Analysis

| Field | Value |
|---|---|
| max time kernel | 93s |
| max time network | 97s |
| platform | windows10-2004_x64 |
| resource | win10v2004-20240704-en |
| resource tags | arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system |
| submitted | 09-07-2024 10:39 |

| Task | Sample | Resource |
|---|---|---|
| Static task static1 | | |
| Behavioral task behavioral1 | KeyGen.exe | win7-20240708-en |
| Behavioral task behavioral2 | KeyGen.exe | win10v2004-20240704-en |
| Behavioral task behavioral3 | dfxInstall-JRiver-8349.exe | win7-20240708-en |
| Behavioral task behavioral4 | dfxInstall-JRiver-8349.exe | win10v2004-20240704-en |
| Behavioral task behavioral5 | 安装说明.url | win7-20240704-en |
| Behavioral task behavioral6 | 安装说明.url | win10v2004-20240704-en |
General

| Field | Value |
|---|---|
| Target | dfxInstall-JRiver-8349.exe |
| Size | 1.6MB |
| MD5 | 8e5ba3bffb59f1b4399c911f4030c392 |
| SHA1 | eb20ebb81b21163b66c49b6b4bac70ff03ee70d0 |
| SHA256 | 2db0a5790654013033219b1d1942fbe936d2e238ae6171f809f3cc6d7644d1b7 |
| SHA512 | da0efd251302965f88022025284e36de2e2ba6298448736a535a237a843e4a568d5363b988883ee4edd3d2634c7c955eaa0171a19dcadb32bec968eb3853abd2 |
| SSDEEP | 24576:KpZp6JguRntJqo/WDXA1PAMQDhq3F+TrQO3kIbgLgst84I1bTew3wjuNHhGr:Kt6JgqnDguAMQk+P3mLgsin1bpae2 |
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation | dfxInstall-JRiver-8349.exe |

Loads dropped DLL (2 IoCs)

| pid | Process |
|---|---|
| 1076 | MsiExec.exe |
| 1076 | MsiExec.exe |

Blocklisted process makes network request (3 IoCs)

| flow | pid | Process |
|---|---|---|
| 2 | 2460 | msiexec.exe |
| 7 | 2460 | msiexec.exe |
| 9 | 2460 | msiexec.exe |
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\G: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\G: | msiexec.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
Drops file in Program Files directory (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS68fcc30405044a94a8b199bf049b4885_8_349.MSI | dfxInstall-JRiver-8349.exe |
| File opened for modification | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS68fcc30405044a94a8b199bf049b4885_8_349.MSI | dfxInstall-JRiver-8349.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeShutdownPrivilege | 2460 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 2460 | msiexec.exe |
| Token: SeSecurityPrivilege | 1960 | msiexec.exe |
| Token: SeCreateTokenPrivilege | 2460 | msiexec.exe |
| Token: SeAssignPrimaryTokenPrivilege | 2460 | msiexec.exe |
| Token: SeLockMemoryPrivilege | 2460 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 2460 | msiexec.exe |
| Token: SeMachineAccountPrivilege | 2460 | msiexec.exe |
| Token: SeTcbPrivilege | 2460 | msiexec.exe |
| Token: SeSecurityPrivilege | 2460 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2460 | msiexec.exe |
| Token: SeLoadDriverPrivilege | 2460 | msiexec.exe |
| Token: SeSystemProfilePrivilege | 2460 | msiexec.exe |
| Token: SeSystemtimePrivilege | 2460 | msiexec.exe |
| Token: SeProfSingleProcessPrivilege | 2460 | msiexec.exe |
| Token: SeIncBasePriorityPrivilege | 2460 | msiexec.exe |
| Token: SeCreatePagefilePrivilege | 2460 | msiexec.exe |
| Token: SeCreatePermanentPrivilege | 2460 | msiexec.exe |
| Token: SeBackupPrivilege | 2460 | msiexec.exe |
| Token: SeRestorePrivilege | 2460 | msiexec.exe |
| Token: SeShutdownPrivilege | 2460 | msiexec.exe |
| Token: SeDebugPrivilege | 2460 | msiexec.exe |
| Token: SeAuditPrivilege | 2460 | msiexec.exe |
| Token: SeSystemEnvironmentPrivilege | 2460 | msiexec.exe |
| Token: SeChangeNotifyPrivilege | 2460 | msiexec.exe |
| Token: SeRemoteShutdownPrivilege | 2460 | msiexec.exe |
| Token: SeUndockPrivilege | 2460 | msiexec.exe |
| Token: SeSyncAgentPrivilege | 2460 | msiexec.exe |
| Token: SeEnableDelegationPrivilege | 2460 | msiexec.exe |
| Token: SeManageVolumePrivilege | 2460 | msiexec.exe |
| Token: SeImpersonatePrivilege | 2460 | msiexec.exe |
| Token: SeCreateGlobalPrivilege | 2460 | msiexec.exe |
| Token: SeCreateTokenPrivilege | 2460 | msiexec.exe |
| Token: SeAssignPrimaryTokenPrivilege | 2460 | msiexec.exe |
| Token: SeLockMemoryPrivilege | 2460 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 2460 | msiexec.exe |
| Token: SeMachineAccountPrivilege | 2460 | msiexec.exe |
| Token: SeTcbPrivilege | 2460 | msiexec.exe |
| Token: SeSecurityPrivilege | 2460 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2460 | msiexec.exe |
| Token: SeLoadDriverPrivilege | 2460 | msiexec.exe |
| Token: SeSystemProfilePrivilege | 2460 | msiexec.exe |
| Token: SeSystemtimePrivilege | 2460 | msiexec.exe |
| Token: SeProfSingleProcessPrivilege | 2460 | msiexec.exe |
| Token: SeIncBasePriorityPrivilege | 2460 | msiexec.exe |
| Token: SeCreatePagefilePrivilege | 2460 | msiexec.exe |
| Token: SeCreatePermanentPrivilege | 2460 | msiexec.exe |
| Token: SeBackupPrivilege | 2460 | msiexec.exe |
| Token: SeRestorePrivilege | 2460 | msiexec.exe |
| Token: SeShutdownPrivilege | 2460 | msiexec.exe |
| Token: SeDebugPrivilege | 2460 | msiexec.exe |
| Token: SeAuditPrivilege | 2460 | msiexec.exe |
| Token: SeSystemEnvironmentPrivilege | 2460 | msiexec.exe |
| Token: SeChangeNotifyPrivilege | 2460 | msiexec.exe |
| Token: SeRemoteShutdownPrivilege | 2460 | msiexec.exe |
| Token: SeUndockPrivilege | 2460 | msiexec.exe |
| Token: SeSyncAgentPrivilege | 2460 | msiexec.exe |
| Token: SeEnableDelegationPrivilege | 2460 | msiexec.exe |
| Token: SeManageVolumePrivilege | 2460 | msiexec.exe |
| Token: SeImpersonatePrivilege | 2460 | msiexec.exe |
| Token: SeCreateGlobalPrivilege | 2460 | msiexec.exe |
| Token: SeCreateTokenPrivilege | 2460 | msiexec.exe |
| Token: SeAssignPrimaryTokenPrivilege | 2460 | msiexec.exe |
| Token: SeLockMemoryPrivilege | 2460 | msiexec.exe |
Suspicious use of FindShellTrayWindow (1 IoC)

