Analysis
-
max time kernel
121s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19-07-2024 01:03
Static task
static1
Behavioral task
behavioral1
Sample
readit340_3045_full.msi
Resource
win7-20240708-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
readit340_3045_full.msi
Resource
win10v2004-20240709-en
windows10-2004-x64
4 signatures
150 seconds
Behavioral task
behavioral3
Sample
新云软件.url
Resource
win7-20240704-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral4
Sample
新云软件.url
Resource
win10v2004-20240709-en
windows10-2004-x64
0 signatures
150 seconds
General
-
Target
readit340_3045_full.msi
-
Size
6.5MB
-
MD5
d081c4d17b85101d03167c9c3c8077ca
-
SHA1
e17ffa2bee17412288dd9d02075f612ecd06d457
-
SHA256
24fa2c092a6daaa1c259cc099b3755cb8da72220a1c1770d09b55d1e9b642c3f
-
SHA512
7994fc23c8841a1f9e4aa367736eb35f83e1b39799bc042f3c4715d6471c5d8094aaa7248c2bdfe579abd619e2f42f2f4cd7994057a8dc2797670bd8519fc237
-
SSDEEP
196608:gelD8JBNNVW/f9tCm0xdbijYW5byVYScIQEV+/U:gYD8xfW3amvjYWJA1Hj0c
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\K: msiexec.exe -
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
pid Process 1756 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1756 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeShutdownPrivilege 1756 msiexec.exe Token: SeIncreaseQuotaPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 2080 msiexec.exe Token: SeTakeOwnershipPrivilege 2080 msiexec.exe Token: SeSecurityPrivilege 2080 msiexec.exe Token: SeCreateTokenPrivilege 1756 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1756 msiexec.exe Token: SeLockMemoryPrivilege 1756 msiexec.exe Token: SeIncreaseQuotaPrivilege 1756 msiexec.exe Token: SeMachineAccountPrivilege 1756 msiexec.exe Token: SeTcbPrivilege 1756 msiexec.exe Token: SeSecurityPrivilege 1756 msiexec.exe Token: SeTakeOwnershipPrivilege 1756 msiexec.exe Token: SeLoadDriverPrivilege 1756 msiexec.exe Token: SeSystemProfilePrivilege 1756 msiexec.exe Token: SeSystemtimePrivilege 1756 msiexec.exe Token: SeProfSingleProcessPrivilege 1756 msiexec.exe Token: SeIncBasePriorityPrivilege 1756 msiexec.exe Token: SeCreatePagefilePrivilege 1756 msiexec.exe Token: SeCreatePermanentPrivilege 1756 msiexec.exe Token: SeBackupPrivilege 1756 msiexec.exe Token: SeRestorePrivilege 1756 msiexec.exe Token: SeShutdownPrivilege 1756 msiexec.exe Token: SeDebugPrivilege 1756 msiexec.exe Token: SeAuditPrivilege 1756 msiexec.exe Token: SeSystemEnvironmentPrivilege 1756 msiexec.exe Token: SeChangeNotifyPrivilege 1756 msiexec.exe Token: SeRemoteShutdownPrivilege 1756 msiexec.exe Token: SeUndockPrivilege 1756 msiexec.exe Token: SeSyncAgentPrivilege 1756 msiexec.exe Token: SeEnableDelegationPrivilege 1756 msiexec.exe Token: SeManageVolumePrivilege 1756 msiexec.exe Token: SeImpersonatePrivilege 1756 msiexec.exe Token: SeCreateGlobalPrivilege 1756 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1756 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\readit340_3045_full.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1756
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080