Analysis
max time kernel: 290s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/11/2024, 07:49

Static task: static1

Behavioral task: behavioral1
Sample: 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe
Resource: win10v2004-20241007-en
General
Target: 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe
Size: 210.1MB
MD5: 88522a49bbbe8fa508d805bffcbf55f9
SHA1: 52ea90f5ef64019de5967e7e29656a8b8694f684
SHA256: 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606
SHA512: 362f93bf28fec5f991859affebfbf185bd29ae70a3cd21f711d18d420c4722750848d2cee27ce169c3537d6bee5f3aaa69fe78784d48d7cbefdcb745c9df0993
SSDEEP: 3145728:cQmmTrU4zKydLCpTx93/jkwLFNL7+drKngCrGv3v0oA3yS22NsJ80JABcqh:pmAzzKygp19/jJ+dOIfdA3y0sJ8Cax
Malware Config
Signatures

Executes dropped EXE 1 IoCs
pid Process
1892 setup.exe

Loads dropped DLL 9 IoCs
pid Process
1952 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe
1892 setup.exe
1816 MsiExec.exe
1892 setup.exe
1816 MsiExec.exe
1816 MsiExec.exe
1816 MsiExec.exe
1816 MsiExec.exe
1816 MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\E: setup.exe
File opened (read-only) \??\P: setup.exe
File opened (read-only) \??\V: setup.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\Y: setup.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\I: setup.exe
File opened (read-only) \??\X: setup.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\A: setup.exe
File opened (read-only) \??\G: setup.exe
File opened (read-only) \??\Z: setup.exe
File opened (read-only) \??\Q: setup.exe
File opened (read-only) \??\U: setup.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\H: setup.exe
File opened (read-only) \??\J: setup.exe
File opened (read-only) \??\L: setup.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\O: setup.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\B: setup.exe
File opened (read-only) \??\M: setup.exe
File opened (read-only) \??\T: setup.exe
File opened (read-only) \??\S: setup.exe
File opened (read-only) \??\W: setup.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\K: setup.exe
File opened (read-only) \??\N: setup.exe
File opened (read-only) \??\R: setup.exe

