Analysis
-
max time kernel
134s -
max time network
138s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
11/08/2024, 20:42
Static task
static1
Behavioral task
behavioral1
Sample
Wallet.msi
Resource
win7-20240704-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
Wallet.msi
Resource
win10-20240404-en
windows10-1703-x64
10 signatures
150 seconds
Behavioral task
behavioral3
Sample
Wallet.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
10 signatures
150 seconds
Behavioral task
behavioral4
Sample
Wallet.msi
Resource
win11-20240802-en
windows11-21h2-x64
10 signatures
150 seconds
General
-
Target
Wallet.msi
-
Size
1.6MB
-
MD5
232855725fdfa00b59e7c0066942b7ff
-
SHA1
f08533026efd8080a83343efcd88521a4b5068fa
-
SHA256
db6132529852ea5707bfdd46195ac03e589eeb59ae12ac54e170b50a4ae0b3e6
-
SHA512
3cb4acc32627f46c89061e0ef7f530c1d780d29d8a4dd67ee6ad7dbfb0e58406da490c7700aafdde63d7af61ac536b5daca8af69dc736e1cff4226f03c48bc2d
-
SSDEEP
49152:pWJ3+JA3iD1Vwt0Cay8NwXKO15sUXOwz2oTw/B:pWJ8A3Ost0CfZXT1ZO2w/
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Installer\e576f63.msi msiexec.exe File opened for modification C:\Windows\Installer\e576f63.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI6FA2.tmp msiexec.exe -
Loads dropped DLL 1 IoCs
pid Process 2408 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 3080 msiexec.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1556 2408 WerFault.exe 75 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4664 msiexec.exe 4664 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeShutdownPrivilege 3080 msiexec.exe Token: SeIncreaseQuotaPrivilege 3080 msiexec.exe Token: SeSecurityPrivilege 4664 msiexec.exe Token: SeCreateTokenPrivilege 3080 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3080 msiexec.exe Token: SeLockMemoryPrivilege 3080 msiexec.exe Token: SeIncreaseQuotaPrivilege 3080 msiexec.exe Token: SeMachineAccountPrivilege 3080 msiexec.exe Token: SeTcbPrivilege 3080 msiexec.exe Token: SeSecurityPrivilege 3080 msiexec.exe Token: SeTakeOwnershipPrivilege 3080 msiexec.exe Token: SeLoadDriverPrivilege 3080 msiexec.exe Token: SeSystemProfilePrivilege 3080 msiexec.exe Token: SeSystemtimePrivilege 3080 msiexec.exe Token: SeProfSingleProcessPrivilege 3080 msiexec.exe Token: SeIncBasePriorityPrivilege 3080 msiexec.exe Token: SeCreatePagefilePrivilege 3080 msiexec.exe Token: SeCreatePermanentPrivilege 3080 msiexec.exe Token: SeBackupPrivilege 3080 msiexec.exe Token: SeRestorePrivilege 3080 msiexec.exe Token: SeShutdownPrivilege 3080 msiexec.exe Token: SeDebugPrivilege 3080 msiexec.exe Token: SeAuditPrivilege 3080 msiexec.exe Token: SeSystemEnvironmentPrivilege 3080 msiexec.exe Token: SeChangeNotifyPrivilege 3080 msiexec.exe Token: SeRemoteShutdownPrivilege 3080 msiexec.exe Token: SeUndockPrivilege 3080 msiexec.exe Token: SeSyncAgentPrivilege 3080 msiexec.exe Token: SeEnableDelegationPrivilege 3080 msiexec.exe Token: SeManageVolumePrivilege 3080 msiexec.exe Token: SeImpersonatePrivilege 3080 msiexec.exe Token: SeCreateGlobalPrivilege 3080 msiexec.exe Token: SeRestorePrivilege 4664 msiexec.exe Token: SeTakeOwnershipPrivilege 4664 msiexec.exe Token: SeRestorePrivilege 4664 msiexec.exe Token: SeTakeOwnershipPrivilege 4664 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3080 msiexec.exe 3080 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4664 wrote to memory of 2408 4664 msiexec.exe 75 PID 4664 wrote to memory of 2408 4664 msiexec.exe 75 PID 4664 wrote to memory of 2408 4664 msiexec.exe 75
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Wallet.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3080
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5C11361618A8CF670B8741D39493A8A12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 10603⤵
- Program crash
PID:1556
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5e93fc74b28319ecb5ca6fd8756fcbe33
SHA1781b74da8a681a41b4e8a1a300f8f5dcf2088789
SHA256664a6383e229551f56429d648aa81791174579c6918ed373e206087a859e3951
SHA512899e7b81645778f6bf57c0195e4e06f74f62494287f1c5e7ee96b9317a7768d10e5c62dccaab426735d528d49ad6cf6d26993ae2aa5e4cd6bb5caba96c232e53