Resubmissions
19-07-2024 08:22
240719-j929savcmd 619-07-2024 08:14
240719-j5fj8a1clk 1019-07-2024 08:08
240719-j1lknstgpb 6Analysis
-
max time kernel
130s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
19-07-2024 08:08
Static task
static1
Behavioral task
behavioral1
Sample
gooleo.msi
Resource
win10-20240404-en
windows10-1703-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
gooleo.msi
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral3
Sample
gooleo.msi
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral4
Sample
gooleo.msi
Resource
win11-20240709-en
windows11-21h2-x64
6 signatures
150 seconds
General
-
Target
gooleo.msi
-
Size
87.8MB
-
MD5
e651816dd9240300cf9bd9c565e3b869
-
SHA1
a4bc6e8f6516f3d549195887d7095b9496ae52f9
-
SHA256
2c12e2073d0b50369b0b10ebbdb8bf8357fbf7cdca3f97b0b84192339b846c25
-
SHA512
90646a020b0ea67c912f999690382a44f5649c5f3c2a4a7c060aced6a9a71533b92c04d948db8bafd717dd295ad19bb85a71d73ef86a62613e65053323b108b8
-
SSDEEP
1572864:MKSA0Q9ilL4UxQUoim6casSZrcBsCWpuFg9O/jAaWFFDp+chVF1luEbtYio0z8+U:MbVQ92TQUooc3Uw2F9HHluEbtpoOKd3
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Loads dropped DLL 7 IoCs
pid Process 4180 MsiExec.exe 4180 MsiExec.exe 4180 MsiExec.exe 4180 MsiExec.exe 4180 MsiExec.exe 4180 MsiExec.exe 4180 MsiExec.exe -
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
pid Process 4660 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4660 msiexec.exe Token: SeIncreaseQuotaPrivilege 4660 msiexec.exe Token: SeSecurityPrivilege 4572 msiexec.exe Token: SeCreateTokenPrivilege 4660 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4660 msiexec.exe Token: SeLockMemoryPrivilege 4660 msiexec.exe Token: SeIncreaseQuotaPrivilege 4660 msiexec.exe Token: SeMachineAccountPrivilege 4660 msiexec.exe Token: SeTcbPrivilege 4660 msiexec.exe Token: SeSecurityPrivilege 4660 msiexec.exe Token: SeTakeOwnershipPrivilege 4660 msiexec.exe Token: SeLoadDriverPrivilege 4660 msiexec.exe Token: SeSystemProfilePrivilege 4660 msiexec.exe Token: SeSystemtimePrivilege 4660 msiexec.exe Token: SeProfSingleProcessPrivilege 4660 msiexec.exe Token: SeIncBasePriorityPrivilege 4660 msiexec.exe Token: SeCreatePagefilePrivilege 4660 msiexec.exe Token: SeCreatePermanentPrivilege 4660 msiexec.exe Token: SeBackupPrivilege 4660 msiexec.exe Token: SeRestorePrivilege 4660 msiexec.exe Token: SeShutdownPrivilege 4660 msiexec.exe Token: SeDebugPrivilege 4660 msiexec.exe Token: SeAuditPrivilege 4660 msiexec.exe Token: SeSystemEnvironmentPrivilege 4660 msiexec.exe Token: SeChangeNotifyPrivilege 4660 msiexec.exe Token: SeRemoteShutdownPrivilege 4660 msiexec.exe Token: SeUndockPrivilege 4660 msiexec.exe Token: SeSyncAgentPrivilege 4660 msiexec.exe Token: SeEnableDelegationPrivilege 4660 msiexec.exe Token: SeManageVolumePrivilege 4660 msiexec.exe Token: SeImpersonatePrivilege 4660 msiexec.exe Token: SeCreateGlobalPrivilege 4660 msiexec.exe Token: SeCreateTokenPrivilege 4660 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4660 msiexec.exe Token: SeLockMemoryPrivilege 4660 msiexec.exe Token: SeIncreaseQuotaPrivilege 4660 msiexec.exe Token: SeMachineAccountPrivilege 4660 msiexec.exe Token: SeTcbPrivilege 4660 msiexec.exe Token: SeSecurityPrivilege 4660 msiexec.exe Token: SeTakeOwnershipPrivilege 4660 msiexec.exe Token: SeLoadDriverPrivilege 4660 msiexec.exe Token: SeSystemProfilePrivilege 4660 msiexec.exe Token: SeSystemtimePrivilege 4660 msiexec.exe Token: SeProfSingleProcessPrivilege 4660 msiexec.exe Token: SeIncBasePriorityPrivilege 4660 msiexec.exe Token: SeCreatePagefilePrivilege 4660 msiexec.exe Token: SeCreatePermanentPrivilege 4660 msiexec.exe Token: SeBackupPrivilege 4660 msiexec.exe Token: SeRestorePrivilege 4660 msiexec.exe Token: SeShutdownPrivilege 4660 msiexec.exe Token: SeDebugPrivilege 4660 msiexec.exe Token: SeAuditPrivilege 4660 msiexec.exe Token: SeSystemEnvironmentPrivilege 4660 msiexec.exe Token: SeChangeNotifyPrivilege 4660 msiexec.exe Token: SeRemoteShutdownPrivilege 4660 msiexec.exe Token: SeUndockPrivilege 4660 msiexec.exe Token: SeSyncAgentPrivilege 4660 msiexec.exe Token: SeEnableDelegationPrivilege 4660 msiexec.exe Token: SeManageVolumePrivilege 4660 msiexec.exe Token: SeImpersonatePrivilege 4660 msiexec.exe Token: SeCreateGlobalPrivilege 4660 msiexec.exe Token: SeCreateTokenPrivilege 4660 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4660 msiexec.exe Token: SeLockMemoryPrivilege 4660 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4660 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4572 wrote to memory of 4180 4572 msiexec.exe 75 PID 4572 wrote to memory of 4180 4572 msiexec.exe 75 PID 4572 wrote to memory of 4180 4572 msiexec.exe 75
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gooleo.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4660
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6860911AA91134CEC4E021AF462A2875 C2⤵
- Loads dropped DLL
PID:4180
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
588KB
MD5a9941233b9415b479d3b4f3732161eab
SHA1cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7