Analysis
- Max time kernel: 67s
- Max time network: 19s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 07/09/2024, 15:26
Static task
- static1
Behavioral tasks
- behavioral1: sample v6.15.8_installer_x64_.zip, resource win7-20240903-en
- behavioral2: sample v6.15.8_installer_x64_.zip, resource win10v2004-20240802-en
- behavioral3: sample Repository/dnsclientcim.dll, resource win10v2004-20240802-en
- behavioral4: sample Repository/dnsclientpsprovider.dll, resource win10v2004-20240802-en
- behavioral5: sample Repository/dsprov.dll, resource win10v2004-20240802-en
- behavioral6: sample SR/spsrx.dll, resource win10v2004-20240802-en
- behavioral7: sample SR/srloc.dll, resource win10v2004-20240802-en
- behavioral8: sample SpeechUX/SpeechUXPS.dll, resource win10v2004-20240802-en
- behavioral9: sample SpeechUX/sapi.dll, resource win10v2004-20240802-en
- behavioral10: sample SpeechUX/speechuxcpl.dll, resource win10v2004-20240802-en
- behavioral11: sample TTS/MSTTSLoc.dll, resource win10v2004-20240802-en
- behavioral12: sample UMDF/EhStorPwdDrv.dll, resource win10v2004-20240802-en
- behavioral13: sample UMDF/HidTelephony.dll, resource win10v2004-20240802-en
- behavioral14: sample UMDF/IddCx.dll, resource win10v2004-20240802-en
- behavioral15: sample UMDF/Microsoft.Bluetooth.Profiles.HidOverGatt.dll, resource win10v2004-20240802-en
- behavioral16: sample UMDF/NfcCx.dll, resource win10v2004-20240802-en
- behavioral17: sample app__v6.15.8_t.msi, resource win7-20240903-en
- behavioral18: sample app__v6.15.8_t.msi, resource win10v2004-20240802-en
General
- Target: app__v6.15.8_t.msi
- Size: 53.7MB
- MD5: e3671d6b5053d72b6049e6c399c46261
- SHA1: 7ee4351eb77b79091a67f3ca36702fe6a8b25be7
- SHA256: 714d68a959d01d13753f84f5e8cc6de7ad137d000dabf17691180ad7de2032c1
- SHA512: 7e250d1e89033e3587d22d2a99677d7a9e8302459eb1b66f569fb6a7ba07d4045746c08e2f33cc447ff918629a6a9f6f8c644101b893b4cad44d06fdcd142825
- SSDEEP: 1572864:Pp+Ty2SfWnHDk8FjVbfzPTq4W+Rqs7cPdT7NY0XQI:a/0WnHDkkjBPTq4vwPdT7N
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (7 IoCs)
- File opened for modification: C:\Windows\Installer\MSIA2F4.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIA42D.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIA547.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIA6AF.tmp (msiexec.exe)
- File created: C:\Windows\Installer\f779f6b.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f779f6b.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIA093.tmp (msiexec.exe)
Loads dropped DLL (5 IoCs)
- PID 2908 MsiExec.exe (five entries)
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
- PID 2136 msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
- Token: SeShutdownPrivilege, PID 2136, msiexec.exe
- Token: SeIncreaseQuotaPrivilege, PID 2136, msiexec.exe
- Token: SeRestorePrivilege, PID 2144, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 2144, msiexec.exe
- Token: SeSecurityPrivilege, PID 2144, msiexec.exe
- Token: SeCreateTokenPrivilege, PID 2136, msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege, PID 2136, msiexec.exe
- Token: SeLockMemoryPrivilege, PID 2136, msiexec.exe
- Token: SeIncreaseQuotaPrivilege, PID 2136, msiexec.exe
- Token: SeMachineAccountPrivilege, PID 2136, msiexec.exe
- Token: SeTcbPrivilege, PID 2136, msiexec.exe
- Token: SeSecurityPrivilege, PID 2136, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 2136, msiexec.exe
- Token: SeLoadDriverPrivilege, PID 2136, msiexec.exe
- Token: SeSystemProfilePrivilege, PID 2136, msiexec.exe
- Token: SeSystemtimePrivilege, PID 2136, msiexec.exe
- Token: SeProfSingleProcessPrivilege, PID 2136, msiexec.exe
- Token: SeIncBasePriorityPrivilege, PID 2136, msiexec.exe
- Token: SeCreatePagefilePrivilege, PID 2136, msiexec.exe
- Token: SeCreatePermanentPrivilege, PID 2136, msiexec.exe
- Token: SeBackupPrivilege, PID 2136, msiexec.exe
- Token: SeRestorePrivilege, PID 2136, msiexec.exe
- Token: SeShutdownPrivilege, PID 2136, msiexec.exe
- Token: SeDebugPrivilege, PID 2136, msiexec.exe
- Token: SeAuditPrivilege, PID 2136, msiexec.exe
- Token: SeSystemEnvironmentPrivilege, PID 2136, msiexec.exe
- Token: SeChangeNotifyPrivilege, PID 2136, msiexec.exe
- Token: SeRemoteShutdownPrivilege, PID 2136, msiexec.exe
- Token: SeUndockPrivilege, PID 2136, msiexec.exe
- Token: SeSyncAgentPrivilege, PID 2136, msiexec.exe
- Token: SeEnableDelegationPrivilege, PID 2136, msiexec.exe
- Token: SeManageVolumePrivilege, PID 2136, msiexec.exe
- Token: SeImpersonatePrivilege, PID 2136, msiexec.exe
- Token: SeCreateGlobalPrivilege, PID 2136, msiexec.exe
- Token: SeRestorePrivilege, PID 2144, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 2144, msiexec.exe
- Token: SeRestorePrivilege, PID 2144, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 2144, msiexec.exe
- Token: SeRestorePrivilege, PID 2144, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 2144, msiexec.exe
- Token: SeRestorePrivilege, PID 2144, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 2144, msiexec.exe
- Token: SeRestorePrivilege, PID 2144, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 2144, msiexec.exe
- Token: SeRestorePrivilege, PID 2144, msiexec.exe
- Token: SeTakeOwnershipPrivilege, PID 2144, msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 2136 msiexec.exe (two entries)
Suspicious use of WriteProcessMemory (7 IoCs)
- PID 2144 msiexec.exe wrote to memory of PID 2908 (procid_target 31); seven identical entries
Processes
- C:\Windows\system32\msiexec.exe (PID 2136), command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\app__v6.15.8_t.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2144), command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\syswow64\MsiExec.exe (PID 2908), command line: C:\Windows\syswow64\MsiExec.exe -Embedding 314703A7A44EC927421729382757D0C4
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1, filesize 738KB
  - MD5: b158d8d605571ea47a238df5ab43dfaa
  - SHA1: bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
  - SHA256: ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
  - SHA512: 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
- File 2, filesize 1.1MB
  - MD5: 1a2b237796742c26b11a008d0b175e29
  - SHA1: cfd5affcfb3b6fd407e58dfc7187fad4f186ea18
  - SHA256: 81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730
  - SHA512: 3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5
- File 3, filesize 870KB
  - MD5: 6119e62d8047032a715ba0670fc476c5
  - SHA1: 52e639024460bf111c469e95fb011c07d6fc89e8
  - SHA256: bc31f85266df2cdfdbe22149937105388fa3adc17e3646fa4a167736e819af77
  - SHA512: e7301fa21f01f7f7562b853e9bb246ed051951e3cef152bb0b3558d4863f141edbbc0c4d439c30f51f9997805490f131a5e4cd00872b61ccb08ba9d200f811d8