56eff77b029b5f56c47d11fe58878627065dbeacbc3108d50d98a83420152c2b

Resubmissions

21-11-2024 14:47

241121-r5vm5ssqfs 7

21-11-2024 12:34

241121-prryzsslaw 7

21-11-2024 12:25

241121-plqhzawqbn 7

Analysis

max time kernel
435s
max time network
444s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-11-2024 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QuickTimeInstaller.exe
Size

40.0MB
MD5

1a762049bef7fc3a53014833757de2d2
SHA1

e906b9b585a02c08270316fd21f8f5ce0081526a
SHA256

56eff77b029b5f56c47d11fe58878627065dbeacbc3108d50d98a83420152c2b
SHA512

b030994a6a0bab58ca135205770cc5bfd1830628573116836b30c7865b91314be767a5b6453a143464bddda263dd3487b763209bee6f1eb94240de74a2613c8e
SSDEEP

786432:ypGoHCbrFwMp9H25FtfGhJ4wNvMpZzSPwjs9jNdpS1o0K9:yPinmMeQhJhCV49hG1o/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3168	QuickTimeInstallerAdmin.exe

Loads dropped DLL 7 IoCs

pid	Process
1004	MsiExec.exe
1004	MsiExec.exe
1004	MsiExec.exe
1004	MsiExec.exe
1004	MsiExec.exe
1004	MsiExec.exe
1004	MsiExec.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
15	3672	msiexec.exe
17	3672	msiexec.exe
19	3672	msiexec.exe
21	3672	msiexec.exe
24	3672	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QuickTimeInstallerAdmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QuickTimeInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1004	MsiExec.exe
1004	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	5024	QuickTimeInstaller.exe
Token: SeIncBasePriorityPrivilege	5024	QuickTimeInstaller.exe
Token: SeShutdownPrivilege	3672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3672	msiexec.exe
Token: SeSecurityPrivilege	4272	msiexec.exe
Token: SeCreateTokenPrivilege	3672	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3672	msiexec.exe
Token: SeLockMemoryPrivilege	3672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3672	msiexec.exe
Token: SeMachineAccountPrivilege	3672	msiexec.exe
Token: SeTcbPrivilege	3672	msiexec.exe
Token: SeSecurityPrivilege	3672	msiexec.exe
Token: SeTakeOwnershipPrivilege	3672	msiexec.exe
Token: SeLoadDriverPrivilege	3672	msiexec.exe
Token: SeSystemProfilePrivilege	3672	msiexec.exe
Token: SeSystemtimePrivilege	3672	msiexec.exe
Token: SeProfSingleProcessPrivilege	3672	msiexec.exe
Token: SeIncBasePriorityPrivilege	3672	msiexec.exe
Token: SeCreatePagefilePrivilege	3672	msiexec.exe
Token: SeCreatePermanentPrivilege	3672	msiexec.exe
Token: SeBackupPrivilege	3672	msiexec.exe
Token: SeRestorePrivilege	3672	msiexec.exe
Token: SeShutdownPrivilege	3672	msiexec.exe
Token: SeDebugPrivilege	3672	msiexec.exe
Token: SeAuditPrivilege	3672	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3672	msiexec.exe
Token: SeChangeNotifyPrivilege	3672	msiexec.exe
Token: SeRemoteShutdownPrivilege	3672	msiexec.exe
Token: SeUndockPrivilege	3672	msiexec.exe
Token: SeSyncAgentPrivilege	3672	msiexec.exe
Token: SeEnableDelegationPrivilege	3672	msiexec.exe
Token: SeManageVolumePrivilege	3672	msiexec.exe
Token: SeImpersonatePrivilege	3672	msiexec.exe
Token: SeCreateGlobalPrivilege	3672	msiexec.exe
Token: SeCreateTokenPrivilege	3672	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3672	msiexec.exe
Token: SeLockMemoryPrivilege	3672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3672	msiexec.exe
Token: SeMachineAccountPrivilege	3672	msiexec.exe
Token: SeTcbPrivilege	3672	msiexec.exe
Token: SeSecurityPrivilege	3672	msiexec.exe
Token: SeTakeOwnershipPrivilege	3672	msiexec.exe
Token: SeLoadDriverPrivilege	3672	msiexec.exe
Token: SeSystemProfilePrivilege	3672	msiexec.exe
Token: SeSystemtimePrivilege	3672	msiexec.exe
Token: SeProfSingleProcessPrivilege	3672	msiexec.exe
Token: SeIncBasePriorityPrivilege	3672	msiexec.exe
Token: SeCreatePagefilePrivilege	3672	msiexec.exe
Token: SeCreatePermanentPrivilege	3672	msiexec.exe
Token: SeBackupPrivilege	3672	msiexec.exe
Token: SeRestorePrivilege	3672	msiexec.exe
Token: SeShutdownPrivilege	3672	msiexec.exe
Token: SeDebugPrivilege	3672	msiexec.exe
Token: SeAuditPrivilege	3672	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3672	msiexec.exe
Token: SeChangeNotifyPrivilege	3672	msiexec.exe
Token: SeRemoteShutdownPrivilege	3672	msiexec.exe
Token: SeUndockPrivilege	3672	msiexec.exe
Token: SeSyncAgentPrivilege	3672	msiexec.exe
Token: SeEnableDelegationPrivilege	3672	msiexec.exe
Token: SeManageVolumePrivilege	3672	msiexec.exe
Token: SeImpersonatePrivilege	3672	msiexec.exe
Token: SeCreateGlobalPrivilege	3672	msiexec.exe
Token: SeCreateTokenPrivilege	3672	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3672	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 3672	5024	QuickTimeInstaller.exe	81
PID 5024 wrote to memory of 3672	5024	QuickTimeInstaller.exe	81
PID 5024 wrote to memory of 3672	5024	QuickTimeInstaller.exe	81
PID 4272 wrote to memory of 1004	4272	msiexec.exe	89
PID 4272 wrote to memory of 1004	4272	msiexec.exe	89
PID 4272 wrote to memory of 1004	4272	msiexec.exe	89
PID 1004 wrote to memory of 3168	1004	MsiExec.exe	93
PID 1004 wrote to memory of 3168	1004	MsiExec.exe	93
PID 1004 wrote to memory of 3168	1004	MsiExec.exe	93

