Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-11-2024 09:55

Static task: static1

Behavioral task: behavioral1
Sample: LauncherPred8.3.37Stablesetup.msi
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: LauncherPred8.3.37Stablesetup.msi
Resource: win10v2004-20241007-en
General
Target: LauncherPred8.3.37Stablesetup.msi
Size: 11.4MB
MD5: c628123d2539f5ae51b37a06bd179fc7
SHA1: 139dfe6164e7c6ba6e2360673cf75801fd2add36
SHA256: f5dfa6b5d19d9334c69d24dd98f13cb30badacb6403b03afc47af4e267cbe0c2
SHA512: 3cc3af8065b138719bae90720aeb37b15bb9412631aba972dab1d8d42e7507fd1d4ba231c96a0fe4b32b67e450594a95fe6d0fbc858bf2018b02b6d83ccda567
SSDEEP: 196608:oEGAvNE+MNqCjsict52JykNWmKoahv02bfHJNeh5XK3zQlstPGaVB4L0iJP:QCBAK5XmooaBYhtKklkG
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description               ioc      Process
File opened (read-only)   \??\B:   msiexec.exe
File opened (read-only)   \??\G:   msiexec.exe
File opened (read-only)   \??\T:   msiexec.exe
File opened (read-only)   \??\Y:   msiexec.exe
File opened (read-only)   \??\Z:   msiexec.exe
File opened (read-only)   \??\I:   msiexec.exe
File opened (read-only)   \??\P:   msiexec.exe
File opened (read-only)   \??\X:   msiexec.exe
File opened (read-only)   \??\K:   msiexec.exe
File opened (read-only)   \??\L:   msiexec.exe
File opened (read-only)   \??\P:   msiexec.exe
File opened (read-only)   \??\A:   msiexec.exe
File opened (read-only)   \??\Q:   msiexec.exe
File opened (read-only)   \??\E:   msiexec.exe
File opened (read-only)   \??\L:   msiexec.exe
File opened (read-only)   \??\M:   msiexec.exe
File opened (read-only)   \??\R:   msiexec.exe
File opened (read-only)   \??\A:   msiexec.exe
File opened (read-only)   \??\N:   msiexec.exe
File opened (read-only)   \??\R:   msiexec.exe
File opened (read-only)   \??\S:   msiexec.exe
File opened (read-only)   \??\X:   msiexec.exe
File opened (read-only)   \??\U:   msiexec.exe
File opened (read-only)   \??\V:   msiexec.exe
File opened (read-only)   \??\E:   msiexec.exe
File opened (read-only)   \??\H:   msiexec.exe
File opened (read-only)   \??\U:   msiexec.exe
File opened (read-only)   \??\W:   msiexec.exe
File opened (read-only)   \??\G:   msiexec.exe
File opened (read-only)   \??\Q:   msiexec.exe
File opened (read-only)   \??\B:   msiexec.exe
File opened (read-only)   \??\H:   msiexec.exe
File opened (read-only)   \??\J:   msiexec.exe
File opened (read-only)   \??\N:   msiexec.exe
File opened (read-only)   \??\Z:   msiexec.exe
File opened (read-only)   \??\M:   msiexec.exe
File opened (read-only)   \??\I:   msiexec.exe
File opened (read-only)   \??\J:   msiexec.exe
File opened (read-only)   \??\O:   msiexec.exe
File opened (read-only)   \??\V:   msiexec.exe
File opened (read-only)   \??\K:   msiexec.exe
File opened (read-only)   \??\O:   msiexec.exe
File opened (read-only)   \??\S:   msiexec.exe
File opened (read-only)   \??\T:   msiexec.exe
File opened (read-only)   \??\W:   msiexec.exe
File opened (read-only)   \??\Y:   msiexec.exe
Drops file in Windows directory (5 IoCs)
description                    ioc                                Process
File opened for modification   C:\Windows\Installer\MSI7CDD.tmp   msiexec.exe
File opened for modification   C:\Windows\Installer\MSI7E07.tmp   msiexec.exe
File opened for modification   C:\Windows\Installer\MSI7E56.tmp   msiexec.exe
File created                   C:\Windows\Installer\f767c9f.msi   msiexec.exe
File opened for modification   C:\Windows\Installer\f767c9f.msi   msiexec.exe
Loads dropped DLL (3 IoCs)
pid    Process
2796   MsiExec.exe
2796   MsiExec.exe
2796   MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid    Process
2256   msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MsiExec.exe
Suspicious use of AdjustPrivilegeToken (42 IoCs)
description                            pid    Process
Token: SeShutdownPrivilege             2256   msiexec.exe
Token: SeIncreaseQuotaPrivilege        2256   msiexec.exe
Token: SeRestorePrivilege              2308   msiexec.exe
Token: SeTakeOwnershipPrivilege        2308   msiexec.exe
