185e7914fb334360e83bb85bc6cdf7e3311b77f49197748b271803484050d38d

Analysis

max time kernel
109s
max time network
131s
platform
windows10_x64
resource
win10v200430
submitted
10/07/2020, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ada66908-1faf-4e78-8582-239d6d90c2cf.msi
Size

1.7MB
MD5

4c2f959dcda49fa48d8dc13a7eac6b3b
SHA1

d270aedb78fe928e425ecc4f2f1b5c9c38dca764
SHA256

185e7914fb334360e83bb85bc6cdf7e3311b77f49197748b271803484050d38d
SHA512

aabde1125b7167bbd2b2734df099e07b92382dd579429652fd7f0a28705c744befad6b3d428cb09c4fea524ef421dd7a17f621957fa55d4592550176592df37f

Score

7^/10

persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 3564	2484	msiexec.exe	70
PID 2484 wrote to memory of 3564	2484	msiexec.exe	70
PID 2484 wrote to memory of 3564	2484	msiexec.exe	70

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3564	MsiExec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4755.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\23a40.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43D7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI432A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4445.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7F0666E5-9A6B-4F70-9E81-530C35837E3F}	msiexec.exe
File created	C:\Windows\Installer\23a40.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI46D7.tmp	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2416	msiexec.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2416	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2416	msiexec.exe
Token: SeSecurityPrivilege	2484	msiexec.exe
Token: SeCreateTokenPrivilege	2416	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2416	msiexec.exe
Token: SeLockMemoryPrivilege	2416	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2416	msiexec.exe
Token: SeMachineAccountPrivilege	2416	msiexec.exe
Token: SeTcbPrivilege	2416	msiexec.exe
Token: SeSecurityPrivilege	2416	msiexec.exe
Token: SeTakeOwnershipPrivilege	2416	msiexec.exe
Token: SeLoadDriverPrivilege	2416	msiexec.exe
Token: SeSystemProfilePrivilege	2416	msiexec.exe
Token: SeSystemtimePrivilege	2416	msiexec.exe
Token: SeProfSingleProcessPrivilege	2416	msiexec.exe
Token: SeIncBasePriorityPrivilege	2416	msiexec.exe
Token: SeCreatePagefilePrivilege	2416	msiexec.exe
Token: SeCreatePermanentPrivilege	2416	msiexec.exe
Token: SeBackupPrivilege	2416	msiexec.exe
Token: SeRestorePrivilege	2416	msiexec.exe
Token: SeShutdownPrivilege	2416	msiexec.exe
Token: SeDebugPrivilege	2416	msiexec.exe
Token: SeAuditPrivilege	2416	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2416	msiexec.exe
Token: SeChangeNotifyPrivilege	2416	msiexec.exe
Token: SeRemoteShutdownPrivilege	2416	msiexec.exe
Token: SeUndockPrivilege	2416	msiexec.exe
Token: SeSyncAgentPrivilege	2416	msiexec.exe
Token: SeEnableDelegationPrivilege	2416	msiexec.exe
Token: SeManageVolumePrivilege	2416	msiexec.exe
Token: SeImpersonatePrivilege	2416	msiexec.exe
Token: SeCreateGlobalPrivilege	2416	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
3564	MsiExec.exe
3564	MsiExec.exe
3564	MsiExec.exe
3564	MsiExec.exe
3564	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2484	msiexec.exe
2484	msiexec.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\win68 = "C:\\Users\\Public\\owzmotqa.msi /quiet"	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ada66908-1faf-4e78-8582-239d6d90c2cf.msi
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2484
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8FC78BEBD3E76E41498D2AFA3F97E38
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Loads dropped DLL
  - Adds Run entry to start application
  PID:3564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...