Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 17:53
Static task: static1
Behavioral task behavioral1: Sample HTTPDebuggerPro.msi, Resource win7-20240704-en
Behavioral task behavioral2: Sample HTTPDebuggerPro.msi, Resource win10v2004-20240709-en
General
Target: HTTPDebuggerPro.msi
Size: 10.4MB
MD5: da7e08ef168ee4662ff1878202303a36
SHA1: df3bc617162a0f5f5e854403f5dc1e00e093e498
SHA256: ed9e8f5fda10a14fbce76252b111a031bc4f3351e9eb342ea4edf6b6d16add69
SHA512: bd248c68077a6aa1d6120cd3401770b09762cd75010a30b40cdd46196c726bce2fffa9036a2e3f47bbdbe4b935b9252c7ea38f4947d5ef187831d274a13b8974
SSDEEP: 196608:I0juQ6vXkAs3lJiZvWFsd0EMdPfR9kngqVepxvwyd+wNQ3jOPw8pJN6sR:I0jT6vXj2I+FifM5Bqcvvu3jgJN6sR
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
flow  pid   Process
2     2956  msiexec.exe
4     2956  msiexec.exe
6     2956  msiexec.exe
8     2956  msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process      count
File opened (read-only)  \??\A:  msiexec.exe  2
File opened (read-only)  \??\B:  msiexec.exe  2
File opened (read-only)  \??\E:  msiexec.exe  2
File opened (read-only)  \??\G:  msiexec.exe  2
File opened (read-only)  \??\H:  msiexec.exe  2
File opened (read-only)  \??\I:  msiexec.exe  2
File opened (read-only)  \??\J:  msiexec.exe  2
File opened (read-only)  \??\K:  msiexec.exe  2
File opened (read-only)  \??\L:  msiexec.exe  2
File opened (read-only)  \??\M:  msiexec.exe  2
File opened (read-only)  \??\N:  msiexec.exe  2
File opened (read-only)  \??\O:  msiexec.exe  2
File opened (read-only)  \??\P:  msiexec.exe  2
File opened (read-only)  \??\Q:  msiexec.exe  2
File opened (read-only)  \??\R:  msiexec.exe  2
File opened (read-only)  \??\S:  msiexec.exe  2
File opened (read-only)  \??\T:  msiexec.exe  2
File opened (read-only)  \??\U:  msiexec.exe  2
File opened (read-only)  \??\V:  msiexec.exe  2
File opened (read-only)  \??\W:  msiexec.exe  2
File opened (read-only)  \??\X:  msiexec.exe  2
File opened (read-only)  \??\Y:  msiexec.exe  2
File opened (read-only)  \??\Z:  msiexec.exe  2
Every drive letter except C:, D: and F: is opened exactly twice (23 letters, 46 IoCs). The process tree tags both msiexec.exe instances (PIDs 2956 and 4332) with this signature, which accounts for the pairs. Walking every volume root is also what the Windows Installer does when it resolves install targets and checks free space, so this signature alone does not distinguish the sample from a benign installer.
Loads dropped DLL (3 IoCs)
pid   Process
1216  MsiExec.exe
1216  MsiExec.exe
1216  MsiExec.exe
Event Triggered Execution: Installer Packages (1 TTPs, 1 IoCs)
pid   Process
2956  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                       pid   Process
Token: SeShutdownPrivilege        2956  msiexec.exe
Token: SeIncreaseQuotaPrivilege   2956  msiexec.exe
Token: SeSecurityPrivilege        4332  msiexec.exe
After these three entries, PID 2956 msiexec.exe enables the following 29 privileges in this order, and the whole pass appears twice (58 IoCs):
Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
The listing ends with the first three entries of a third pass (SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege), for 3 + 58 + 3 = 64 IoCs.
Enabling the entire privilege set in one sweep is normal for msiexec.exe acting as the Windows Installer service, so on its own this signature is weak evidence; the privileges worth a closer look in any installer are SeDebugPrivilege, SeLoadDriverPrivilege, SeTcbPrivilege and SeAssignPrimaryTokenPrivilege, and whether a dropped component actually exercises them.
Suspicious use of FindShellTrayWindow (1 IoCs)
pid   Process
2956  msiexec.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process      procid_target
PID 4332 wrote to memory of 1216   4332  msiexec.exe  88
PID 4332 wrote to memory of 1216   4332  msiexec.exe  88
PID 4332 wrote to memory of 1216   4332  msiexec.exe  88
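The signature tables in this report arrive as flattened text with no separators between entries, so re-deriving a verdict from them by hand is error-prone. The following is an added example, not part of the sandbox report: a small Python parser that reads the flattened "File opened (read-only) \??\X: process" and "Token: SePrivilege pid process" entries, re-derives the drive-enumeration heuristic the report describes (distinct non-C: roots opened per process) and summarises which privileges each PID enabled. The sample input is constructed from a subset of the entries above plus one extra benign process; the three-drive threshold and the list of high-value privileges are this example's assumptions, not the sandbox's own rules.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the flattened IoC text from the report,
# plus a notepad.exe entry added so the heuristic has a negative case.
DRIVE_IOCS = (
    "File opened (read-only) \\??\\H: msiexec.exe File opened (read-only) \\??\\M: msiexec.exe "
    "File opened (read-only) \\??\\A: msiexec.exe File opened (read-only) \\??\\H: msiexec.exe "
    "File opened (read-only) \\??\\Z: msiexec.exe File opened (read-only) \\??\\C: notepad.exe"
)
TOKEN_IOCS = (
    "Token: SeShutdownPrivilege 2956 msiexec.exe Token: SeIncreaseQuotaPrivilege 2956 msiexec.exe "
    "Token: SeSecurityPrivilege 4332 msiexec.exe Token: SeDebugPrivilege 2956 msiexec.exe "
    "Token: SeLoadDriverPrivilege 2956 msiexec.exe Token: SeDebugPrivilege 2956 msiexec.exe"
)

# The report's phrases are fixed, so anchored patterns recover the fields
# even though the entries run together with no delimiter.
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")

# Privileges a responder would want to see justified by an installer.
# This selection is the example's assumption, not the report's.
HIGH_VALUE = {
    "SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege",
}


def parse_drive_opens(text):
    """Map (process, drive letter) to the number of times that root was opened."""
    return Counter((proc, letter) for letter, proc in DRIVE_RE.findall(text))


def drive_enumeration_check(text, min_other_drives=3):
    """Re-derive 'Enumerates connected drives': flag a process that opened the
    root of at least min_other_drives distinct drives other than C:.
    Returns {process: sorted drive letters} for flagged processes only."""
    letters_by_proc = defaultdict(set)
    for proc, letter in parse_drive_opens(text):
        if letter != "C":
            letters_by_proc[proc].add(letter)
    return {proc: sorted(ls) for proc, ls in letters_by_proc.items()
            if len(ls) >= min_other_drives}


def parse_token_privileges(text):
    """Map (pid, process) to the sorted set of distinct privileges it enabled.
    Duplicates (the report repeats whole passes) collapse to one entry each."""
    privs = defaultdict(set)
    for priv, pid, proc in TOKEN_RE.findall(text):
        privs[(int(pid), proc)].add(priv)
    return {key: sorted(val) for key, val in privs.items()}


def high_value_privileges(text):
    """Restrict each PID's privilege set to the ones worth following up."""
    return {key: sorted(HIGH_VALUE & set(val))
            for key, val in parse_token_privileges(text).items()}


if __name__ == "__main__":
    print("drive enumeration:", drive_enumeration_check(DRIVE_IOCS))
    print("privileges by pid:", parse_token_privileges(TOKEN_IOCS))
    print("high-value only:  ", high_value_privileges(TOKEN_IOCS))
```

Fed the full 46-entry drive table and 64-entry token table from this report, the same functions return both msiexec.exe instances as drive enumerators and collapse the 64 token events into one 29-privilege set for PID 2956 and a single SeSecurityPrivilege for PID 4332, which is the shape a responder actually needs to reason about.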
Processes
C:\Windows\system32\msiexec.exe (PID 2956, depth 1)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\HTTPDebuggerPro.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 4332, depth 1)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 1216, depth 2, child of PID 4332)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5B82AB9B65EA5EC6CADA7568637742F3 C
    - Loads dropped DLL

PID 2956 is the client that the submission launched with /I; the /V instance (PID 4332) is the Windows Installer service, and the syswow64 MsiExec.exe -Embedding child it spawns is the 32-bit custom action server. That is where the dropped DLL is loaded, consistent with a 32-bit custom action DLL extracted from the package, so the custom action DLLs inside the MSI are the component to inspect next.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 90KB
MD5: 6a9c36332255fca66c688c75aa68e1de
SHA1: 2a03e2a5e6a8d9e2b0cfb4e2cc1923d9c08578c1
SHA256: 7b7ebada5da99a20c44eaf77e6d673985da42d9b7cb4f5e4235b7579581ae170
SHA512: a638c48026f2a0b565b34d7d0dfacfec4f582e698f88234521a6fcff1ed90c134f39aa3311cca2a67e401de01f81cac01d9f792f189127e0f87a345076827627