Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 23/07/2024, 09:10
Static task: static1
Behavioral task behavioral1: Sample HB_GameJack.exe, Resource win7-20240704-en
Behavioral task behavioral2: Sample HB_GameJack.exe, Resource win10v2004-20240709-en
Behavioral task behavioral3: Sample gj5.exe, Resource win7-20240704-en
Behavioral task behavioral4: Sample gj5.exe, Resource win10v2004-20240709-en
General
- Target: gj5.exe
- Size: 8.3MB
- MD5: 84e103de7797f7a720505d2a43b3cca2
- SHA1: 203c8496daec53f97201bdcd88e4a572be17fa72
- SHA256: 87cdcd10b534f681bc4d60ecc2aaf67970cdc112887172fcd86cfa94e3f5e847
- SHA512: d489914157fee7edb44a5439a8568aa2e73e84e1c82eb9c7a3f7bcc0df6f141c0f66d04f2b47eb4cd664ee42ac547a95cee4cb6ebcc961099945bceef200b7d7
- SSDEEP: 196608:mxZjh3n0Pf+7Ci1IJcdw0bxT8YPqECdyCDgrdgk+P7YliG5klP:mbjhQwCi1F1Y2qEo6rd343
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process
2264 MsiExec.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) by msiexec.exe, 46 entries: every drive letter from \??\A: to \??\Z: except \??\C:, \??\D: and \??\F: (23 letters), each opened twice. Order as recorded: N, Q, L, R, E, H, K, H, O, B, P, W, A, I, Y, U, B, Q, T, U, X, W, Z, A, E, S, V, R, G, J, O, S, K, P, J, M, T, L, V, X, I, M, N, Z, G, Y.
-
Drops file in Program Files directory 2 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS7739C50674AE48CF991BAB5E35A927FC_5_0_4_1.MSI gj5.exe
File created C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS7739C50674AE48CF991BAB5E35A927FC_5_0_4_1.MSI gj5.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1732 msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token adjustments in the order recorded (the listing stops at 64 entries):
- PID 1732 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
- PID 1072 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
- PID 1732 msiexec.exe, the following 29 privileges, the whole sequence recorded twice in this order: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 1732 msiexec.exe: SeCreateTokenPrivilege (64th and last listed entry)
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
1732 msiexec.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target
- PID 2384 gj5.exe wrote to memory of PID 1732 (procid_target 31): 7 entries
- PID 1072 msiexec.exe wrote to memory of PID 2264 (procid_target 33): 7 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\gj5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\gj5.exe"
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2384
    C:\Windows\SysWOW64\msiexec.exe (child of PID 2384; the command line names System32\msiexec.exe, the image path is the WOW64 redirection of that path for a 32-bit caller)
    Command line: "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS7739C50674AE48CF991BAB5E35A927FC_5_0_4_1.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\gj5.exe"
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1732
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
    C:\Windows\syswow64\MsiExec.exe (child of PID 1072)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DB3C4751DB1BA1A7B6B253A77DA0C9B7 C
    - Loads dropped DLL
    PID:2264
-
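As an added example (not part of the sandbox report or of the sample), the following Python script parses the flattened signature rows and the process list above, transcribed here as constructed input: it collapses the repeated WriteProcessMemory rows into parent/child edges and walks each process back to its root, classifies every msiexec.exe command line by the switch it was started with, extracts the public property passed on the install command line, and summarises which drive letters the "Enumerates connected drives" rows cover. The row regexes and the role labels ("installer service", "custom action server", "package install") are this example's own assumptions about the report's row format, not a documented schema.

```python
"""Rebuild process lineage and IoC summaries from the flattened signature
tables of a sandbox report (input transcribed from the report on this page)."""
import re
from collections import Counter
from pprint import pprint

# --- Constructed input, transcribed from the report above ---------------------
# WriteProcessMemory rows: the sandbox logs one row per write it observed while
# the parent was creating the child, so each parent/child pair repeats.
WPM_ROWS = (
    ["PID 2384 wrote to memory of 1732 2384 gj5.exe 31"] * 7
    + ["PID 1072 wrote to memory of 2264 1072 msiexec.exe 33"] * 7
)

# Process list: pid -> (image path, command line), from the Processes section.
PROCESSES = {
    2384: (r"C:\Users\Admin\AppData\Local\Temp\gj5.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\gj5.exe"'),
    1732: (r"C:\Windows\SysWOW64\msiexec.exe",
           r'"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files'
           r'\Wise Installation Wizard\WIS7739C50674AE48CF991BAB5E35A927FC_5_0_4_1.MSI" '
           r'WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\gj5.exe"'),
    1072: (r"C:\Windows\system32\msiexec.exe",
           r"C:\Windows\system32\msiexec.exe /V"),
    2264: (r"C:\Windows\syswow64\MsiExec.exe",
           r"C:\Windows\syswow64\MsiExec.exe -Embedding DB3C4751DB1BA1A7B6B253A77DA0C9B7 C"),
}

# "Enumerates connected drives" rows, letters in the order the report lists them.
DRIVE_ROWS = [f"File opened (read-only) \\??\\{c}: msiexec.exe"
              for c in "NQLREHKHOBPWAIYUBQTUXWZAESVRGJOSKPJMTLVXIMNZGY"]

# Assumed row formats (this example's regexes, not a documented schema).
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]):")
PROP_RE = re.compile(r'(\w+)="([^"]*)"')


def parent_child_edges(rows):
    """Collapse repeated WriteProcessMemory rows into unique
    (parent_pid, child_pid) -> parent_image edges."""
    edges = {}
    for row in rows:
        m = WPM_RE.fullmatch(row.strip())
        if m:
            parent, child, image, _target_idx = m.groups()
            edges[(int(parent), int(child))] = image
    return edges


def lineage(edges, pid):
    """Walk from pid up to its root ancestor; returns a root-first pid list."""
    parent_of = {child: parent for (parent, child) in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def msiexec_role(cmdline):
    """Classify an msiexec command line by its switch: '/V' is the Windows
    Installer service itself, '-Embedding <GUID>' the COM-activated custom
    action server the service spawns, '/I <pkg>' a client-side package install.
    The labels returned are this example's own."""
    if re.search(r"(?i)\s/V\b", cmdline):
        return "installer service"
    if re.search(r"(?i)\s-Embedding\b", cmdline):
        return "custom action server"
    m = re.search(r'(?i)\s/I\s+"([^"]+)"', cmdline)
    if m:
        return "package install: " + m.group(1)
    return "unknown"


def msi_properties(cmdline):
    """Public properties (NAME="value") passed on an msiexec command line."""
    return dict(PROP_RE.findall(cmdline))


def drive_summary(rows):
    """Count opens per drive letter and list the letters never touched."""
    counts = Counter()
    for row in rows:
        m = DRIVE_RE.search(row)
        if m:
            counts[m.group(1)] += 1
    skipped = sorted(set("ABCDEFGHIJKLMNOPQRSTUVWXYZ") - set(counts))
    return {"opens_per_letter": dict(counts), "skipped": skipped}


def summarize():
    """Tie the signature rows back to the process tree."""
    edges = parent_child_edges(WPM_ROWS)
    return {
        "edges": edges,
        "lineages": {pid: lineage(edges, pid) for pid in PROCESSES},
        "msiexec": {pid: msiexec_role(cmd) for pid, (img, cmd) in PROCESSES.items()
                    if img.lower().endswith("msiexec.exe")},
        "properties": {pid: msi_properties(cmd) for pid, (_, cmd) in PROCESSES.items()},
        "drives": drive_summary(DRIVE_ROWS),
    }


if __name__ == "__main__":
    pprint(summarize())
```

Run stand-alone it prints the two collapsed edges (2384 to 1732, 1072 to 2264), each process's lineage, the role of each msiexec.exe instance, the single WISE_SETUP_EXE_PATH property, and the 23 letters opened twice each with C, D and F skipped. The same functions work on any report that uses these row shapes; adjust the regexes if a different sandbox formats its tables differently.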
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS7739C50674AE48CF991BAB5E35A927FC_5_0_4_1.MSI
Filesize 8.1MB
MD5 be5acfc9caae3e46f4666cc7d4c9a1bc
SHA1 c284754f5f019fb6b507215b65986256e2878f8f
SHA256 d61bd6f33a42d0bc04bf841be5f20a305bb56d4a601a6a0d061af76321610734
SHA512 90c2e707e7c0a6e041b47b9b52bb7ec036f2b1f8c2c50ee07e553a9d73f07f475c8e7c877cbf0457b62dca05b7726c2dc2616a86ed8c7330e707eaa266212baa
-
Filesize 19KB
MD5 a8098832976813ce64b23879f0e5af7e
SHA1 46723c8b825f8828af3e5fb4a92552ee170397cf
SHA256 644700716cb63db1c48ff6ffffdb90d654ca8578c0a30a271c63880145813c73
SHA512 9f21344c09be843d4ee6d9393487107f68a8bb11426490f4cdb1a31c4d924c9a111d5f1e269c0bcedb28833fcafbdb0b9c0b2a491d55cd1250690cac944afbaf