Analysis

  • max time kernel
    422s
  • max time network
    447s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-es
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250113-es, locale:es-es, os:windows10-ltsc 2021-x64, system, windows
  • submitted
    22/01/2025, 15:18

General

  • Target

    setup.exe

  • Size

    468KB

  • MD5

    5b8919735858ed14281644d2c240100e

  • SHA1

    7f6375515e18679cf457f2bad67892db5a217555

  • SHA256

    b78712b6fbe78bbdb57b25f985262e38e061811e244aa39297fd5a0c91d80ffa

  • SHA512

    34d8faa0a71f02afff0699be326962938c36c55ba175a35f6a214bc1038f0bd1731f9a2566651a4dc932fc7814aa11bfec4533e5fe499dba3dfef910547c8ad4

  • SSDEEP

    6144:w1p3HAzqXU1jsNVRbIf7m6A5f4LT9XTj8Tu6eezwJ:w1p3H6mUlKVRcf7lUsXcTus

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\\msiexec.exe SETUP_USED=1 /I "C:\Users\Admin\AppData\Local\Temp\openoffice4115.msi"
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1656
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 21537FFEEE8D36F77B3EB4BE5BBDD195 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1040

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSIA7F8.tmp

    Filesize

    164KB

    MD5

    34480728b3a659a7bc4bea865c25668d

    SHA1

    4ca4a1a5df7cb116ffa35e106705f2a2c20b0738

    SHA256

    a5b9ccf58eab9e907a151860f5630da52ae939625fd7065a05947c5e4376a09a

    SHA512

    6c6bf290e20d57477b9ee366e44d6c2559f27364063b03c23cf1687e41d5b9b44547f53751ea6b920bcb6471431443deafe4b0a638cd0ec4d7de903260cd978e

  • C:\Users\Admin\AppData\Local\Temp\MSIA971.tmp

    Filesize

    88KB

    MD5

    55b453d7a244d96e10754ab033c45728

    SHA1

    7f927a511987022bb009f48ee152a4e91aa877f0

    SHA256

    f8da2aac476ad890fd32a25e7e3ebd85a352b92f8134092d8df0b6a7702b1c32

    SHA512

    21df0e08f5f3c05e6caf8085dab94dd9eb1248141cda974e7af9ec47d0249909c55bc599a88930f7421576cb834b44b84f8d858cbea770c3f11a5d397e30b731