Resubmissions
- 19-07-2024 08:22  240719-j929savcmd  6
- 19-07-2024 08:14  240719-j5fj8a1clk  10
- 19-07-2024 08:08  240719-j1lknstgpb  6

Analysis
- max time kernel: 89s
- max time network: 95s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 19-07-2024 08:08
Static task
- static1

Behavioral tasks
- behavioral1: sample gooleo.msi, resource win10-20240404-en
- behavioral2: sample gooleo.msi, resource win7-20240708-en
- behavioral3: sample gooleo.msi, resource win10v2004-20240709-en
- behavioral4: sample gooleo.msi, resource win11-20240709-en
General
- Target: gooleo.msi
- Size: 87.8MB
- MD5: e651816dd9240300cf9bd9c565e3b869
- SHA1: a4bc6e8f6516f3d549195887d7095b9496ae52f9
- SHA256: 2c12e2073d0b50369b0b10ebbdb8bf8357fbf7cdca3f97b0b84192339b846c25
- SHA512: 90646a020b0ea67c912f999690382a44f5649c5f3c2a4a7c060aced6a9a71533b92c04d948db8bafd717dd295ad19bb85a71d73ef86a62613e65053323b108b8
- SSDEEP: 1572864:MKSA0Q9ilL4UxQUoim6casSZrcBsCWpuFg9O/jAaWFFDp+chVF1luEbtYio0z8+U:MbVQ92TQUooc3Uw2F9HHluEbtpoOKd3
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Loads dropped DLL (7 IoCs)
  pid   Process
  4844  MsiExec.exe
  4844  MsiExec.exe
  4844  MsiExec.exe
  4844  MsiExec.exe
  4844  MsiExec.exe
  4844  MsiExec.exe
  4844  MsiExec.exe
- Event Triggered Execution: Installer Packages (1 TTPs, 1 IoCs)
  pid   Process
  708   msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  708   msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   Process      procid_target
  PID 3188 wrote to memory of 4844 3188  msiexec.exe  85
  PID 3188 wrote to memory of 4844 3188  msiexec.exe  85
  PID 3188 wrote to memory of 4844 3188  msiexec.exe  85
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gooleo.msi
  PID: 708
  Signatures: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3188
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (child of PID 3188)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9B2D1CF383936291A918460FD049D44E C
    PID: 4844
    Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 588KB
  MD5: a9941233b9415b479d3b4f3732161eab
  SHA1: cb2d99af52b3b1c712943b13e45d85c80c732e57
  SHA256: ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
  SHA512: cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7