Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
16/08/2024, 21:24
Static task
static1
Behavioral task
behavioral1
Sample
VTRL_2.1.8_x64_en-US.msi
Resource
win7-20240704-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
VTRL_2.1.8_x64_en-US.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
VTRL_2.1.8_x64_en-US.msi
-
Size
3.3MB
-
MD5
782cc6839587559457932619a853681f
-
SHA1
3be67bb5c011d4cc9d893a21021751b8c29ff012
-
SHA256
7ad28e6c71df60dc5c8271e23370a7f8090c09a989286944d0e40ff2cad31ba9
-
SHA512
4dc4c17457410ba9addb222763b683a3de1663bb4d640a06c373b20717f0c7ac934e7f48fb426a7b14a3fce68bd292ac38e1d391727f6132b48e3a736a65b794
-
SSDEEP
98304:rTowL4svUiw2pwngDZMZntWJtvUmpv8m:nzL4ow2KnPZ0vU
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2732 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2732 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeShutdownPrivilege 2732 msiexec.exe Token: SeIncreaseQuotaPrivilege 2732 msiexec.exe Token: SeRestorePrivilege 2740 msiexec.exe Token: SeTakeOwnershipPrivilege 2740 msiexec.exe Token: SeSecurityPrivilege 2740 msiexec.exe Token: SeCreateTokenPrivilege 2732 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2732 msiexec.exe Token: SeLockMemoryPrivilege 2732 msiexec.exe Token: SeIncreaseQuotaPrivilege 2732 msiexec.exe Token: SeMachineAccountPrivilege 2732 msiexec.exe Token: SeTcbPrivilege 2732 msiexec.exe Token: SeSecurityPrivilege 2732 msiexec.exe Token: SeTakeOwnershipPrivilege 2732 msiexec.exe Token: SeLoadDriverPrivilege 2732 msiexec.exe Token: SeSystemProfilePrivilege 2732 msiexec.exe Token: SeSystemtimePrivilege 2732 msiexec.exe Token: SeProfSingleProcessPrivilege 2732 msiexec.exe Token: SeIncBasePriorityPrivilege 2732 msiexec.exe Token: SeCreatePagefilePrivilege 2732 msiexec.exe Token: SeCreatePermanentPrivilege 2732 msiexec.exe Token: SeBackupPrivilege 2732 msiexec.exe Token: SeRestorePrivilege 2732 msiexec.exe Token: SeShutdownPrivilege 2732 msiexec.exe Token: SeDebugPrivilege 2732 msiexec.exe Token: SeAuditPrivilege 2732 msiexec.exe Token: SeSystemEnvironmentPrivilege 2732 msiexec.exe Token: SeChangeNotifyPrivilege 2732 msiexec.exe Token: SeRemoteShutdownPrivilege 2732 msiexec.exe Token: SeUndockPrivilege 2732 msiexec.exe Token: SeSyncAgentPrivilege 2732 msiexec.exe Token: SeEnableDelegationPrivilege 2732 msiexec.exe Token: SeManageVolumePrivilege 2732 msiexec.exe Token: SeImpersonatePrivilege 2732 msiexec.exe Token: SeCreateGlobalPrivilege 2732 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2732 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VTRL_2.1.8_x64_en-US.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2732
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740