2c12e2073d0b50369b0b10ebbdb8bf8357fbf7cdca3f97b0b84192339b846c25

Resubmissions

19-07-2024 08:22

240719-j929savcmd 6

19-07-2024 08:14

240719-j5fj8a1clk 10

19-07-2024 08:08

240719-j1lknstgpb 6

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gooleo.msi
Size

87.8MB
MD5

e651816dd9240300cf9bd9c565e3b869
SHA1

a4bc6e8f6516f3d549195887d7095b9496ae52f9
SHA256

2c12e2073d0b50369b0b10ebbdb8bf8357fbf7cdca3f97b0b84192339b846c25
SHA512

90646a020b0ea67c912f999690382a44f5649c5f3c2a4a7c060aced6a9a71533b92c04d948db8bafd717dd295ad19bb85a71d73ef86a62613e65053323b108b8
SSDEEP

1572864:MKSA0Q9ilL4UxQUoim6casSZrcBsCWpuFg9O/jAaWFFDp+chVF1luEbtYio0z8+U:MbVQ92TQUooc3Uw2F9HHluEbtpoOKd3

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
2700	MsiExec.exe
2700	MsiExec.exe
2700	MsiExec.exe
2700	MsiExec.exe
2700	MsiExec.exe

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
2748	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2748	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2748	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2748	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeSecurityPrivilege	2672	msiexec.exe
Token: SeCreateTokenPrivilege	2748	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2748	msiexec.exe
Token: SeLockMemoryPrivilege	2748	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2748	msiexec.exe
Token: SeMachineAccountPrivilege	2748	msiexec.exe
Token: SeTcbPrivilege	2748	msiexec.exe
Token: SeSecurityPrivilege	2748	msiexec.exe
Token: SeTakeOwnershipPrivilege	2748	msiexec.exe
Token: SeLoadDriverPrivilege	2748	msiexec.exe
Token: SeSystemProfilePrivilege	2748	msiexec.exe
Token: SeSystemtimePrivilege	2748	msiexec.exe
Token: SeProfSingleProcessPrivilege	2748	msiexec.exe
Token: SeIncBasePriorityPrivilege	2748	msiexec.exe
Token: SeCreatePagefilePrivilege	2748	msiexec.exe
Token: SeCreatePermanentPrivilege	2748	msiexec.exe
Token: SeBackupPrivilege	2748	msiexec.exe
Token: SeRestorePrivilege	2748	msiexec.exe
Token: SeShutdownPrivilege	2748	msiexec.exe
Token: SeDebugPrivilege	2748	msiexec.exe
Token: SeAuditPrivilege	2748	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2748	msiexec.exe
Token: SeChangeNotifyPrivilege	2748	msiexec.exe
Token: SeRemoteShutdownPrivilege	2748	msiexec.exe
Token: SeUndockPrivilege	2748	msiexec.exe
Token: SeSyncAgentPrivilege	2748	msiexec.exe
Token: SeEnableDelegationPrivilege	2748	msiexec.exe
Token: SeManageVolumePrivilege	2748	msiexec.exe
Token: SeImpersonatePrivilege	2748	msiexec.exe
Token: SeCreateGlobalPrivilege	2748	msiexec.exe
Token: SeCreateTokenPrivilege	2748	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2748	msiexec.exe
Token: SeLockMemoryPrivilege	2748	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2748	msiexec.exe
Token: SeMachineAccountPrivilege	2748	msiexec.exe
Token: SeTcbPrivilege	2748	msiexec.exe
Token: SeSecurityPrivilege	2748	msiexec.exe
Token: SeTakeOwnershipPrivilege	2748	msiexec.exe
Token: SeLoadDriverPrivilege	2748	msiexec.exe
Token: SeSystemProfilePrivilege	2748	msiexec.exe
Token: SeSystemtimePrivilege	2748	msiexec.exe
Token: SeProfSingleProcessPrivilege	2748	msiexec.exe
Token: SeIncBasePriorityPrivilege	2748	msiexec.exe
Token: SeCreatePagefilePrivilege	2748	msiexec.exe
Token: SeCreatePermanentPrivilege	2748	msiexec.exe
Token: SeBackupPrivilege	2748	msiexec.exe
Token: SeRestorePrivilege	2748	msiexec.exe
Token: SeShutdownPrivilege	2748	msiexec.exe
Token: SeDebugPrivilege	2748	msiexec.exe
Token: SeAuditPrivilege	2748	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2748	msiexec.exe
Token: SeChangeNotifyPrivilege	2748	msiexec.exe
Token: SeRemoteShutdownPrivilege	2748	msiexec.exe
Token: SeUndockPrivilege	2748	msiexec.exe
Token: SeSyncAgentPrivilege	2748	msiexec.exe
Token: SeEnableDelegationPrivilege	2748	msiexec.exe
Token: SeManageVolumePrivilege	2748	msiexec.exe
Token: SeImpersonatePrivilege	2748	msiexec.exe
Token: SeCreateGlobalPrivilege	2748	msiexec.exe
Token: SeCreateTokenPrivilege	2748	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2700	2672	msiexec.exe	31
PID 2672 wrote to memory of 2700	2672	msiexec.exe	31
PID 2672 wrote to memory of 2700	2672	msiexec.exe	31
PID 2672 wrote to memory of 2700	2672	msiexec.exe	31
PID 2672 wrote to memory of 2700	2672	msiexec.exe	31
PID 2672 wrote to memory of 2700	2672	msiexec.exe	31
PID 2672 wrote to memory of 2700	2672	msiexec.exe	31

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gooleo.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2748

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B6AD998E03B1490FD7DEC0D08532D9BA C
  2⤵
  - Loads dropped DLL
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI2DB5.tmp

Filesize
588KB

MD5
a9941233b9415b479d3b4f3732161eab

SHA1
cb2d99af52b3b1c712943b13e45d85c80c732e57

SHA256
ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2

SHA512
cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads