Overview

Tasks (the leading number on each tab is the score badge the sandbox shows for that task):
- Static: 7
- Ability.msi (windows7-x64): 3
- Ability.msi (windows10-2004-x64): 6
- ABMCmn.dll (windows7-x64): 6
- ABMCmn.dll (windows10-2004-x64): 3
- ABViewForms.dll (windows7-x64): 3
- ABViewForms.dll (windows10-2004-x64): 3
- FormCtls.dll (windows7-x64): 3
- FormCtls.dll (windows10-2004-x64): 3
- FormEdit.exe (windows7-x64): 3
- FormEdit.exe (windows10-2004-x64): 1
- Install.exe (windows7-x64): 3
- Install.exe (windows10-2004-x64): 7
- a4w195.dll (windows7-x64): 7
- a4w195.dll (windows10-2004-x64): 3
- acfpdf.dll (windows7-x64): 3
- acfpdf.dll (windows10-2004-x64): 3
- acfpdfu.dll (windows7-x64): 3
- acfpdfu.dll (windows10-2004-x64): 3
- acfpdfui.dll (windows7-x64): 3
- acfpdfui.dll (windows10-2004-x64): 3
- acpdfcrdb.dll (windows7-x64): 3
- acpdfcrdb.dll (windows10-2004-x64): 3
- acpdfcrext.dll (windows7-x64): 3
- acpdfcrext.dll (windows10-2004-x64): 3
- cdintf.dll (windows7-x64): 3
- cdintf.dll (windows10-2004-x64): 3
- ABAnimFX.dll (windows7-x64): 3
- ABAnimFX.dll (windows10-2004-x64): 3
- ABHook.dll (windows7-x64): 3
- ABHook.dll (windows10-2004-x64): 3
- ABImageX.dll (windows7-x64): 3
- ABImageX.dll (windows10-2004-x64): 3
Analysis
- max time kernel: 92s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/08/2024, 21:33
Static task: static1

Behavioral tasks (task: sample, resource):
- behavioral1: Ability.msi, win7-20240705-en
- behavioral2: Ability.msi, win10v2004-20240730-en
- behavioral3: ABMCmn.dll, win7-20240729-en
- behavioral4: ABMCmn.dll, win10v2004-20240730-en
- behavioral5: ABViewForms.dll, win7-20240704-en
- behavioral6: ABViewForms.dll, win10v2004-20240730-en
- behavioral7: FormCtls.dll, win7-20240704-en
- behavioral8: FormCtls.dll, win10v2004-20240730-en
- behavioral9: FormEdit.exe, win7-20240704-en
- behavioral10: FormEdit.exe, win10v2004-20240730-en
- behavioral11: Install.exe, win7-20240705-en
- behavioral12: Install.exe, win10v2004-20240730-en
- behavioral13: a4w195.dll, win7-20240705-en
- behavioral14: a4w195.dll, win10v2004-20240730-en
- behavioral15: acfpdf.dll, win7-20240704-en
- behavioral16: acfpdf.dll, win10v2004-20240730-en
- behavioral17: acfpdfu.dll, win7-20240729-en
- behavioral18: acfpdfu.dll, win10v2004-20240730-en
- behavioral19: acfpdfui.dll, win7-20240704-en
- behavioral20: acfpdfui.dll, win10v2004-20240730-en
- behavioral21: acpdfcrdb.dll, win7-20240704-en
- behavioral22: acpdfcrdb.dll, win10v2004-20240730-en
- behavioral23: acpdfcrext.dll, win7-20240705-en
- behavioral24: acpdfcrext.dll, win10v2004-20240730-en
- behavioral25: cdintf.dll, win7-20240705-en
- behavioral26: cdintf.dll, win10v2004-20240730-en
- behavioral27: ABAnimFX.dll, win7-20240708-en
- behavioral28: ABAnimFX.dll, win10v2004-20240730-en
- behavioral29: ABHook.dll, win7-20240708-en
- behavioral30: ABHook.dll, win10v2004-20240730-en
- behavioral31: ABImageX.dll, win7-20240704-en
- behavioral32: ABImageX.dll, win10v2004-20240730-en
General
- Target: Ability.msi
- Size: 1.1MB
- MD5: e58820ed8d5250b99608423ab08d92aa
- SHA1: f4fe5454e61f3477d87c9b7c3bcc5d311c1a4a41
- SHA256: 4d355fbb17711132a4c8cfa28c52e5defa8b5b98b1f654e9ff1e429c05a4dc6b
- SHA512: fb40a210561c60b07ffeb96eeac4f429253488b11776dda611bacad0432948f77d0082a06c20c2cf5822e4ab811f8b134ffa0b9699d42d660d3c0f114353a776
- SSDEEP: 12288:NEEXd2VZ1WcpyO5GvElQ07nJUQKiJKEEH5WqU4JjVcI:5IPHpyO5GvElzLM53zVcI
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow 2, pid 1796, msiexec.exe
  flow 4, pid 1796, msiexec.exe
  flow 6, pid 1796, msiexec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe, in order: \??\T:, \??\H:, \??\O:, \??\E:, \??\G:, \??\U:, \??\X:, \??\K:, \??\X:, \??\O:, \??\Q:, \??\J:, \??\Z:, \??\B:, \??\H:, \??\Z:, \??\N:, \??\Q:, \??\I:, \??\S:, \??\B:, \??\G:, \??\I:, \??\P:, \??\V:, \??\Y:, \??\V:, \??\W:, \??\R:, \??\A:, \??\L:, \??\R:, \??\T:, \??\W:, \??\A:, \??\L:, \??\P:, \??\U:, \??\Y:, \??\K:, \??\M:, \??\J:, \??\N:, \??\S:, \??\M:, \??\E:
- Loads dropped DLL (1 IoCs)
  pid 1852, MsiExec.exe
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  pid 1796, msiexec.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MsiExec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Tokens adjusted, in order, all by pid 1796 msiexec.exe except where noted: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege (pid 876 msiexec.exe), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 1796, msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 876 wrote to memory of 1852 (pid 876, msiexec.exe, procid_target 88)
  PID 876 wrote to memory of 1852 (pid 876, msiexec.exe, procid_target 88)
  PID 876 wrote to memory of 1852 (pid 876, msiexec.exe, procid_target 88)
Processes
- C:\Windows\system32\msiexec.exe (PID 1796)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Ability.msi
  Signatures: Blocklisted process makes network request; Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 876)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1852, child of PID 876)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9CE541A2C22B2628935907191508B5C3 C
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 120KB
  MD5: b51e6d6cfecc093a35f73c52af38f239
  SHA1: bff035c83ff3043c7d451067bb488df2bda0de7a
  SHA256: 30784ad0a1277620b741b2d234bec44fde766eef2e13f05b2bd9aae177547b4e
  SHA512: 0b9a7e5088ac4fc13774955af93dcd86caa517e416b166fa63566d4cb48996f8630f3e088e4ea1357a78f4072c36eaba7a7eaa057b60018273283c3ecfd05430