Analysis
- max time kernel: 93s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/09/2024, 13:35

Static task
- static1

Behavioral task
- behavioral1
  Sample: micstream-setup-x64.exe
  Resource: win7-20240729-en

Behavioral task
- behavioral2
  Sample: micstream-setup-x64.exe
  Resource: win10v2004-20240802-en
General
- Target: micstream-setup-x64.exe
- Size: 1.1MB
- MD5: a4f86bee27071fba654ca442d52c6a5a
- SHA1: 90f947ecafb26683842765a446e184a84869d36f
- SHA256: 16c665c37bbaf5563de58cb57b97b75bdd5b319db112633728ba41744fa48932
- SHA512: 70d3113d5783b014fdbb66c132c1d7305c616104d7850d8635c1d94f30fd3c8ccb1b6a66e08701713ae6f478a13c83b75f433bbc6cc8add2021e2244a0b85669
- SSDEEP: 24576:Hdppd60FSCOxtwYXIopInNPQTnxx6dIV81tPK:HdppPFSCEt/IopiY5V8zi
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation (process: micstream-setup-x64.exe)

- Loads dropped DLL (2 IoCs)
  PID 1052 MsiExec.exe; PID 1052 MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe, in order of occurrence: \??\I: \??\M: \??\S: \??\V: \??\H: \??\W: \??\Q: \??\U: \??\L: \??\E: \??\G: \??\M: \??\T: \??\Y: \??\H: \??\P: \??\Z: \??\B: \??\J: \??\Z: \??\O: \??\U: \??\Y: \??\S: \??\X: \??\L: \??\V: \??\A: \??\J: \??\N: \??\I: \??\K: \??\X: \??\B: \??\E: \??\R: \??\G: \??\K: \??\R: \??\T: \??\W: \??\O: \??\P: \??\Q: \??\A: \??\N:
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: MsiExec.exe)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process msiexec.exe, PID 4860 unless noted, tokens in order of occurrence: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege (PID 3044), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 4860 msiexec.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 2600 (micstream-setup-x64.exe) wrote to memory of PID 4860 (procid_target 82)
  PID 2600 (micstream-setup-x64.exe) wrote to memory of PID 4860 (procid_target 82)
  PID 3044 (msiexec.exe) wrote to memory of PID 1052 (procid_target 85)
  PID 3044 (msiexec.exe) wrote to memory of PID 1052 (procid_target 85)
  PID 3044 (msiexec.exe) wrote to memory of PID 1052 (procid_target 85)
Processes
- C:\Users\Admin\AppData\Local\Temp\micstream-setup-x64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\micstream-setup-x64.exe"
  PID: 2600
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\msiexec.exe (child of PID 2600)
    Command line: "C:\Windows\system32\msiexec.exe" /package "C:\Users\Admin\AppData\Local\Temp\micstream-setup.msi"
    PID: 4860
    Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3044
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (child of PID 3044)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8BFE3874424ED95D527A53D5C372D5D9 C
    PID: 1052
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 285KB
  MD5: b77a2a2768b9cc78a71bbffb9812b978
  SHA1: b70e27eb446fe1c3bc8ea03dabbee2739a782e04
  SHA256: f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0
  SHA512: a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57
- Filesize: 1.1MB
  MD5: 6d88aee5f872c03a654690c5e56bab10
  SHA1: 20542f43c2478e4bca0d41fa1475c1d8e1d2d0b9
  SHA256: dfe45d904ab74bde2331849eb886010cd920c899cbd68c34bf2ea2f18e4245cf
  SHA512: 5a85a30bed7c89a4c068404c4777ebeb57b58e3bc01c904230ec57eb875df03f1848440ba6486f1fb4d0fd27aefd18cddb2c3426bc645841f1b9bfdddf7eeed7