| pid | Process |
|---|---|
| 2460 | msiexec.exe |

Suspicious use of WriteProcessMemory (6 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1408 wrote to memory of 2460 | 1408 | dfxInstall-JRiver-8349.exe | 84 |
| PID 1408 wrote to memory of 2460 | 1408 | dfxInstall-JRiver-8349.exe | 84 |
| PID 1408 wrote to memory of 2460 | 1408 | dfxInstall-JRiver-8349.exe | 84 |
| PID 1960 wrote to memory of 1076 | 1960 | msiexec.exe | 89 |
| PID 1960 wrote to memory of 1076 | 1960 | msiexec.exe | 89 |
| PID 1960 wrote to memory of 1076 | 1960 | msiexec.exe | 89 |
Processes

- C:\Users\Admin\AppData\Local\Temp\dfxInstall-JRiver-8349.exe (PID 1408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dfxInstall-JRiver-8349.exe"
  Signatures: Checks computer location settings; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (PID 2460)
    Command line: "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS68fcc30405044a94a8b199bf049b4885_8_349.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\dfxInstall-JRiver-8349.exe"
    Signatures: Blocklisted process makes network request; Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 1960)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1076)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding AB99996C93C56E9AA0AA1EEE7BA82887 C
    Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS68fcc30405044a94a8b199bf049b4885_8_349.MSI

| Field | Value |
|---|---|
| Filesize | 1.6MB |
| MD5 | 8e5bb57a688e267ac0152355ea19bf34 |
| SHA1 | 6ec4d987e54c4cf0c016cab6de9ca31841cc7fdd |
| SHA256 | 5a5d3d55e3c01691fe2c8edbe9f97cba335a1c2fda064c797408315fa1c8f59d |
| SHA512 | c3436ff4befc272430258a8f2645607bd6972165102998055226af1b5efcc31d7d238e92d3498d7a69b4b958a5a082630e85b3b42213888428c0e0193dc1222e |

| Field | Value |
|---|---|
| Filesize | 126KB |
| MD5 | 48a8123016d261e45ee807c0e238a971 |
| SHA1 | d7c8bc1e4d6437697f137cff3eca0e31e49a55cf |
| SHA256 | 871f195e12ebb609e6179756092a5821e78cbf920c5c3c7da9ceb01aca991a78 |
| SHA512 | a03ed081d740160f92f0f46315e3eff6aa7ac1b6ca65c28be595a802b4d32614cc778d57792b0fbc68ec2ce7382bfcee6c4009226cb2b5428c5819d3b6d5828f |