C:\Users\Admin\AppData\Local\Temp\QuickTimeInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\QuickTimeInstaller.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QuickTime.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3672

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9509938F46E01B24D909B68A7C46049E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QuickTimeInstallerAdmin.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QuickTimeInstallerAdmin.exe" /evt E4E1 /pid 1004 /mon 1056 964
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QuickTime.msi

Filesize
27.1MB

MD5
5376b2262b6e9773801520b6735c6de9

SHA1
fbddb7e5d7f06ff4e5c65d57c01ef27c0bca7ca5

SHA256
03ea287b99df2605a9d32b0fe9096d811b8c7ed1654f822ff76f7e172e0ed0b8

SHA512
cce529666d0f33ee347cb001bb0d37d07c25473545b3a6de6efa44f93f1326b520a822c7b46061b7de2690c0144485d62520fbf757217167ec1bbd131f78f826

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QuickTimeInstallerAdmin.exe

Filesize
78KB

MD5
621ed0e1d558cd598cc423b61bfa1f04

SHA1
2a0fca94934e9614ac6ae7c4e0f593f01f17ddab

SHA256
12f4f1d2003ab8de46c7dd67e885a90c517a0a4596953fe796bf0c3754112043

SHA512
f6f1f5c22fd4b10c4a8d69048a47c31c558d6fc8a8acb14cf37b32f0c3677ea12dc0d5e8beada4fedb059c14029103bb210fd490d85185375eea3d42fb6e9ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI980A.tmp

Filesize
134KB

MD5
fc09fd1c7a4e16ab8a5e9106f1344bf2

SHA1
8b07a5259b8f3a2ecb4758ab745ae3e8f7b9d652

SHA256
f3569339784a54ac40e0ba00b86e225ac0804e8112956dec6b1ea805d514f638

SHA512
d787551ccbfabbf9dca17e50e1a508dd4afe124220d201f923e864a0e8f54c4abc58d1d11d20fc5c1913917c87a78e8e661f3c76b4cc55f77a798d24622257cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9915.tmp

Filesize
426KB

MD5
1f847c95adf4f7fe0956d815cb17d907

SHA1
0d3638822942ad4d9c0d492c5df5fb33f36fa178

SHA256
10db6192b63c7260405597f9f8a1eb54a9f4f49b34a87b68be04bb8bd815da1d

SHA512
23062dc0d3f1c157615c5679ad03c76242659bfbe08a5ebd8d85ce2af05925c4fdcc0e789d5e278afc9235dd9472b038aff2bce5e27f4ba8c7f18cf084d81ccf

Download Submit