Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/07/2024, 20:18
Static task: static1
Behavioral task behavioral1: sample images/新云软件.url, resource win7-20240704-en
Behavioral task behavioral2: sample images/新云软件.url, resource win10v2004-20240709-en
Behavioral task behavioral3: sample setup.exe, resource win7-20240708-en
Behavioral task behavioral4: sample setup.exe, resource win10v2004-20240709-en
Behavioral task behavioral5: sample 安装与配置说明.htm, resource win7-20240704-en
Behavioral task behavioral6: sample 安装与配置说明.htm, resource win10v2004-20240709-en
Behavioral task behavioral7: sample 软件最终用户许可协议.rtf, resource win7-20240704-en
Behavioral task behavioral8: sample 软件最终用户许可协议.rtf, resource win10v2004-20240709-en
General
- Target: setup.exe
- Size: 10.9MB
- MD5: 00bac975e69efdbf633cd695e0a6fbad
- SHA1: 205dee4a96e634e2bfe366202f9e4cdec4fea3ce
- SHA256: 1881cb7555c814f83e50d4b2fdb3fb66a0cc3e0776aa67a01b8ff7f6544625ea
- SHA512: d829d87917185d2f276aa32f05d561d61907a716bd1d330b967b78f8aa3adeb8ca6e9fdab5eed5cd13e8ebcdfc9e314084fff9db779638d3567aa17bdb9b14ee
- SSDEEP: 196608:HM4aNk4LDK+g25YC+QmnkleS9rJB4IQn9ZlVen0BL5GuDlR/GLpyEDp:74q+7Y3uRJBnQn9A0lR/6y8
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  PID 3832, process MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Downloaded Installations\{580F0402-A163-4EFF-8CB9-DA1A423B158F}\AnyOffice.NetÐͬ°ì¹«ÏµÍ³ 2009(4.2.4.0) Õýʽ°æ.msi (process setup.exe)
  File opened for modification: C:\Windows\Downloaded Installations\{580F0402-A163-4EFF-8CB9-DA1A423B158F}\AnyOffice.NetÐͬ°ì¹«ÏµÍ³ 2009(4.2.4.0) Õýʽ°æ.msi (process setup.exe)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 5004, process MSIEXEC.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4584 wrote to memory of 5004 (pid 4584, process setup.exe, procid_target 86)
  PID 4584 wrote to memory of 5004 (pid 4584, process setup.exe, procid_target 86)
  PID 4584 wrote to memory of 5004 (pid 4584, process setup.exe, procid_target 86)
  PID 3160 wrote to memory of 3832 (pid 3160, process msiexec.exe, procid_target 89)
  PID 3160 wrote to memory of 3832 (pid 3160, process msiexec.exe, procid_target 89)
  PID 3160 wrote to memory of 3832 (pid 3160, process msiexec.exe, procid_target 89)
Processes
- C:\Users\Admin\AppData\Local\Temp\setup.exe (PID 4584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\MSIEXEC.EXE (PID 5004, child of 4584)
    Command line: MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{580F0402-A163-4EFF-8CB9-DA1A423B158F}\AnyOffice.NetÐͬ°ì¹«ÏµÍ³ 2009(4.2.4.0) Õýʽ°æ.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="setup.exe"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3160)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 3832, child of 3160)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 02662B0122FC33454C881A2D48693356 C
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 513KB
  MD5: ab8e6b4dc17767b1882bd5924b314179
  SHA1: f0e5faeaf693c2e52bad68bba5449949bb7348e1
  SHA256: 37b4f14665862b6d1283abf4fbdfcaa8fd6b88f30cf23f9753e068f6344075c6
  SHA512: 0bbe09d6d9535004d88ecfa429e3a1e731eb71cac064eb863b43d9cf937a6b5355df0ed99023f961ff6ea984217a55530440bb1058e25980db8f64ff3152224b
- Filesize: 1KB
  MD5: b42c510fde70e376ae0b726e352a1f27
  SHA1: 0d41e951ca4a4e1ac0aa3ae4376e535b93eee4c0
  SHA256: d709661b752eee06b6233fa7a373002af9230aa2acd44b277ef4bd2a709bf005
  SHA512: 9c9c34dd887bcbc2723e086d6c7108c0899e78c125a60d7718bcf913868e5283f4a296daf9284136505a40b3b1fb10576c7f8e4a60727e3e1ba5794bfb57b9a6
- Filesize: 6KB
  MD5: d79173462cb9377187d61ec9caf58344
  SHA1: ed853089c38246eb3c8d06004b4ef0dc4c0d4a91
  SHA256: e99a2f085d31fa583a54804f5784ac6ca3e1fbb505c8a26251532c7287ea2cd4
  SHA512: c0a182eddf7972c7824b3dbf0502056a025c831c392c945780626968e458cf55a6db893a108a70a676fbaa5fdae6d27577bcc2377ffd8462532ac24f410d453a
- Filesize: 2KB
  MD5: 10a484fe7b0b5d8783ca5e740fc23c5f
  SHA1: 2acaf478b8d46a8b7dd4fb7f32f2cc069d6bed32
  SHA256: e1002b859cf2b6c48a62efc361e3e62ed4687f0ed94b5ba686cb6dd745cea234
  SHA512: dd5ee5fa54a17784e15846222b467d27b9f6fcb0da74ad7eef7e40e47c9f1ce9734bcc091a24524b9c3fd67cb5114af1d288b147f306829a9e2627c7b4e9d0c6
- C:\Windows\Downloaded Installations\{580F0402-A163-4EFF-8CB9-DA1A423B158F}\AnyOffice.NetÐͬ°ì¹«ÏµÍ³ 2009(4.2.4.0) Õýʽ°æ.msi
  Filesize: 10.0MB
  MD5: 87268f320809ce21570e7fb0f13f7297
  SHA1: e9a2c938007633d97a09628bad10aa0da4e2ed5a
  SHA256: 896f6f849abcc1b945b9676ae17c075394a62e9117a15db7a4bc4040802a1ed3
  SHA512: 116421f9d311c37e287994243d005b96aca29d92449c597a1504e40d4f69b751d862f030bc61a7d6ff98b0ac0b44dda51edbe81762c54bf6a32dceb80e677735