resource yara_rule
behavioral1/files/0x000400000001d3d7-244.dat upx
behavioral1/memory/1952-247-0x00000000109E0000-0x0000000010EE4000-memory.dmp upx
behavioral1/memory/1892-249-0x0000000000400000-0x0000000000904000-memory.dmp upx
behavioral1/memory/1892-307-0x0000000000400000-0x0000000000904000-memory.dmp upx
behavioral1/memory/1892-318-0x0000000000400000-0x0000000000904000-memory.dmp upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1892 setup.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeRestorePrivilege 1716 msiexec.exe
Token: SeTakeOwnershipPrivilege 1716 msiexec.exe
Token: SeSecurityPrivilege 1716 msiexec.exe
Token: SeCreateTokenPrivilege 1892 setup.exe
Token: SeAssignPrimaryTokenPrivilege 1892 setup.exe
Token: SeLockMemoryPrivilege 1892 setup.exe
Token: SeIncreaseQuotaPrivilege 1892 setup.exe
Token: SeMachineAccountPrivilege 1892 setup.exe
Token: SeTcbPrivilege 1892 setup.exe
Token: SeSecurityPrivilege 1892 setup.exe
Token: SeTakeOwnershipPrivilege 1892 setup.exe
Token: SeLoadDriverPrivilege 1892 setup.exe
Token: SeSystemProfilePrivilege 1892 setup.exe
Token: SeSystemtimePrivilege 1892 setup.exe
Token: SeProfSingleProcessPrivilege 1892 setup.exe
Token: SeIncBasePriorityPrivilege 1892 setup.exe
Token: SeCreatePagefilePrivilege 1892 setup.exe
Token: SeCreatePermanentPrivilege 1892 setup.exe
Token: SeBackupPrivilege 1892 setup.exe
Token: SeRestorePrivilege 1892 setup.exe
Token: SeShutdownPrivilege 1892 setup.exe
Token: SeDebugPrivilege 1892 setup.exe
Token: SeAuditPrivilege 1892 setup.exe
Token: SeSystemEnvironmentPrivilege 1892 setup.exe
Token: SeChangeNotifyPrivilege 1892 setup.exe
Token: SeRemoteShutdownPrivilege 1892 setup.exe
Token: SeUndockPrivilege 1892 setup.exe
Token: SeSyncAgentPrivilege 1892 setup.exe
Token: SeEnableDelegationPrivilege 1892 setup.exe
Token: SeManageVolumePrivilege 1892 setup.exe
Token: SeImpersonatePrivilege 1892 setup.exe
Token: SeCreateGlobalPrivilege 1892 setup.exe
Token: SeCreateTokenPrivilege 1892 setup.exe
Token: SeAssignPrimaryTokenPrivilege 1892 setup.exe
Token: SeLockMemoryPrivilege 1892 setup.exe
Token: SeIncreaseQuotaPrivilege 1892 setup.exe
Token: SeMachineAccountPrivilege 1892 setup.exe
Token: SeTcbPrivilege 1892 setup.exe
Token: SeSecurityPrivilege 1892 setup.exe
Token: SeTakeOwnershipPrivilege 1892 setup.exe
Token: SeLoadDriverPrivilege 1892 setup.exe
Token: SeSystemProfilePrivilege 1892 setup.exe
Token: SeSystemtimePrivilege 1892 setup.exe
Token: SeProfSingleProcessPrivilege 1892 setup.exe
Token: SeIncBasePriorityPrivilege 1892 setup.exe
Token: SeCreatePagefilePrivilege 1892 setup.exe
Token: SeCreatePermanentPrivilege 1892 setup.exe
Token: SeBackupPrivilege 1892 setup.exe
Token: SeRestorePrivilege 1892 setup.exe
Token: SeShutdownPrivilege 1892 setup.exe
Token: SeDebugPrivilege 1892 setup.exe
Token: SeAuditPrivilege 1892 setup.exe
Token: SeSystemEnvironmentPrivilege 1892 setup.exe
Token: SeChangeNotifyPrivilege 1892 setup.exe
Token: SeRemoteShutdownPrivilege 1892 setup.exe
Token: SeUndockPrivilege 1892 setup.exe
Token: SeSyncAgentPrivilege 1892 setup.exe
Token: SeEnableDelegationPrivilege 1892 setup.exe
Token: SeManageVolumePrivilege 1892 setup.exe
Token: SeImpersonatePrivilege 1892 setup.exe
Token: SeCreateGlobalPrivilege 1892 setup.exe
Token: SeCreateTokenPrivilege 1892 setup.exe
Token: SeAssignPrimaryTokenPrivilege 1892 setup.exe
Token: SeLockMemoryPrivilege 1892 setup.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
1892 setup.exe
1892 setup.exe
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target
PID 1952 wrote to memory of 1892 1952 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe 31
PID 1952 wrote to memory of 1892 1952 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe 31
PID 1952 wrote to memory of 1892 1952 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe 31
PID 1952 wrote to memory of 1892 1952 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe 31
PID 1952 wrote to memory of 1892 1952 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe 31
PID 1952 wrote to memory of 1892 1952 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe 31
PID 1952 wrote to memory of 1892 1952 788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe 31
PID 1716 wrote to memory of 1816 1716 msiexec.exe 33
PID 1716 wrote to memory of 1816 1716 msiexec.exe 33
PID 1716 wrote to memory of 1816 1716 msiexec.exe 33
PID 1716 wrote to memory of 1816 1716 msiexec.exe 33
PID 1716 wrote to memory of 1816 1716 msiexec.exe 33
PID 1716 wrote to memory of 1816 1716 msiexec.exe 33
PID 1716 wrote to memory of 1816 1716 msiexec.exe 33
Processes

C:\Users\Admin\AppData\Local\Temp\788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\788ef6c03b347c7bf72c5c6a207ac6f362812fe728bd579b7645bc92aca4b606.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1952

  C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.exe (level 2)
    Command line: "C:\National Instruments Downloads\LabVIEW\2011f3\Run-Time Engine\Standard\setup.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 1892

C:\Windows\system32\msiexec.exe (level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1716

  C:\Windows\syswow64\MsiExec.exe (level 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9629A863C0F0814D711B51207181FC54 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1816
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.8MB
MD5: c5ff3a28e9fbb505ad7087246ce975eb
SHA1: 945d82d257d2de5349b5e553602ac34e282d4c22
SHA256: 97b1c44a59b9cd60513c61b55d977e0391fdde2c5cc21b9ff9ed75f8c390f749
SHA512: 39c8cbd9b6ed3a192f36279c2791c6b0bd3556eeca3c5c7ebfb5b2f7da7a87cc5667691d59b4a8aae323c1abb136442979cab791ef3d00e1329cb5d6dea8d23e

Filesize: 56KB
MD5: 97afaced2dff1b0487363ccf1fb4bfe1
SHA1: 61f747d8c5147e65b4d9ba8bef83f6a6b3b58af6
SHA256: 0b0aa8c40d51e2acf41df41af876cf31524a8f104575889fe6f6be8e004a1eb4
SHA512: 1c8d2dfbbe60c1f2a02c4c7b99e1c313b088f3c5afdfc6ae12860d554df7adaf5e731efd987eb2a2ac3a7e7413fe04ac932bf90ba064343a5d6ffa55949ea3ad

Filesize: 333B
MD5: 827fcdd358f6462a79a6c37e1e41e81e
SHA1: 87137a04590291875615a93be67bd60062d3d888
SHA256: 6765d23f5f954ff107d8dc773ae331090588fc63140aa9354e1c0462d3387ab5
SHA512: 1b071bc763449291ea0ae2107e477ab98d8e5b90440a8f982fc2f3edabc7707a2970b8e3de336e92aac7992ac544fa699ae73bdbebc1d5bf9150d80b9cf1cd5a

