bbdf4c8d657e3123bd009ab086758bfd707f9b8c7f5fabb22783c4cb81784ca8

Analysis

max time kernel
422s
max time network
447s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-es
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-eslocale:es-esos:windows10-ltsc 2021-x64systemwindows
submitted
22/01/2025, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

468KB
MD5

5b8919735858ed14281644d2c240100e
SHA1

7f6375515e18679cf457f2bad67892db5a217555
SHA256

b78712b6fbe78bbdb57b25f985262e38e061811e244aa39297fd5a0c91d80ffa
SHA512

34d8faa0a71f02afff0699be326962938c36c55ba175a35f6a214bc1038f0bd1731f9a2566651a4dc932fc7814aa11bfec4533e5fe499dba3dfef910547c8ad4
SSDEEP

6144:w1p3HAzqXU1jsNVRbIf7m6A5f4LT9XTj8Tu6eezwJ:w1p3H6mUlKVRcf7lUsXcTus

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
1040	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1656	msiexec.exe
Token: SeSecurityPrivilege	4556	msiexec.exe
Token: SeCreateTokenPrivilege	1656	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1656	msiexec.exe
Token: SeLockMemoryPrivilege	1656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1656	msiexec.exe
Token: SeMachineAccountPrivilege	1656	msiexec.exe
Token: SeTcbPrivilege	1656	msiexec.exe
Token: SeSecurityPrivilege	1656	msiexec.exe
Token: SeTakeOwnershipPrivilege	1656	msiexec.exe
Token: SeLoadDriverPrivilege	1656	msiexec.exe
Token: SeSystemProfilePrivilege	1656	msiexec.exe
Token: SeSystemtimePrivilege	1656	msiexec.exe
Token: SeProfSingleProcessPrivilege	1656	msiexec.exe
Token: SeIncBasePriorityPrivilege	1656	msiexec.exe
Token: SeCreatePagefilePrivilege	1656	msiexec.exe
Token: SeCreatePermanentPrivilege	1656	msiexec.exe
Token: SeBackupPrivilege	1656	msiexec.exe
Token: SeRestorePrivilege	1656	msiexec.exe
Token: SeShutdownPrivilege	1656	msiexec.exe
Token: SeDebugPrivilege	1656	msiexec.exe
Token: SeAuditPrivilege	1656	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1656	msiexec.exe
Token: SeChangeNotifyPrivilege	1656	msiexec.exe
Token: SeRemoteShutdownPrivilege	1656	msiexec.exe
Token: SeUndockPrivilege	1656	msiexec.exe
Token: SeSyncAgentPrivilege	1656	msiexec.exe
Token: SeEnableDelegationPrivilege	1656	msiexec.exe
Token: SeManageVolumePrivilege	1656	msiexec.exe
Token: SeImpersonatePrivilege	1656	msiexec.exe
Token: SeCreateGlobalPrivilege	1656	msiexec.exe
Token: SeCreateTokenPrivilege	1656	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1656	msiexec.exe
Token: SeLockMemoryPrivilege	1656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1656	msiexec.exe
Token: SeMachineAccountPrivilege	1656	msiexec.exe
Token: SeTcbPrivilege	1656	msiexec.exe
Token: SeSecurityPrivilege	1656	msiexec.exe
Token: SeTakeOwnershipPrivilege	1656	msiexec.exe
Token: SeLoadDriverPrivilege	1656	msiexec.exe
Token: SeSystemProfilePrivilege	1656	msiexec.exe
Token: SeSystemtimePrivilege	1656	msiexec.exe
Token: SeProfSingleProcessPrivilege	1656	msiexec.exe
Token: SeIncBasePriorityPrivilege	1656	msiexec.exe
Token: SeCreatePagefilePrivilege	1656	msiexec.exe
Token: SeCreatePermanentPrivilege	1656	msiexec.exe
Token: SeBackupPrivilege	1656	msiexec.exe
Token: SeRestorePrivilege	1656	msiexec.exe
Token: SeShutdownPrivilege	1656	msiexec.exe
Token: SeDebugPrivilege	1656	msiexec.exe
Token: SeAuditPrivilege	1656	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1656	msiexec.exe
Token: SeChangeNotifyPrivilege	1656	msiexec.exe
Token: SeRemoteShutdownPrivilege	1656	msiexec.exe
Token: SeUndockPrivilege	1656	msiexec.exe
Token: SeSyncAgentPrivilege	1656	msiexec.exe
Token: SeEnableDelegationPrivilege	1656	msiexec.exe
Token: SeManageVolumePrivilege	1656	msiexec.exe
Token: SeImpersonatePrivilege	1656	msiexec.exe
Token: SeCreateGlobalPrivilege	1656	msiexec.exe
Token: SeCreateTokenPrivilege	1656	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1656	msiexec.exe
Token: SeLockMemoryPrivilege	1656	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1656	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1656	1468	setup.exe	82
PID 1468 wrote to memory of 1656	1468	setup.exe	82
PID 1468 wrote to memory of 1656	1468	setup.exe	82
PID 4556 wrote to memory of 1040	4556	msiexec.exe	85
PID 4556 wrote to memory of 1040	4556	msiexec.exe	85
PID 4556 wrote to memory of 1040	4556	msiexec.exe	85

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\msiexec.exe
  C:\Windows\SysWOW64\\msiexec.exe SETUP_USED=1 /I "C:\Users\Admin\AppData\Local\Temp\openoffice4115.msi"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1656

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 21537FFEEE8D36F77B3EB4BE5BBDD195 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIA7F8.tmp

Filesize
164KB

MD5
34480728b3a659a7bc4bea865c25668d

SHA1
4ca4a1a5df7cb116ffa35e106705f2a2c20b0738

SHA256
a5b9ccf58eab9e907a151860f5630da52ae939625fd7065a05947c5e4376a09a

SHA512
6c6bf290e20d57477b9ee366e44d6c2559f27364063b03c23cf1687e41d5b9b44547f53751ea6b920bcb6471431443deafe4b0a638cd0ec4d7de903260cd978e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA971.tmp

Filesize
88KB

MD5
55b453d7a244d96e10754ab033c45728

SHA1
7f927a511987022bb009f48ee152a4e91aa877f0

SHA256
f8da2aac476ad890fd32a25e7e3ebd85a352b92f8134092d8df0b6a7702b1c32

SHA512
21df0e08f5f3c05e6caf8085dab94dd9eb1248141cda974e7af9ec47d0249909c55bc599a88930f7421576cb834b44b84f8d858cbea770c3f11a5d397e30b731

Download Submit