9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OpenShellSetup_4_4_191.exe
Size

7.9MB
MD5

e0484fd1e79a0227a5923cdc95b511ba
SHA1

bea0cb5c42adbde14e8cf50b64982e1877c7855d
SHA256

9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c
SHA512

80f8b0ac16dfbf7df640a69b0f05ec9e002e09ed1d7c84d231db00422972c5a02ddef616570d4e7488f697c28933bbf27e5175db61b8cbd2403203b6e30bf431
SSDEEP

196608:B+s5T8f3Hb+IcrthtV80y85WDe+qHw7aJvRt5Oj8GWDAqr:BbT8j+9JkNDJQGuRFDj

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3004	msiexec.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	2072	msiexec.exe
Token: SeTakeOwnershipPrivilege	2072	msiexec.exe
Token: SeSecurityPrivilege	2072	msiexec.exe
Token: SeCreateTokenPrivilege	3004	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3004	msiexec.exe
Token: SeLockMemoryPrivilege	3004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3004	msiexec.exe
Token: SeMachineAccountPrivilege	3004	msiexec.exe
Token: SeTcbPrivilege	3004	msiexec.exe
Token: SeSecurityPrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeLoadDriverPrivilege	3004	msiexec.exe
Token: SeSystemProfilePrivilege	3004	msiexec.exe
Token: SeSystemtimePrivilege	3004	msiexec.exe
Token: SeProfSingleProcessPrivilege	3004	msiexec.exe
Token: SeIncBasePriorityPrivilege	3004	msiexec.exe
Token: SeCreatePagefilePrivilege	3004	msiexec.exe
Token: SeCreatePermanentPrivilege	3004	msiexec.exe
Token: SeBackupPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeShutdownPrivilege	3004	msiexec.exe
Token: SeDebugPrivilege	3004	msiexec.exe
Token: SeAuditPrivilege	3004	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3004	msiexec.exe
Token: SeChangeNotifyPrivilege	3004	msiexec.exe
Token: SeRemoteShutdownPrivilege	3004	msiexec.exe
Token: SeUndockPrivilege	3004	msiexec.exe
Token: SeSyncAgentPrivilege	3004	msiexec.exe
Token: SeEnableDelegationPrivilege	3004	msiexec.exe
Token: SeManageVolumePrivilege	3004	msiexec.exe
Token: SeImpersonatePrivilege	3004	msiexec.exe
Token: SeCreateGlobalPrivilege	3004	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3004	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3004	2060	OpenShellSetup_4_4_191.exe	30
PID 2060 wrote to memory of 3004	2060	OpenShellSetup_4_4_191.exe	30
PID 2060 wrote to memory of 3004	2060	OpenShellSetup_4_4_191.exe	30
PID 2060 wrote to memory of 3004	2060	OpenShellSetup_4_4_191.exe	30
PID 2060 wrote to memory of 3004	2060	OpenShellSetup_4_4_191.exe	30
PID 2060 wrote to memory of 3004	2060	OpenShellSetup_4_4_191.exe	30
PID 2060 wrote to memory of 3004	2060	OpenShellSetup_4_4_191.exe	30

C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe
"C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\ProgramData\OpenShellSetup64_4_4_191.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3004

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OpenShellSetup64_4_4_191.msi

Filesize
5.3MB

MD5
cc25bc2f1b5dec7e9e7ab3289ed92cc7

SHA1
449e9de44f4b640f1b7cd4ee2f35ca3d15f77ff2

SHA256
25aa0c605989a6a91ebe0eaafcf55843401e84ed5cc52d8b3ee4b2fa19ba2313

SHA512
e51dcaf8d622f87a9bb5a10a7156d34fb56d13ff26fc9a5d63986d353ae7dad9de3c637d1a1a04d2908d2c378f63873962043667c48607035cd4439f86c11c2a

Download Submit