Filesize: 16KB
MD5: aea7cf8eeca111976ff8cb44209dbb8f
SHA1: 94a8d39b2f4b14a338cf190d8327b723431ade6e
SHA256: ed4c7e6ae15a8b93af2761309a645f24bc5cbc1d4f02134fc056ddde0c7f3dae
SHA512: c85f57173d4196c32668470d4f165b118f7424f88b95a7efd01a9c4fbac435bed426a7f779f5ad68a664d6e4629b5564e0f0ef5fda5d9434c6b9a81bbbcdfb66

Filesize: 722B
MD5: ab99fb1815b2928ac8e532d9b791eb96
SHA1: 1148fa5977f6d5e0942ebd9e47e6e88a14917453
SHA256: 9a2990334e9c4e461611b3a2e6fefe323ad3ecc40e1a3d9c55cacdabae57c8a0
SHA512: e68bd58025a37b9f6bbe35763dc86f782c73f92800935099dc9c87904426c3f83ffdcf1b1f8f5edc916ab1facb3995ffc47f55682185e2585d6d22ef2476ee9c

Filesize: 487KB
MD5: 9094fea68e41f237d278e4b3e1132981
SHA1: 5a79ff5c25f1b7e8fbf213eb9a8cbd2c59feb264
SHA256: 11c4e79b10270ecfb63c66f77db9475b1280c7e0e22758e03870dd5448bf69af
SHA512: ebdc71f0acbb349beed86d0b37c6c17b1db6ab2a9f53d2a318f8e4bc93de3ceba8674a96ea2648baac6e1f3cbc2036ff74d0c10318b77ded464cf2b0668c7e94

Filesize: 84KB
MD5: d1f4520539c80392ea62588ac7ae9cd9
SHA1: 5ab039ead6a8b58099d970f002ea7e47342958bd
SHA256: 178cad1dc2cae7272c8b4157dda657c1e6cf5880a964a28846de0ed7a428d1df
SHA512: cba04e16e3a00b7e9ca208f5599bcced93d43f46461bd85d96cc02abd7d0429fb1a0d5f41c4f3577a425956867922f455792fa0b50818e84619b523dc582df8c

Filesize: 1024KB
MD5: d28312bfe5f05b1bae9d23c942c5cd74
SHA1: d7598ad7dd48a298cd362420e06da01a19f1ef83
SHA256: 4f3e5eefb71f9bd951147dd9c73a0aaa731b35b9a76e79aa76e990dcb7e99e72
SHA512: d30ad99f36d57070410dfca2a1c807fc09450940db28f80101f8e0f53d6c475653f82c7c40c08f05f1a39fc669945960b20ad4e9129283da93e73bdee81b24ae

Filesize: 4.7MB
MD5: 1bbc24e1d2b489ea8bc89dd022d267f3
SHA1: 10e8e374d1b7474286a469d3dc145e48e62d9219
SHA256: 93a57b53e469bb8763d799fdeddd8524dd7f38e91c6d894d41d6f17d45c9d076
SHA512: d8ee0f23907d5b4e3f0d1d7bea7f0417fe3dd0e42ab1517d8ae3886e78e3941d0e4bdd957cc5e9d329ee5a280f5764844a42744d2165165211c2c655773f5869

Filesize: 1.9MB
MD5: 2c1ec8342660c4516737ed7433cd1896
SHA1: 470205b85a7b38f3d1aba86885ee5a3188ead27e
SHA256: d790183c10d4a5ad277a45a897e7540b2ed9bfbd1de4c0babef08fe612fc6beb
SHA512: a8bdabfaed3bf6dbb578688988827343ce240ff9435d36502c2ebef0405581c23ea39675991b59e66a6386ec401d0e39c600d01c5da0c1afe9b3af124dc8e91d

Filesize: 1.4MB
MD5: 6de87d67c9f9ef771bbdaa5965338ff5
SHA1: 8957352035000b00a15b2a281f4b10c621b5c5b9
SHA256: 263978af3bd48ced50846e300e1770db0e77fc86c41648bec341b89eaa2f453d
SHA512: f41773dd11b5f9bd3ceccc541ae06dfb8c0c953b9e790e7ef9ca1b607680e96c0d83a466fc48c38ce4f4fe8e225a3106b40a97169d50031397fd73e0e4e3d2e9

Filesize: 43KB
MD5: 1794273d68c05960f9f63c1d3161ff46
SHA1: 93a30b99c20c9c5d3098af33a9d1e39a3a7d2632
SHA256: 0e98183cb6b3e86f856cee579304cd71121a37b184386bed89e73157cbaa9aa9
SHA512: ed1cc815d8dd4b4d16e2b6aa65385c51853aea3ac6212f096abbc5461571693d4158db49ef20c5d5c3e18aff54e70812cd35d195d0e41517f421a1e1853d14bb