Overview
overview
6Static
static
3155�...վ.url
windows7-x64
1155�...վ.url
windows10-2004-x64
1EULA.html
windows7-x64
3EULA.html
windows10-2004-x64
3Lz0/Keygen.exe
windows7-x64
3Lz0/Keygen.exe
windows10-2004-x64
3Readme.html
windows7-x64
3Readme.html
windows10-2004-x64
3Setup.msi
windows7-x64
6Setup.msi
windows10-2004-x64
6Analysis
-
max time kernel
92s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09-09-2024 03:07
Static task
static1
Behavioral task
behavioral1
Sample
155ɫվ.url
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
155ɫվ.url
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
EULA.html
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
EULA.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Lz0/Keygen.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
Lz0/Keygen.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Readme.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
Readme.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Setup.msi
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
Setup.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
Setup.msi
-
Size
7.3MB
-
MD5
560a8e2842ffbdcb9c438ed98c3c7ea2
-
SHA1
ab0ec461c63a755c81fa3a1ccc534205a3292d74
-
SHA256
88c3274ceb62c11ee714fcb93e1e43d15ec00f7d2fef0098f2099143b7c7b4a1
-
SHA512
4f345ff29fb1d7d21ec453e4cf6d1cb58804730ae55eac7372c2ccb3d82faaba42b4158b724b0066c04b39ada94dcfd3c6bffc169148d955e9755e02e938e625
-
SSDEEP
196608:WQLJ4AtkYDsrLGPlpI0NRqw+ArPcqAcF3Ms2g6me:WQLJ4H6srLx0NRqwrPcqZ8fm
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 4 3228 msiexec.exe 6 3228 msiexec.exe 8 3228 msiexec.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 3228 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeShutdownPrivilege 3228 msiexec.exe Token: SeIncreaseQuotaPrivilege 3228 msiexec.exe Token: SeSecurityPrivilege 856 msiexec.exe Token: SeCreateTokenPrivilege 3228 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3228 msiexec.exe Token: SeLockMemoryPrivilege 3228 msiexec.exe Token: SeIncreaseQuotaPrivilege 3228 msiexec.exe Token: SeMachineAccountPrivilege 3228 msiexec.exe Token: SeTcbPrivilege 3228 msiexec.exe Token: SeSecurityPrivilege 3228 msiexec.exe Token: SeTakeOwnershipPrivilege 3228 msiexec.exe Token: SeLoadDriverPrivilege 3228 msiexec.exe Token: SeSystemProfilePrivilege 3228 msiexec.exe Token: SeSystemtimePrivilege 3228 msiexec.exe Token: SeProfSingleProcessPrivilege 3228 msiexec.exe Token: SeIncBasePriorityPrivilege 3228 msiexec.exe Token: SeCreatePagefilePrivilege 3228 msiexec.exe Token: SeCreatePermanentPrivilege 3228 msiexec.exe Token: SeBackupPrivilege 3228 msiexec.exe Token: SeRestorePrivilege 3228 msiexec.exe Token: SeShutdownPrivilege 3228 msiexec.exe Token: SeDebugPrivilege 3228 msiexec.exe Token: SeAuditPrivilege 3228 msiexec.exe Token: SeSystemEnvironmentPrivilege 3228 msiexec.exe Token: SeChangeNotifyPrivilege 3228 msiexec.exe Token: SeRemoteShutdownPrivilege 3228 msiexec.exe Token: SeUndockPrivilege 3228 msiexec.exe Token: SeSyncAgentPrivilege 3228 msiexec.exe Token: SeEnableDelegationPrivilege 3228 msiexec.exe Token: SeManageVolumePrivilege 3228 msiexec.exe Token: SeImpersonatePrivilege 3228 msiexec.exe Token: SeCreateGlobalPrivilege 3228 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3228 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3228
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:856