d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Size

4.6MB
MD5

49cfa73d7dd2fe362a914b4bb628d174
SHA1

ee9aab3efbb85a3ccdc2ec33953469cd9a4a7067
SHA256

d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a
SHA512

c41aadb4a176923734df9705f0c473b982f4ce0da7c400a408091e2ad8f9117a8dc0cc25b8b27c8236e5d2f0692defcc415bd5ea47b51bb7e8dc09930a18c8ae
SSDEEP

98304:yOySfRmDk7aphPPUqCjqeBwgKX19iNFg5h1GDVCo:yOFLepcB1aqqBIVJ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
4308	MsiExec.exe
4308	MsiExec.exe
4308	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\O:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\U:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\V:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\X:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\Z:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\B:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\P:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\M:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\K:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\L:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\S:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\G:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\Q:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\T:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\Y:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4796	msiexec.exe
Token: SeCreateTokenPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeAssignPrimaryTokenPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeLockMemoryPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeIncreaseQuotaPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeMachineAccountPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeTcbPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeSecurityPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeTakeOwnershipPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeLoadDriverPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeSystemProfilePrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeSystemtimePrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeProfSingleProcessPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeIncBasePriorityPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeCreatePagefilePrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeCreatePermanentPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeBackupPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeRestorePrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeShutdownPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeDebugPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeAuditPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeSystemEnvironmentPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeChangeNotifyPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeRemoteShutdownPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeUndockPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeSyncAgentPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeEnableDelegationPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeManageVolumePrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeImpersonatePrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeCreateGlobalPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeCreateTokenPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeAssignPrimaryTokenPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeLockMemoryPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeIncreaseQuotaPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeMachineAccountPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeTcbPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeSecurityPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeTakeOwnershipPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeLoadDriverPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeSystemProfilePrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeSystemtimePrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeProfSingleProcessPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeIncBasePriorityPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeCreatePagefilePrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeCreatePermanentPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeBackupPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeRestorePrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeShutdownPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeDebugPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeAuditPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeSystemEnvironmentPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeChangeNotifyPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeRemoteShutdownPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeUndockPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeSyncAgentPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeEnableDelegationPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeManageVolumePrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeImpersonatePrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeCreateGlobalPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeCreateTokenPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeAssignPrimaryTokenPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeLockMemoryPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeIncreaseQuotaPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
Token: SeMachineAccountPrivilege	5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5052	d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4308	4796	msiexec.exe	88
PID 4796 wrote to memory of 4308	4796	msiexec.exe	88
PID 4796 wrote to memory of 4308	4796	msiexec.exe	88

C:\Users\Admin\AppData\Local\Temp\d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe
"C:\Users\Admin\AppData\Local\Temp\d167da473d0818f428f0c3e34e17c195c6d3b6259c788beca1be3a743675844a.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5052

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 272CE558F322E6695E8F842772513758 C
  2⤵
  - Loads dropped DLL
  PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_5052\dialog.jpg

Filesize
36KB

MD5
abf1076064505dee794fa7aed67252b8

SHA1
358d4e501bb3007feece82a4039cc1050f23fab4

SHA256
fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73

SHA512
9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC71A.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC7B7.tmp

Filesize
632KB

MD5
9b4b4ea6509e4db1e2a8f09a7c6f8f04

SHA1
512880abe3c9696edb042599bd199f1d05210aa2

SHA256
3774c31039cb87ed0327f49a00abd7b4211ac938a46378b8661cd5d8b3b34f94

SHA512
63b4788a3ad000c08582f55532dc06bf88bc4111837a63e8157e0f5f668225f46758f9481b6e526a5a813f4f0cc9be65fb4107d2135c61083274592af03ba608

Download Submit
C:\Users\Admin\AppData\Roaming\何故\盘古IM 2.3.1.0\install\E818D2F\盘古IM-新.msi

Filesize
2.5MB

MD5
7a692fda0f2c720ff84d8e90a2b21d48

SHA1
e69d224db0d3d88fb39efe3668eabb17a3ec33b4

SHA256
b13cc76c6150b78be34a81df40069b3b53afb97162d808a3a92f33c3cdc3bb14

SHA512
eefcf56538339252ae3be0366ed7cbdee8a3915d0a98a3cf7c8bb0ace72f62d61fa30db3671d972acb79a7f7975991badc6a3151eae69e98a821394da21d3836

Download Submit
C:\Users\Admin\AppData\Roaming\何故\盘古IM 2.3.1.0\install\decoder.dll

Filesize
215KB

MD5
c098b1c216866d9ca0eeae0a46a46a0a

SHA1
b68890ebc6af792cac62ab0e2ade6a7b777c58ae

SHA256
0960f28f586617647f16ccb2ad9b38fba521605015a4c51f661d4bceca251db0

SHA512
fac75162310f554baccb49b5b88ebceaa8b288e7aca010e0b364077dd2738cd0d484633bef7270fad064813a7b01b7d26e000c0561d20925fa5a6ea902d452e6

Download Submit