f5dfa6b5d19d9334c69d24dd98f13cb30badacb6403b03afc47af4e267cbe0c2

General

Target

LauncherPred8.3.37Stablesetup.msi
Size

11.4MB
MD5

c628123d2539f5ae51b37a06bd179fc7
SHA1

139dfe6164e7c6ba6e2360673cf75801fd2add36
SHA256

f5dfa6b5d19d9334c69d24dd98f13cb30badacb6403b03afc47af4e267cbe0c2
SHA512

3cc3af8065b138719bae90720aeb37b15bb9412631aba972dab1d8d42e7507fd1d4ba231c96a0fe4b32b67e450594a95fe6d0fbc858bf2018b02b6d83ccda567
SSDEEP

196608:oEGAvNE+MNqCjsict52JykNWmKoahv02bfHJNeh5XK3zQlstPGaVB4L0iJP:QCBAK5XmooaBYhtKklkG

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 5 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI7CDD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E07.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E56.tmp	msiexec.exe
File created	C:\Windows\Installer\f767c9f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f767c9f.msi	msiexec.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exe

pid process

2796 MsiExec.exe
2796 MsiExec.exe
2796 MsiExec.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

2256 msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

MsiExec.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe

pid	process
2796	MsiExec.exe
2796	MsiExec.exe
2796	MsiExec.exe

pid	process
2256	msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2256	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2256	msiexec.exe
Token: SeRestorePrivilege	2308	msiexec.exe
Token: SeTakeOwnershipPrivilege	2308	msiexec.exe
Token: SeSecurityPrivilege	2308	msiexec.exe
Token: SeCreateTokenPrivilege	2256	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2256	msiexec.exe
Token: SeLockMemoryPrivilege	2256	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2256	msiexec.exe
Token: SeMachineAccountPrivilege	2256	msiexec.exe
Token: SeTcbPrivilege	2256	msiexec.exe
Token: SeSecurityPrivilege	2256	msiexec.exe
Token: SeTakeOwnershipPrivilege	2256	msiexec.exe
Token: SeLoadDriverPrivilege	2256	msiexec.exe
Token: SeSystemProfilePrivilege	2256	msiexec.exe
Token: SeSystemtimePrivilege	2256	msiexec.exe
Token: SeProfSingleProcessPrivilege	2256	msiexec.exe
Token: SeIncBasePriorityPrivilege	2256	msiexec.exe
Token: SeCreatePagefilePrivilege	2256	msiexec.exe
Token: SeCreatePermanentPrivilege	2256	msiexec.exe
Token: SeBackupPrivilege	2256	msiexec.exe
Token: SeRestorePrivilege	2256	msiexec.exe
Token: SeShutdownPrivilege	2256	msiexec.exe
Token: SeDebugPrivilege	2256	msiexec.exe
Token: SeAuditPrivilege	2256	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2256	msiexec.exe
Token: SeChangeNotifyPrivilege	2256	msiexec.exe
Token: SeRemoteShutdownPrivilege	2256	msiexec.exe
Token: SeUndockPrivilege	2256	msiexec.exe
Token: SeSyncAgentPrivilege	2256	msiexec.exe
Token: SeEnableDelegationPrivilege	2256	msiexec.exe
Token: SeManageVolumePrivilege	2256	msiexec.exe
Token: SeImpersonatePrivilege	2256	msiexec.exe
Token: SeCreateGlobalPrivilege	2256	msiexec.exe
Token: SeRestorePrivilege	2308	msiexec.exe
Token: SeTakeOwnershipPrivilege	2308	msiexec.exe
Token: SeRestorePrivilege	2308	msiexec.exe
Token: SeTakeOwnershipPrivilege	2308	msiexec.exe
Token: SeRestorePrivilege	2308	msiexec.exe
Token: SeTakeOwnershipPrivilege	2308	msiexec.exe
Token: SeRestorePrivilege	2308	msiexec.exe
Token: SeTakeOwnershipPrivilege	2308	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2256 msiexec.exe
2256 msiexec.exe

pid	process
2256	msiexec.exe
2256	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2308 wrote to memory of 2796	2308	msiexec.exe	MsiExec.exe
PID 2308 wrote to memory of 2796	2308	msiexec.exe	MsiExec.exe
PID 2308 wrote to memory of 2796	2308	msiexec.exe	MsiExec.exe
PID 2308 wrote to memory of 2796	2308	msiexec.exe	MsiExec.exe
PID 2308 wrote to memory of 2796	2308	msiexec.exe	MsiExec.exe
PID 2308 wrote to memory of 2796	2308	msiexec.exe	MsiExec.exe
PID 2308 wrote to memory of 2796	2308	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\LauncherPred8.3.37Stablesetup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2256

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DB03C0515FDFF0D9B218E1C7C4F11B0E
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Privilege Escalation

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Defense Evasion

System Binary Proxy Execution

1

T1218

Msiexec

1

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI67b67.LOG

Filesize
21KB

MD5
ec8dd307c694b32ca1468344e959bdf5

SHA1
b710a43667fa598a8e52cd6bfe537c276ab7bd61

SHA256
9337ff19d9b37bfe41f765eae84cf5a2c1cf7e0fea1cc144e940c6d809983bf5

SHA512
02edf36f31f056841f31764b0ac23d0854463f286b727003b18468cb06789a83a1d5e636bea723d3985f334708d44e53a6c367324d1854aa0622fc019d0cd533

Download Submit
C:\Windows\Installer\MSI7CDD.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
C:\Windows\Installer\MSI7E56.tmp

Filesize
1.1MB

MD5
7768d9d4634bf3dc159cebb6f3ea4718

SHA1
a297e0e4dd61ee8f5e88916af1ee6596cd216f26

SHA256
745de246181eb58f48224e6433c810ffbaa67fba330c616f03a7361fb1edb121

SHA512
985bbf38667609f6a422a22af34d9382ae4112e7995f87b6053a683a0aaa647e17ba70a7a83b5e1309f201fc12a53db3c13ffd2b0fad44c1374fff6f07059cbf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads