Analysis
-
max time kernel
136s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11/08/2024, 20:42
Static task
static1
Behavioral task
behavioral1
Sample
Wallet.msi
Resource
win7-20240704-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
Wallet.msi
Resource
win10-20240404-en
windows10-1703-x64
10 signatures
150 seconds
Behavioral task
behavioral3
Sample
Wallet.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
10 signatures
150 seconds
Behavioral task
behavioral4
Sample
Wallet.msi
Resource
win11-20240802-en
windows11-21h2-x64
10 signatures
150 seconds
General
-
Target
Wallet.msi
-
Size
1.6MB
-
MD5
232855725fdfa00b59e7c0066942b7ff
-
SHA1
f08533026efd8080a83343efcd88521a4b5068fa
-
SHA256
db6132529852ea5707bfdd46195ac03e589eeb59ae12ac54e170b50a4ae0b3e6
-
SHA512
3cb4acc32627f46c89061e0ef7f530c1d780d29d8a4dd67ee6ad7dbfb0e58406da490c7700aafdde63d7af61ac536b5daca8af69dc736e1cff4226f03c48bc2d
-
SSDEEP
49152:pWJ3+JA3iD1Vwt0Cay8NwXKO15sUXOwz2oTw/B:pWJ8A3Ost0CfZXT1ZO2w/
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Installer\e57c9d8.msi msiexec.exe File opened for modification C:\Windows\Installer\e57c9d8.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSICA16.tmp msiexec.exe -
Loads dropped DLL 1 IoCs
pid Process 2704 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 4920 msiexec.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3228 2704 WerFault.exe 89 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3800 msiexec.exe 3800 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeShutdownPrivilege 4920 msiexec.exe Token: SeIncreaseQuotaPrivilege 4920 msiexec.exe Token: SeSecurityPrivilege 3800 msiexec.exe Token: SeCreateTokenPrivilege 4920 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4920 msiexec.exe Token: SeLockMemoryPrivilege 4920 msiexec.exe Token: SeIncreaseQuotaPrivilege 4920 msiexec.exe Token: SeMachineAccountPrivilege 4920 msiexec.exe Token: SeTcbPrivilege 4920 msiexec.exe Token: SeSecurityPrivilege 4920 msiexec.exe Token: SeTakeOwnershipPrivilege 4920 msiexec.exe Token: SeLoadDriverPrivilege 4920 msiexec.exe Token: SeSystemProfilePrivilege 4920 msiexec.exe Token: SeSystemtimePrivilege 4920 msiexec.exe Token: SeProfSingleProcessPrivilege 4920 msiexec.exe Token: SeIncBasePriorityPrivilege 4920 msiexec.exe Token: SeCreatePagefilePrivilege 4920 msiexec.exe Token: SeCreatePermanentPrivilege 4920 msiexec.exe Token: SeBackupPrivilege 4920 msiexec.exe Token: SeRestorePrivilege 4920 msiexec.exe Token: SeShutdownPrivilege 4920 msiexec.exe Token: SeDebugPrivilege 4920 msiexec.exe Token: SeAuditPrivilege 4920 msiexec.exe Token: SeSystemEnvironmentPrivilege 4920 msiexec.exe Token: SeChangeNotifyPrivilege 4920 msiexec.exe Token: SeRemoteShutdownPrivilege 4920 msiexec.exe Token: SeUndockPrivilege 4920 msiexec.exe Token: SeSyncAgentPrivilege 4920 msiexec.exe Token: SeEnableDelegationPrivilege 4920 msiexec.exe Token: SeManageVolumePrivilege 4920 msiexec.exe Token: SeImpersonatePrivilege 4920 msiexec.exe Token: SeCreateGlobalPrivilege 4920 msiexec.exe Token: SeRestorePrivilege 3800 msiexec.exe Token: SeTakeOwnershipPrivilege 3800 msiexec.exe Token: SeRestorePrivilege 3800 msiexec.exe Token: SeTakeOwnershipPrivilege 3800 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4920 msiexec.exe 4920 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3800 wrote to memory of 2704 3800 msiexec.exe 89 PID 3800 wrote to memory of 2704 3800 msiexec.exe 89 PID 3800 wrote to memory of 2704 3800 msiexec.exe 89
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Wallet.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4920
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3888406D1F634BABD4D165BD34F798EA2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 10723⤵
- Program crash
PID:3228
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2704 -ip 27041⤵PID:4064
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5e93fc74b28319ecb5ca6fd8756fcbe33
SHA1781b74da8a681a41b4e8a1a300f8f5dcf2088789
SHA256664a6383e229551f56429d648aa81791174579c6918ed373e206087a859e3951
SHA512899e7b81645778f6bf57c0195e4e06f74f62494287f1c5e7ee96b9317a7768d10e5c62dccaab426735d528d49ad6cf6d26993ae2aa5e4cd6bb5caba96c232e53