f5dfa6b5d19d9334c69d24dd98f13cb30badacb6403b03afc47af4e267cbe0c2

General

Target

LauncherPred8.3.37Stablesetup.msi
Size

11.4MB
MD5

c628123d2539f5ae51b37a06bd179fc7
SHA1

139dfe6164e7c6ba6e2360673cf75801fd2add36
SHA256

f5dfa6b5d19d9334c69d24dd98f13cb30badacb6403b03afc47af4e267cbe0c2
SHA512

3cc3af8065b138719bae90720aeb37b15bb9412631aba972dab1d8d42e7507fd1d4ba231c96a0fe4b32b67e450594a95fe6d0fbc858bf2018b02b6d83ccda567
SSDEEP

196608:oEGAvNE+MNqCjsict52JykNWmKoahv02bfHJNeh5XK3zQlstPGaVB4L0iJP:QCBAK5XmooaBYhtKklkG

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 5 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f76733d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76733d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74F2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7570.tmp	msiexec.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exe

pid process

2816 MsiExec.exe
2816 MsiExec.exe
2816 MsiExec.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

2820 msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

MsiExec.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe

pid	process
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe

pid	process
2820	msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2820	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeSecurityPrivilege	2780	msiexec.exe
Token: SeCreateTokenPrivilege	2820	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2820	msiexec.exe
Token: SeLockMemoryPrivilege	2820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2820	msiexec.exe
Token: SeMachineAccountPrivilege	2820	msiexec.exe
Token: SeTcbPrivilege	2820	msiexec.exe
Token: SeSecurityPrivilege	2820	msiexec.exe
Token: SeTakeOwnershipPrivilege	2820	msiexec.exe
Token: SeLoadDriverPrivilege	2820	msiexec.exe
Token: SeSystemProfilePrivilege	2820	msiexec.exe
Token: SeSystemtimePrivilege	2820	msiexec.exe
Token: SeProfSingleProcessPrivilege	2820	msiexec.exe
Token: SeIncBasePriorityPrivilege	2820	msiexec.exe
Token: SeCreatePagefilePrivilege	2820	msiexec.exe
Token: SeCreatePermanentPrivilege	2820	msiexec.exe
Token: SeBackupPrivilege	2820	msiexec.exe
Token: SeRestorePrivilege	2820	msiexec.exe
Token: SeShutdownPrivilege	2820	msiexec.exe
Token: SeDebugPrivilege	2820	msiexec.exe
Token: SeAuditPrivilege	2820	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2820	msiexec.exe
Token: SeChangeNotifyPrivilege	2820	msiexec.exe
Token: SeRemoteShutdownPrivilege	2820	msiexec.exe
Token: SeUndockPrivilege	2820	msiexec.exe
Token: SeSyncAgentPrivilege	2820	msiexec.exe
Token: SeEnableDelegationPrivilege	2820	msiexec.exe
Token: SeManageVolumePrivilege	2820	msiexec.exe
Token: SeImpersonatePrivilege	2820	msiexec.exe
Token: SeCreateGlobalPrivilege	2820	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2820 msiexec.exe
2820 msiexec.exe

pid	process
2820	msiexec.exe
2820	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2780 wrote to memory of 2816	2780	msiexec.exe	MsiExec.exe
PID 2780 wrote to memory of 2816	2780	msiexec.exe	MsiExec.exe
PID 2780 wrote to memory of 2816	2780	msiexec.exe	MsiExec.exe
PID 2780 wrote to memory of 2816	2780	msiexec.exe	MsiExec.exe
PID 2780 wrote to memory of 2816	2780	msiexec.exe	MsiExec.exe
PID 2780 wrote to memory of 2816	2780	msiexec.exe	MsiExec.exe
PID 2780 wrote to memory of 2816	2780	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\LauncherPred8.3.37Stablesetup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2820

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD8E03032E18DCA173A8FC0F42534324
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Privilege Escalation

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Defense Evasion

System Binary Proxy Execution

1

T1218

Msiexec

1

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI671e5.LOG

Filesize
21KB

MD5
46e2621f053ee84d59b739e2b683a73a

SHA1
cb46121203206df9969bcd13d6c9b8bf7e08ecd3

SHA256
5fadd954d408498e4b6a30b64ed1317518f16cda5036b177efefaf119fe44b5a

SHA512
7b82f9ea40240ea34f48e8af81595e04ea5bc0bf26b6d0a7ffe357f0df95f3d0540842ff60a72bb11320ff53f97840a5f447287e31b8edaa8840736c5fc5818e

Download Submit
C:\Windows\Installer\MSI73C9.tmp

Filesize
557KB

MD5
2c9c51ac508570303c6d46c0571ea3a1

SHA1
e3e0fe08fa11a43c8bca533f212bdf0704c726d5

SHA256
ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

SHA512
df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Download Submit
C:\Windows\Installer\MSI7570.tmp

Filesize
1.1MB

MD5
7768d9d4634bf3dc159cebb6f3ea4718

SHA1
a297e0e4dd61ee8f5e88916af1ee6596cd216f26

SHA256
745de246181eb58f48224e6433c810ffbaa67fba330c616f03a7361fb1edb121

SHA512
985bbf38667609f6a422a22af34d9382ae4112e7995f87b6053a683a0aaa647e17ba70a7a83b5e1309f201fc12a53db3c13ffd2b0fad44c1374fff6f07059cbf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads