3c76a1ce29594493d952738f9ca57fbd3aaf3edee5f41a69b5a0e8fe8def0823

General

Target

TeamPublisherAdminSetup.exe
Size

7.4MB
MD5

dc8a343d71f6e41663462822e0ee21d7
SHA1

5ffaecef68f699fb76aa1ccab63db271169dd676
SHA256

98da9f1d6492f45ad78b0f5b233b87a84953636fa555a5e928834810f74b96ce
SHA512

43a12dd49048d35dabed24806be126749aa0439b66f5325528f473b54cd57d7b1b101611f51cea7f0dea7d0434fa2b3cde6d7e316ec672f4b7a8b269817b1432
SSDEEP

196608:tdi2/BUErxsdBaYxYHS8JXiZ2uXkkYcZvbbG+77lh:rJUGG1x6NJilkkYcxK+H7

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2712	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2712	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2712	MSIEXEC.EXE
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeSecurityPrivilege	2892	msiexec.exe
Token: SeCreateTokenPrivilege	2712	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2712	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2712	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2712	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2712	MSIEXEC.EXE
Token: SeTcbPrivilege	2712	MSIEXEC.EXE
Token: SeSecurityPrivilege	2712	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2712	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2712	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2712	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2712	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2712	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2712	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2712	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2712	MSIEXEC.EXE
Token: SeBackupPrivilege	2712	MSIEXEC.EXE
Token: SeRestorePrivilege	2712	MSIEXEC.EXE
Token: SeShutdownPrivilege	2712	MSIEXEC.EXE
Token: SeDebugPrivilege	2712	MSIEXEC.EXE
Token: SeAuditPrivilege	2712	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2712	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2712	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2712	MSIEXEC.EXE
Token: SeUndockPrivilege	2712	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2712	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2712	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2712	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2712	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2712	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2712	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2712	2028	TeamPublisherAdminSetup.exe	30
PID 2028 wrote to memory of 2712	2028	TeamPublisherAdminSetup.exe	30
PID 2028 wrote to memory of 2712	2028	TeamPublisherAdminSetup.exe	30
PID 2028 wrote to memory of 2712	2028	TeamPublisherAdminSetup.exe	30
PID 2028 wrote to memory of 2712	2028	TeamPublisherAdminSetup.exe	30
PID 2028 wrote to memory of 2712	2028	TeamPublisherAdminSetup.exe	30
PID 2028 wrote to memory of 2712	2028	TeamPublisherAdminSetup.exe	30

C:\Users\Admin\AppData\Local\Temp\TeamPublisherAdminSetup.exe
"C:\Users\Admin\AppData\Local\Temp\TeamPublisherAdminSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{E80D8790-4305-417D-B1F8-EA6093E375B2}\Team Publisher Admin Tool.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="TeamPublisherAdminSetup.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2712

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Downloaded Installations\{E80D8790-4305-417D-B1F8-EA6093E375B2}\Team Publisher Admin Tool.msi

Filesize
7.4MB

MD5
c122b686747520b5b8e86a9ec3972587

SHA1
fbc861de8531704c4359deab4e62ab21a811bdd8

SHA256
4b51bb1350187a10213b90896ac1c289ae900e8dae65f340f68bee0c47d5c875

SHA512
f7983aa4249d0afaeba87ce0173456473c449a8192e4b49155c4b8149e8dd892fe87111d2359bf4c41860490f3fc852290e126792b53fbcb3649320cb4e8f1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is9F03.tmp

Filesize
1KB

MD5
cd1d6f6dccb6e7752f20bf5efd8b70ef

SHA1
47c1d37fb79c1e5273ae777f4828df990f7b568c

SHA256
f437ad9c2c5bb0a76513a8d7c3bbbd51dc2b4c1e5b685740079c8c2b7b5d3618

SHA512
8ff356871ba370c84c3decbf796dc0f088aba041b6271f9240682cc458e5ba50c275c5c94f12ab9697f5fc86ec5bad394f32667e98a6b48124b6c51b5eb104e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E5AED973-C78A-40AD-9D34-67CD1305E876}\0x0409.ini

Filesize
13KB

MD5
758747727e96a23c7c5a5bbb011656e4

SHA1
51cc637e7eb3451d6dfa9465d949d6dfb2cd65c9

SHA256
bad3b2e854149df9413f06e6c1c7b7c875545393877f59b59907f6b083ce5825

SHA512
21ff9d365beb1b7809b89d540f41bf330515f05f6211c8327be43baf1f050e46ecc1654b0696e7c82a2a803267e38d780ffd83dea7448861f6e3b84838685627

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E5AED973-C78A-40AD-9D34-67CD1305E876}\Setup.INI

Filesize
2KB

MD5
89074b0f563e9ed392323be3a4b81a6b

SHA1
4645061d7d4396201637a16321496a7109ed4260

SHA256
a0efe97906ad61dd7bae6eeb5e15939c397ee59426f9d6da7e8d9b65c69d867a

SHA512
48e738354b5f212629eafcc539c2c5c7ae8dde5260540ffb1f44b40cdc5695ae2d0d7842fc7a611f2ddd569abc0d3796e786847aed706919089dd648e9806bf9

Download Submit

Analysis

Sharing