Analysis
-
max time kernel
63s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
30-11-2024 00:21
Static task
static1
Behavioral task
behavioral1
Sample
LauncherPred8.3.389 stablesetup.msi
Resource
win7-20240729-en
General
-
Target
LauncherPred8.3.389 stablesetup.msi
-
Size
3.1MB
-
MD5
028578212baa7456aae40d4bdb5792e5
-
SHA1
fd9037a16f327a64f8b2fd8ff9f6664ae307ca39
-
SHA256
bdb79800e4177b59b3830ae7cc996a41fc2b560593e7b51e02408c062f8d4449
-
SHA512
66961e2be5b19aa30c2bb50f7ca502aa8e451299b2f1b5a6b9f3e6c82486e13dd9f18857553e8ff65912ffea9708ed8cab6da704c1bf5bba57944143ca7b1867
-
SSDEEP
49152:muoukMo27Epq0n8Toc4Ur8r6F5mCmR+Ov0Rn0rItYcuwwERO9qZFTvqPvO6Ezvsk:1Yn8ToWo6AvAYcuwr9qrn
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI80E5.tmp msiexec.exe File created C:\Windows\Installer\f777f6d.msi msiexec.exe File opened for modification C:\Windows\Installer\f777f6d.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI7FAB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8067.tmp msiexec.exe -
Loads dropped DLL 3 IoCs
pid Process 2972 MsiExec.exe 2972 MsiExec.exe 2972 MsiExec.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeShutdownPrivilege 1096 msiexec.exe Token: SeIncreaseQuotaPrivilege 1096 msiexec.exe Token: SeRestorePrivilege 2096 msiexec.exe Token: SeTakeOwnershipPrivilege 2096 msiexec.exe Token: SeSecurityPrivilege 2096 msiexec.exe Token: SeCreateTokenPrivilege 1096 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1096 msiexec.exe Token: SeLockMemoryPrivilege 1096 msiexec.exe Token: SeIncreaseQuotaPrivilege 1096 msiexec.exe Token: SeMachineAccountPrivilege 1096 msiexec.exe Token: SeTcbPrivilege 1096 msiexec.exe Token: SeSecurityPrivilege 1096 msiexec.exe Token: SeTakeOwnershipPrivilege 1096 msiexec.exe Token: SeLoadDriverPrivilege 1096 msiexec.exe Token: SeSystemProfilePrivilege 1096 msiexec.exe Token: SeSystemtimePrivilege 1096 msiexec.exe Token: SeProfSingleProcessPrivilege 1096 msiexec.exe Token: SeIncBasePriorityPrivilege 1096 msiexec.exe Token: SeCreatePagefilePrivilege 1096 msiexec.exe Token: SeCreatePermanentPrivilege 1096 msiexec.exe Token: SeBackupPrivilege 1096 msiexec.exe Token: SeRestorePrivilege 1096 msiexec.exe Token: SeShutdownPrivilege 1096 msiexec.exe Token: SeDebugPrivilege 1096 msiexec.exe Token: SeAuditPrivilege 1096 msiexec.exe Token: SeSystemEnvironmentPrivilege 1096 msiexec.exe Token: SeChangeNotifyPrivilege 1096 msiexec.exe Token: SeRemoteShutdownPrivilege 1096 msiexec.exe Token: SeUndockPrivilege 1096 msiexec.exe Token: SeSyncAgentPrivilege 1096 msiexec.exe Token: SeEnableDelegationPrivilege 1096 msiexec.exe Token: SeManageVolumePrivilege 1096 msiexec.exe Token: SeImpersonatePrivilege 1096 msiexec.exe Token: SeCreateGlobalPrivilege 1096 msiexec.exe Token: SeRestorePrivilege 2096 msiexec.exe Token: SeTakeOwnershipPrivilege 2096 msiexec.exe Token: SeRestorePrivilege 2096 msiexec.exe Token: SeTakeOwnershipPrivilege 2096 msiexec.exe Token: SeRestorePrivilege 2096 msiexec.exe Token: SeTakeOwnershipPrivilege 2096 msiexec.exe Token: SeRestorePrivilege 2096 msiexec.exe Token: SeTakeOwnershipPrivilege 2096 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1096 msiexec.exe 1096 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2096 wrote to memory of 2972 2096 msiexec.exe 31 PID 2096 wrote to memory of 2972 2096 msiexec.exe 31 PID 2096 wrote to memory of 2972 2096 msiexec.exe 31 PID 2096 wrote to memory of 2972 2096 msiexec.exe 31 PID 2096 wrote to memory of 2972 2096 msiexec.exe 31 PID 2096 wrote to memory of 2972 2096 msiexec.exe 31 PID 2096 wrote to memory of 2972 2096 msiexec.exe 31
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\LauncherPred8.3.389 stablesetup.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1096
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 91D089A71BC15686A41353A07143796E2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2972
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD53c9799fcbe08ed98d94a266e3743eddd
SHA196e76818a51f3e844d6f98d11a877bc91dbfbbd8
SHA25677ccf372f422c44ecf86330ee333f73716c242b8080dbe378c4b9b3e1df8b49d
SHA512e21478112c03d1909a2061e0a834a89bb85e31e555f682fb34287d35d679f6d51a8a1747fac2c54db36397a7a6480f34ff5992b6463aaeb43d2f11ef8abface5
-
Filesize
557KB
MD52c9c51ac508570303c6d46c0571ea3a1
SHA1e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127
-
Filesize
1.1MB
MD57768d9d4634bf3dc159cebb6f3ea4718
SHA1a297e0e4dd61ee8f5e88916af1ee6596cd216f26
SHA256745de246181eb58f48224e6433c810ffbaa67fba330c616f03a7361fb1edb121
SHA512985bbf38667609f6a422a22af34d9382ae4112e7995f87b6053a683a0aaa647e17ba70a7a83b5e1309f201fc12a53db3c13ffd2b0fad44c1374fff6f07059cbf