Token: SeSecurityPrivilege             2308   msiexec.exe
Token: SeCreateTokenPrivilege          2256   msiexec.exe
Token: SeAssignPrimaryTokenPrivilege   2256   msiexec.exe
Token: SeLockMemoryPrivilege           2256   msiexec.exe
Token: SeIncreaseQuotaPrivilege        2256   msiexec.exe
Token: SeMachineAccountPrivilege       2256   msiexec.exe
Token: SeTcbPrivilege                  2256   msiexec.exe
Token: SeSecurityPrivilege             2256   msiexec.exe
Token: SeTakeOwnershipPrivilege        2256   msiexec.exe
Token: SeLoadDriverPrivilege           2256   msiexec.exe
Token: SeSystemProfilePrivilege        2256   msiexec.exe
Token: SeSystemtimePrivilege           2256   msiexec.exe
Token: SeProfSingleProcessPrivilege    2256   msiexec.exe
Token: SeIncBasePriorityPrivilege      2256   msiexec.exe
Token: SeCreatePagefilePrivilege       2256   msiexec.exe
Token: SeCreatePermanentPrivilege      2256   msiexec.exe
Token: SeBackupPrivilege               2256   msiexec.exe
Token: SeRestorePrivilege              2256   msiexec.exe
Token: SeShutdownPrivilege             2256   msiexec.exe
Token: SeDebugPrivilege                2256   msiexec.exe
Token: SeAuditPrivilege                2256   msiexec.exe
Token: SeSystemEnvironmentPrivilege    2256   msiexec.exe
Token: SeChangeNotifyPrivilege         2256   msiexec.exe
Token: SeRemoteShutdownPrivilege       2256   msiexec.exe
Token: SeUndockPrivilege               2256   msiexec.exe
Token: SeSyncAgentPrivilege            2256   msiexec.exe
Token: SeEnableDelegationPrivilege     2256   msiexec.exe
Token: SeManageVolumePrivilege         2256   msiexec.exe
Token: SeImpersonatePrivilege          2256   msiexec.exe
Token: SeCreateGlobalPrivilege         2256   msiexec.exe
Token: SeRestorePrivilege              2308   msiexec.exe
Token: SeTakeOwnershipPrivilege        2308   msiexec.exe
Token: SeRestorePrivilege              2308   msiexec.exe
Token: SeTakeOwnershipPrivilege        2308   msiexec.exe
Token: SeRestorePrivilege              2308   msiexec.exe
Token: SeTakeOwnershipPrivilege        2308   msiexec.exe
Token: SeRestorePrivilege              2308   msiexec.exe
Token: SeTakeOwnershipPrivilege        2308   msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid    Process
2256   msiexec.exe
2256   msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description                          pid    Process       procid_target
PID 2308 wrote to memory of 2796     2308   msiexec.exe   31
PID 2308 wrote to memory of 2796     2308   msiexec.exe   31
PID 2308 wrote to memory of 2796     2308   msiexec.exe   31
PID 2308 wrote to memory of 2796     2308   msiexec.exe   31
PID 2308 wrote to memory of 2796     2308   msiexec.exe   31
PID 2308 wrote to memory of 2796     2308   msiexec.exe   31
PID 2308 wrote to memory of 2796     2308   msiexec.exe   31
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\LauncherPred8.3.37Stablesetup.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2256

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2308

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DB03C0515FDFF0D9B218E1C7C4F11B0E
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 2796
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 21KB
MD5: ec8dd307c694b32ca1468344e959bdf5
SHA1: b710a43667fa598a8e52cd6bfe537c276ab7bd61
SHA256: 9337ff19d9b37bfe41f765eae84cf5a2c1cf7e0fea1cc144e940c6d809983bf5
SHA512: 02edf36f31f056841f31764b0ac23d0854463f286b727003b18468cb06789a83a1d5e636bea723d3985f334708d44e53a6c367324d1854aa0622fc019d0cd533

Filesize: 557KB
MD5: 2c9c51ac508570303c6d46c0571ea3a1
SHA1: e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256: ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512: df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Filesize: 1.1MB
MD5: 7768d9d4634bf3dc159cebb6f3ea4718
SHA1: a297e0e4dd61ee8f5e88916af1ee6596cd216f26
SHA256: 745de246181eb58f48224e6433c810ffbaa67fba330c616f03a7361fb1edb121
SHA512: 985bbf38667609f6a422a22af34d9382ae4112e7995f87b6053a683a0aaa647e17ba70a7a83b5e1309f201fc12a53db3c13ffd2b0fad44c1374fff6f07059cbf