Analysis

  • max time kernel: 94s
  • max time network: 124s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 24/08/2024, 10:38

General

  • Target: 383ed6c9cdf8590845730198dfde66cd799ec047ca8850cb5ecdfed293fa287c.exe
  • Size: 4.7MB
  • MD5: a0023254d52f0f0ae306eaa788f4d628
  • SHA1: 43c3058f6c9f64bcc7da8f2d8e0a5da0076b4948
  • SHA256: 383ed6c9cdf8590845730198dfde66cd799ec047ca8850cb5ecdfed293fa287c
  • SHA512: 2781abb843a870c1cfa02fd0bbb8603b7885230656284afee8cd1f4ea411f438fbdb6b2e48737e368d6ba51e340af9c07ee66e6811f80b144b3053fd0d231154
  • SSDEEP: 98304:kAs++BUHecpbpx+sborjZGS/mBRjUOarcqQPV76M:kAKBx4px+sNxnaAqQt76M

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 10 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 19 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\383ed6c9cdf8590845730198dfde66cd799ec047ca8850cb5ecdfed293fa287c.exe
    "C:\Users\Admin\AppData\Local\Temp\383ed6c9cdf8590845730198dfde66cd799ec047ca8850cb5ecdfed293fa287c.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Getintopc.com\EXE - Step 3 - Setup_Install 1.0.0\install\A9F990C\GetintoPC-Top-EXE.msi" /quiet /qn AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\383ed6c9cdf8590845730198dfde66cd799ec047ca8850cb5ecdfed293fa287c.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1724255291 " AI_EUIMSI=""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3816
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 16263C50C90C885D1DA8E55F205889BC C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1980
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 368B7DEE0CB1A506C57642F8A7DC4E85
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3920
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C52B4FB77EF93E246D62735E32614843 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pssBC3E.ps1" -propFile "C:\Windows\SystemTemp\msiBC2C.txt" -scriptFile "C:\Windows\SystemTemp\scrBC2D.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scrBC2E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSIB6AE.tmp
    Filesize: 721KB
    MD5: 5a1f2196056c0a06b79a77ae981c7761
    SHA1: a880ae54395658f129e24732800e207ecd0b5603
    SHA256: 52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e
    SHA512: 9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yaooagu0.anb.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Getintopc.com\EXE - Step 3 - Setup_Install 1.0.0\install\A9F990C\GetintoPC-Top-EXE.msi
    Filesize: 3.0MB
    MD5: 412ab643d36494c1bee50fa456bb7e72
    SHA1: 1544c26e54f82b20db4fa794a38d930f5c6c8916
    SHA256: bd0d85ee49dfe1715698bb723f8b451e8a3e95ce8b2191c9d56227f593665218
    SHA512: 1287e3dae4f5740514590056b2d72a082fbc6caf2d25b58c1b6e7c8cead1f5e3a68c662aaaca198277e93e98c87ead1c2a4527f3049dcc1c735f89cd44ca2d9b

  • C:\Users\Admin\AppData\Roaming\Getintopc.com\EXE - Step 3 - Setup_Install 1.0.0\install\A9F990C\LocalAppDataFolder\Updates\WindowsService.exe
    Filesize: 65KB
    MD5: 9ceadcfe7e7535b2088f1fcf3c4b30c7
    SHA1: b5077627fb7b66d6a96f5db213e80c937171d2f9
    SHA256: 5af9e89a7bfcfcae1c75de6acb7194b667d13776b61e79ea8aeab95f0af76bc7
    SHA512: 1e36b9c493ed164784df1cdb198bda6baf2b8e6a53346ae84938ded60e9e627bad1c99a43756a84056c6760178e27643a8437d30db9c5bdc61afffce492fafda

  • C:\Windows\Installer\MSIB961.tmp
    Filesize: 838KB
    MD5: 4a3f6a4023abd6bba56534de47d20017
    SHA1: 02dd888e467143e2e35465d73f39cf3e66afad10
    SHA256: a8dfdc283ad8d4dc6f500ddfab564e79dadae075c0d54784b50e1ca548709b30
    SHA512: 580c7918ef90eb0020901bab645b72bcaf945ceb5bd56c2e7847f229b31a961bc4cd4ca9cb2583db480947ca8a0880b5ae4bd26717217abcacc9754352aaba28

  • C:\Windows\Installer\MSIBA2E.tmp
    Filesize: 206KB
    MD5: 8f2b86dbdb785bf7bccea3a2069a10f4
    SHA1: 20c1b9626bb505d62a00ebb61ece4735a68d915d
    SHA256: ef258d170f3e3605acb90ff7df07d2d39954de8c41305dba1a3d8a2d594e9e4e
    SHA512: 446f840f58e9a3e967421ef791ee646bec027cd0d26dbb65874791080fcc2385dec5bcbb060946a35ba4eec833ee8789b32ea46bd57c996e429baca6352f77fd

  • C:\Windows\Installer\MSIBB39.tmp
    Filesize: 743KB
    MD5: e92be2ea6cbab4b209fdb91999efa600
    SHA1: 3a78425b5d9094945ab20257900da3f05f146465
    SHA256: d5249e4b26c8a396c8d3806e0fd8ba01806520fd546d815cc912e693463c699a
    SHA512: 215f81ac83f64eb3706444d4e018a1f25c09f6bb93432097f5262ee32484cfa1362fb43c91ff12be9611342b6151c09a5381a1dca51ae85beb49e4a9d5edee2c

  • C:\Windows\SystemTemp\pssBC3E.ps1
    Filesize: 6KB
    MD5: 30c30ef2cb47e35101d13402b5661179
    SHA1: 25696b2aab86a9233f19017539e2dd83b2f75d4e
    SHA256: 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
    SHA512: 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

  • C:\Windows\SystemTemp\scrBC2D.ps1
    Filesize: 628B
    MD5: 40b55328de4484462f6c1154013489d8
    SHA1: dd31380ab0327bc6feb2bceb3e996750a52a9b1a
    SHA256: 0980664d6e0eebdc85552ce9f1b951d8ef34225d91aae6dccb82563e74432140
    SHA512: 7b0b38f42f07a755ba6f858f74f0259f92f80555106cbc4c99a11c4279406073296227e264df09e74ef253ec10d8286fd688abe36602ff881ee8ccb7c1058c27

  • memory/2364-61-0x000001DF9D560000-0x000001DF9D582000-memory.dmp
    Filesize: 136KB