Analysis

  • max time kernel
    92s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/08/2024, 21:33

General

  • Target

    Ability.msi

  • Size

    1.1MB

  • MD5

    e58820ed8d5250b99608423ab08d92aa

  • SHA1

    f4fe5454e61f3477d87c9b7c3bcc5d311c1a4a41

  • SHA256

    4d355fbb17711132a4c8cfa28c52e5defa8b5b98b1f654e9ff1e429c05a4dc6b

  • SHA512

    fb40a210561c60b07ffeb96eeac4f429253488b11776dda611bacad0432948f77d0082a06c20c2cf5822e4ab811f8b134ffa0b9699d42d660d3c0f114353a776

  • SSDEEP

    12288:NEEXd2VZ1WcpyO5GvElQ07nJUQKiJKEEH5WqU4JjVcI:5IPHpyO5GvElzLM53zVcI

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Ability.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1796
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 9CE541A2C22B2628935907191508B5C3 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSIB6EC.tmp

    Filesize

    120KB

    MD5

    b51e6d6cfecc093a35f73c52af38f239

    SHA1

    bff035c83ff3043c7d451067bb488df2bda0de7a

    SHA256

    30784ad0a1277620b741b2d234bec44fde766eef2e13f05b2bd9aae177547b4e

    SHA512

    0b9a7e5088ac4fc13774955af93dcd86caa517e416b166fa63566d4cb48996f8630f3e088e4ea1357a78f4072c36eaba7a7eaa057b60018273283c3ecfd05430