Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 27/09/2024, 20:47
Static task: static1
Behavioral task behavioral1: sample dsi_setup.exe, resource win7-20240729-en
Behavioral task behavioral2: sample dsi_setup.exe, resource win10v2004-20240802-en
Behavioral task behavioral3: sample 新云软件.url, resource win7-20240903-en
Behavioral task behavioral4: sample 新云软件.url, resource win10v2004-20240802-en
General
Target: dsi_setup.exe
Size: 6.7MB
MD5: af3c653d418aeb74f356f85e8eaeff63
SHA1: bbe6547ab532c0dd6fef81b78603424d5c1fdbf0
SHA256: 6aebd0cdb4c3744cf3cd8215ad20f9e636dd2a084c9fcd05116ed3a7ec8c3f35
SHA512: f74d2b399dcc4dbd90ab0e904ee2aa75c7184cd1685af7073dcb9896b0cfc3ff5b9249a01c757443c9d51f3dd6de580d18e064380b4fb2e391353d314006733a
SSDEEP: 196608:tTnCozblrWqGPRzGMiIvhIpsvL7wpn5hjuJ:NCPqGPRKMFvasvM5h
Malware Config
Signatures

Loads dropped DLL (1 IoC)
  pid 2360, process MsiExec.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (every drive letter except C:, D: and F:, each opened twice; 46 entries in total)

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS8E23204158DA47349262B3FB4D35AB37_3_8.MSI, process dsi_setup.exe
  File opened for modification: C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS8E23204158DA47349262B3FB4D35AB37_3_8.MSI, process dsi_setup.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process dsi_setup.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process msiexec.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process MsiExec.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2688, process msiexec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 2668, process msiexec.exe (3 entries): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  pid 2688, process msiexec.exe (61 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following sequence of 29 tokens twice in a row, followed by one more SeCreateTokenPrivilege: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege

Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2688, process msiexec.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2328 (dsi_setup.exe) wrote to memory of PID 2688, procid_target 30: 7 entries
  PID 2668 (msiexec.exe) wrote to memory of PID 2360, procid_target 32: 7 entries
Processes

C:\Users\Admin\AppData\Local\Temp\dsi_setup.exe (PID 2328)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dsi_setup.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\msiexec.exe (PID 2688, child of PID 2328)
    Command line: "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS8E23204158DA47349262B3FB4D35AB37_3_8.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\dsi_setup.exe"
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2668)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 2360, child of PID 2668)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DCA55C74030EC0D06EA47D2E9181D9DE C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS8E23204158DA47349262B3FB4D35AB37_3_8.MSI
Filesize: 6.7MB
MD5: adc1f85c39c7aa5447f80aa7272251e2
SHA1: 58bff74f9882d8fa30431d7e82d2e89a5bca7f21
SHA256: 1b0c17c887cfcf4553cb6e8889e89b5bbc52302cbd51aa62854610f9c89d5d50
SHA512: c62d742da1fa84fdf3b93101139c754c049d8122a160b47b7150859260b1009d1a9bb18e2ab0be5775f4acdf1c34646f66313836f05fa6e8610769318a780844

Filesize: 123KB
MD5: 246b351c9b333fafd274fb83dd087860
SHA1: 63504c8a0d636938ec842ea17d21391c43db9d2e
SHA256: 56d667605d54fdd13dfc60603050e5076df0abbce818ea4785566412043a1478
SHA512: 96f1b8b8c1f40ffee04885af9b8d96dfc570f2ea4e89a1ed0a8d21803cef3ef20aa3f468034a2389320f7a991df7d85c375113f2c6070ebc5541bc39a68c1bb1