Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
17-11-2024 09:46
Static task
static1
Behavioral task
behavioral1
Sample
LauncherPred8.3.37Stablesetup.msi
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
LauncherPred8.3.37Stablesetup.msi
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
LauncherPred8.3.37Stablesetup.msi
Resource
win11-20241007-en
General
-
Target
LauncherPred8.3.37Stablesetup.msi
-
Size
11.4MB
-
MD5
c628123d2539f5ae51b37a06bd179fc7
-
SHA1
139dfe6164e7c6ba6e2360673cf75801fd2add36
-
SHA256
f5dfa6b5d19d9334c69d24dd98f13cb30badacb6403b03afc47af4e267cbe0c2
-
SHA512
3cc3af8065b138719bae90720aeb37b15bb9412631aba972dab1d8d42e7507fd1d4ba231c96a0fe4b32b67e450594a95fe6d0fbc858bf2018b02b6d83ccda567
-
SSDEEP
196608:oEGAvNE+MNqCjsict52JykNWmKoahv02bfHJNeh5XK3zQlstPGaVB4L0iJP:QCBAK5XmooaBYhtKklkG
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\Installer\f769e13.msi msiexec.exe File opened for modification C:\Windows\Installer\f769e13.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI9E71.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9FBA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA028.tmp msiexec.exe -
Loads dropped DLL 3 IoCs
pid Process 2660 MsiExec.exe 2660 MsiExec.exe 2660 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2616 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeShutdownPrivilege 2616 msiexec.exe Token: SeIncreaseQuotaPrivilege 2616 msiexec.exe Token: SeRestorePrivilege 2144 msiexec.exe Token: SeTakeOwnershipPrivilege 2144 msiexec.exe Token: SeSecurityPrivilege 2144 msiexec.exe Token: SeCreateTokenPrivilege 2616 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2616 msiexec.exe Token: SeLockMemoryPrivilege 2616 msiexec.exe Token: SeIncreaseQuotaPrivilege 2616 msiexec.exe Token: SeMachineAccountPrivilege 2616 msiexec.exe Token: SeTcbPrivilege 2616 msiexec.exe Token: SeSecurityPrivilege 2616 msiexec.exe Token: SeTakeOwnershipPrivilege 2616 msiexec.exe Token: SeLoadDriverPrivilege 2616 msiexec.exe Token: SeSystemProfilePrivilege 2616 msiexec.exe Token: SeSystemtimePrivilege 2616 msiexec.exe Token: SeProfSingleProcessPrivilege 2616 msiexec.exe Token: SeIncBasePriorityPrivilege 2616 msiexec.exe Token: SeCreatePagefilePrivilege 2616 msiexec.exe Token: SeCreatePermanentPrivilege 2616 msiexec.exe Token: SeBackupPrivilege 2616 msiexec.exe Token: SeRestorePrivilege 2616 msiexec.exe Token: SeShutdownPrivilege 2616 msiexec.exe Token: SeDebugPrivilege 2616 msiexec.exe Token: SeAuditPrivilege 2616 msiexec.exe Token: SeSystemEnvironmentPrivilege 2616 msiexec.exe Token: SeChangeNotifyPrivilege 2616 msiexec.exe Token: SeRemoteShutdownPrivilege 2616 msiexec.exe Token: SeUndockPrivilege 2616 msiexec.exe Token: SeSyncAgentPrivilege 2616 msiexec.exe Token: SeEnableDelegationPrivilege 2616 msiexec.exe Token: SeManageVolumePrivilege 2616 msiexec.exe Token: SeImpersonatePrivilege 2616 msiexec.exe Token: SeCreateGlobalPrivilege 2616 msiexec.exe Token: SeRestorePrivilege 2144 msiexec.exe Token: SeTakeOwnershipPrivilege 2144 msiexec.exe Token: SeRestorePrivilege 2144 msiexec.exe Token: SeTakeOwnershipPrivilege 2144 msiexec.exe Token: SeRestorePrivilege 2144 msiexec.exe Token: SeTakeOwnershipPrivilege 2144 msiexec.exe Token: SeRestorePrivilege 2144 msiexec.exe Token: SeTakeOwnershipPrivilege 2144 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2616 msiexec.exe 2616 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2144 wrote to memory of 2660 2144 msiexec.exe 31 PID 2144 wrote to memory of 2660 2144 msiexec.exe 31 PID 2144 wrote to memory of 2660 2144 msiexec.exe 31 PID 2144 wrote to memory of 2660 2144 msiexec.exe 31 PID 2144 wrote to memory of 2660 2144 msiexec.exe 31 PID 2144 wrote to memory of 2660 2144 msiexec.exe 31 PID 2144 wrote to memory of 2660 2144 msiexec.exe 31
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\LauncherPred8.3.37Stablesetup.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2616
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A58E18B2862951A849DC5727A41B17272⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2660
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD5af8552e496c71962ae4c0e1f63d73286
SHA1eb98c9245737d018660b5a9c77a04a3116bd6318
SHA2566c234cb8d589aa1e9b718d33f61f116ffd44659fc7d8f6440a31298a2b0d365d
SHA512c0994ce4fa052af3d19f20bad445f74aef3cabf664cc5a0b4610309367aade5369dfe93f2e8581bd88d370edecac24b0b4b000b0de1473b9c4bc73137324ac30
-
Filesize
557KB
MD52c9c51ac508570303c6d46c0571ea3a1
SHA1e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127
-
Filesize
1.1MB
MD57768d9d4634bf3dc159cebb6f3ea4718
SHA1a297e0e4dd61ee8f5e88916af1ee6596cd216f26
SHA256745de246181eb58f48224e6433c810ffbaa67fba330c616f03a7361fb1edb121
SHA512985bbf38667609f6a422a22af34d9382ae4112e7995f87b6053a683a0aaa647e17ba70a7a83b5e1309f201fc12a53db3c13ffd2b0fad44c1374fff6f07059cbf