbee36922c62701763dab2c534d89d159fe7fcb26dc0f11dc06a450d989c24b9fe3c152

Download Submit