Managed XDR

token.msi — malware analysis report

File info

Filename: token.msi
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: WkSupport, Author: CodecMei, Keywords: Installer, Comments: This installer database contains the logic and data required to install WkSupport., Template: Intel;7177, Revision Number: {38C7D319-ED89-4AF8-AEDC-279CBCEE89FC}, Create Time/Date: Sat Aug 10 11:55:50 2024, Last Saved Time/Date: Sat Aug 10 11:55:50 2024, Number of Pages: 500, Number of Words: 8, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
File size: 1.5 MB
First seen:
Last seen:

Environment

win7/x86 en

Hashes

SHA1: e8936e51146ebf088d1de44ee5ba4e798ef5f912
SHA256: b9e414fcb3f95cb7067f6d8bc7982bceaf2c417fde2c695c81851a922454b5b1
MD5: 94e517a96d7ab0eb52901a4733949ce6

Signatures

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules
creates_exe: Creates executable files in the file system
no_graphical_activity: No graphical activity
create_rpc_bindings: Creates RPC connection
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call