Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
- submitted: 09-07-2024 10:39
- Static task static1
- Behavioral task behavioral1: Sample KeyGen.exe, Resource win7-20240708-en
- Behavioral task behavioral2: Sample KeyGen.exe, Resource win10v2004-20240704-en
- Behavioral task behavioral3: Sample dfxInstall-JRiver-8349.exe, Resource win7-20240708-en
- Behavioral task behavioral4: Sample dfxInstall-JRiver-8349.exe, Resource win10v2004-20240704-en
- Behavioral task behavioral5: Sample 安装说明.url, Resource win7-20240704-en
- Behavioral task behavioral6: Sample 安装说明.url, Resource win10v2004-20240704-en
General
- Target: dfxInstall-JRiver-8349.exe
- Size: 1.6MB
- MD5: 8e5ba3bffb59f1b4399c911f4030c392
- SHA1: eb20ebb81b21163b66c49b6b4bac70ff03ee70d0
- SHA256: 2db0a5790654013033219b1d1942fbe936d2e238ae6171f809f3cc6d7644d1b7
- SHA512: da0efd251302965f88022025284e36de2e2ba6298448736a535a237a843e4a568d5363b988883ee4edd3d2634c7c955eaa0171a19dcadb32bec968eb3853abd2
- SSDEEP: 24576:KpZp6JguRntJqo/WDXA1PAMQDhq3F+TrQO3kIbgLgst84I1bTew3wjuNHhGr:Kt6JgqnDguAMQk+P3mLgsin1bpae2
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid 2876 MsiExec.exe
  pid 2876 MsiExec.exe
- Blocklisted process makes network request (1 IoC)
  flow 3, pid 2156 msiexec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: msiexec.exe
  ioc (each drive root is listed twice, 46 entries in total): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS68fcc30405044a94a8b199bf049b4885_8_349.MSI (Process: dfxInstall-JRiver-8349.exe)
  File opened for modification: C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS68fcc30405044a94a8b199bf049b4885_8_349.MSI (Process: dfxInstall-JRiver-8349.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2156 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token, pid 2240 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  Token, pid 2156 msiexec.exe (the remaining 61 entries repeat these 29 privileges): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2156 msiexec.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2424 (dfxInstall-JRiver-8349.exe) wrote to memory of 2156, procid_target 30 (7 entries)
  PID 2240 (msiexec.exe) wrote to memory of 2876, procid_target 32 (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\dfxInstall-JRiver-8349.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dfxInstall-JRiver-8349.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2424
  - C:\Windows\SysWOW64\msiexec.exe (child of PID 2424)
    Command line: "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS68fcc30405044a94a8b199bf049b4885_8_349.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\dfxInstall-JRiver-8349.exe"
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 2156
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2240
  - C:\Windows\syswow64\MsiExec.exe (child of PID 2240)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1CDFB781A3DF99C7B242C9DEA7FC7CD0 C
    - Loads dropped DLL
    PID: 2876
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS68fcc30405044a94a8b199bf049b4885_8_349.MSI
  Filesize: 1.6MB
  MD5: 8e5bb57a688e267ac0152355ea19bf34
  SHA1: 6ec4d987e54c4cf0c016cab6de9ca31841cc7fdd
  SHA256: 5a5d3d55e3c01691fe2c8edbe9f97cba335a1c2fda064c797408315fa1c8f59d
  SHA512: c3436ff4befc272430258a8f2645607bd6972165102998055226af1b5efcc31d7d238e92d3498d7a69b4b958a5a082630e85b3b42213888428c0e0193dc1222e
- Filesize: 126KB
  MD5: 48a8123016d261e45ee807c0e238a971
  SHA1: d7c8bc1e4d6437697f137cff3eca0e31e49a55cf
  SHA256: 871f195e12ebb609e6179756092a5821e78cbf920c5c3c7da9ceb01aca991a78
  SHA512: a03ed081d740160f92f0f46315e3eff6aa7ac1b6ca65c28be595a802b4d32614cc778d57792b0fbc68ec2ce7382bfcee6c4009226cb2b5428c5819d3b6d5828f