Analysis
- max time kernel: 144s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 07/11/2024, 22:11
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
  - Resource: win7-20240903-en
General
- Target: 3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
- Size: 9.1MB
- MD5: 308c04f14ff0bff5e554d5975473f5b3
- SHA1: 3e52120b1a88ea5b6a958fa5605c80f3b6b36b19
- SHA256: 3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9
- SHA512: 4fe68d69be8db7185196445e5577e69fb3f7600212e3bad5a51d629a8d5dfd5847a8e3b15532b1cc34465ed27c2c005b1938bf6b9fc6119092910e96bad7a99e
- SSDEEP: 196608:9xNufAVuSI58ehsqy3QP0K5OuTf2EugphAV:9WfuI5qT3Q8YOub2QhAV
Malware Config
Signatures
Loads dropped DLL 3 IoCs
pid   Process
2696  MsiExec.exe
2696  MsiExec.exe
2696  MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); ioc: drive root; Process: as listed. The 46 entries are the same 23 drive letters (every letter A to Z except C, D and F), each probed once by each of two processes:
- 3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- msiexec.exe: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2204  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                      pid   Process
Token: SeRestorePrivilege        2844  msiexec.exe
Token: SeTakeOwnershipPrivilege  2844  msiexec.exe
Token: SeSecurityPrivilege       2844  msiexec.exe
Token: <privilege>               2204  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe, one entry for each of the following 29 privileges, in this order:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
The sample (PID 2204) then repeats the same 29-privilege sequence a second time in full and a third time through SeLockMemoryPrivilege, for 64 entries in total.
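Added example, not part of this report and not the sandbox vendor's detection code: the drive-enumeration, system-language-discovery and AdjustPrivilegeToken heuristics above, re-implemented as detection logic over rows in the same flattened "description ioc Process" shape this report uses. The sample rows, process names and PIDs are constructed; the three-letter threshold and the high-impact privilege set are assumptions chosen for the demonstration.

```python
"""Three of the behavioural heuristics this report fires on, run over
sandbox-style IoC rows: drive-letter enumeration, system-language discovery
via the NLS\\Language registry key, and high-impact privileges enabled
through AdjustTokenPrivileges.

Added example, not the sandbox vendor's code. The row format mirrors the
report's flattened tables; thresholds and the privilege set are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample rows in the shape of the report's signature tables.
# Process names and PIDs are invented; "sample.exe" stands in for the binary.
SAMPLE_ROWS = r"""
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\B: sample.exe
File opened (read-only) \??\O: sample.exe
File opened (read-only) \??\Y: sample.exe
File opened (read-only) \??\P: sample.exe
File opened (read-only) \??\C: notepad.exe
File opened (read-only) \??\D: notepad.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sample.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Token: SeRestorePrivilege 2844 msiexec.exe
Token: SeDebugPrivilege 2204 sample.exe
Token: SeTcbPrivilege 2204 sample.exe
Token: SeDebugPrivilege 2204 sample.exe
Token: SeChangeNotifyPrivilege 2204 sample.exe
"""

FILE_OPEN_RE = re.compile(
    r"^File opened \((?P<mode>[^)]+)\) \\\?\?\\(?P<drive>[A-Z]): (?P<proc>\S+)$")
KEY_OPEN_RE = re.compile(r"^Key opened (?P<key>\S+) (?P<proc>\S+)$")
TOKEN_RE = re.compile(r"^Token: (?P<priv>Se\w+) (?P<pid>\d+) (?P<proc>\S+)$")

# Privileges that let a process read or act as other security contexts.
# Deliberately short and illustrative, not an authoritative list.
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege",
    "SeImpersonatePrivilege",
}


def parse_rows(text):
    """Split raw rows into (drive, proc), (key, proc) and (priv, pid, proc)."""
    file_opens, key_opens, tokens = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_OPEN_RE.match(line):
            file_opens.append((m["drive"], m["proc"]))
        elif m := KEY_OPEN_RE.match(line):
            key_opens.append((m["key"], m["proc"]))
        elif m := TOKEN_RE.match(line):
            tokens.append((m["priv"], int(m["pid"]), m["proc"]))
    return file_opens, key_opens, tokens


def drive_enumeration_hits(file_opens, min_letters=3, ignore=("C",)):
    """Processes that opened the root of >= min_letters distinct drives other
    than the system drive; returns {process: "letters"}. A single D: probe,
    as for a real optical drive, does not fire."""
    seen = defaultdict(set)
    for drive, proc in file_opens:
        if drive not in ignore:
            seen[proc].add(drive)
    return {p: "".join(sorted(d)) for p, d in seen.items() if len(d) >= min_letters}


def language_discovery_hits(key_opens):
    """Processes that read ...\\Control\\NLS\\Language under any ControlSet."""
    return sorted({proc for key, proc in key_opens
                   if key.lower().endswith(r"\control\nls\language")})


def high_impact_privilege_hits(tokens):
    """Per (pid, process), the deduplicated high-impact privileges enabled.
    AdjustTokenPrivileges can only enable privileges already present in the
    token, so a hit records what was asked for, not a new grant."""
    hits = defaultdict(set)
    for priv, pid, proc in tokens:
        if priv in HIGH_IMPACT:
            hits[(pid, proc)].add(priv)
    return {k: sorted(v) for k, v in hits.items()}


def triage(text):
    """Run all three heuristics over one report's rows."""
    file_opens, key_opens, tokens = parse_rows(text)
    return {
        "drive_enumeration": drive_enumeration_hits(file_opens),
        "language_discovery": language_discovery_hits(key_opens),
        "high_impact_privileges": high_impact_privilege_hits(tokens),
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_ROWS).items():
        print(f"{name}: {result}")
```

Run directly to print the three result sets for the constructed rows. Two caveats the code encodes: the drive-root check ignores C: and needs several distinct letters before it fires, since touching one extra drive is ordinary behaviour; and AdjustTokenPrivileges cannot grant a privilege the calling token does not already hold, so a long Token: list like the one in this report is evidence of what the code requested, not of elevated access obtained.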
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
2204  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
2204  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Suspicious use of WriteProcessMemory 7 IoCs
description                       pid   Process      procid_target
PID 2844 wrote to memory of 2696  2844  msiexec.exe  32
(the same entry is recorded 7 times)
Note: PID 2844 is the Windows Installer service process (msiexec.exe /V) and PID 2696 is the 32-bit custom action server it launched (syswow64\MsiExec.exe -Embedding <GUID>), so these writes are consistent with a parent setting up a child it has just created, not with injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe"
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2204
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2844
  - C:\Windows\syswow64\MsiExec.exe (child of PID 2844)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2EFC99C9C4A4812446F4C7F8DCDFFD6E C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2696
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: d5a55a78cd38f45256807c7851619b7d
  SHA1: 9d8269120d1d096e9ab0192348f3b8f81f5f73d9
  SHA256: be83c8592906fd9651634b0823a2f45abe96aae082674568944c639b5b4a95dc
  SHA512: 959e7410e3006cfef9d14315e8741e34b6e81c4f9160c5d66f3abd77ce72f55f907ab3a0e500780b5c0e0e017e8639f135cc258976b4ab4b9d1aaed6242ce9f1
- Filesize: 12KB
  MD5: 5f6253cff5a8b031bfb3b161079d0d86
  SHA1: 7645b13610583fb67247c74cf5af08ff848079e7
  SHA256: 36d9bab35d1e4b50045bf902f5d42b6f865488c75f6e60fc00a6cd6f69034ab0
  SHA512: d1fdc364bedf931512000fbf05e854d5aceccb48abb9ec49e68476a5dc2907267490290d92acbb267ffb7bdba9b7a1c88f1eb77830cf953443f4624995dabdc3
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 436KB
  MD5: 5788efa607d26332d6d7f5e6a1f6bd6f
  SHA1: e7749843cc3e89bc81649087de4ad44c93d48bc6
  SHA256: 9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d
  SHA512: ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104
- Filesize: 875KB
  MD5: 01ab8034f722cbac50b8bcfc36e5b2e8
  SHA1: b25868af5713e37c398b712f19692edd7db2d858
  SHA256: e5c41b1af4d865b1b4b09a9fcb99a1f6eb2b2a75b148f4390298aff1ea348689
  SHA512: 25e24e4d691b1fecc6991997ace400682bb812d48374f95a14e21a9045d7905f4630f4672e88b41afd7933b11fb81c10935e49aba337b15924cfc7e814ca2558
- Filesize: 575KB
  MD5: 8c1a778e0754301c97a660dbf3e8303b
  SHA1: f489c45cde796de0d23ee862948f5e50379dee60
  SHA256: 000b773a448b107cbf3268fea3a0eec388daa71c5f911979c5d21f0cd8d6da54
  SHA512: 010e76ed659f73cc263ce9b2d2635d775b296c10e53ba133fba6aacde02ed409b19f4c4e2ba6df7730ddc8669c818e99773f25854a1916ccf8acf9e459482fea
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 2.8MB
  MD5: e91c8022c878fa58ae6eca30e6f49eda
  SHA1: f2daa2901f12893ef1d2623c1f066ad9252edc48
  SHA256: 243236bb49beaa70cd4a8fba55941597213fc18ab444b8aa992c80f2d5ec05e6
  SHA512: abe25ba5c90a14c622773e257b0b330696985d0182090716ac1e2843dda20e9b19229fc45612e1eead708d17bd9b79615139a31cca072769d3dbd50f7389d55a