Analysis
max time kernel: 130s
max time network: 129s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:04

Static task: static1

Behavioral task: behavioral1
Sample: SecuriteInfo.com.Java.Ratty.2.7240.27857.msi
Resource: win7v20201028
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: SecuriteInfo.com.Java.Ratty.2.7240.27857.msi
Resource: win10v20201028
0 signatures, 0 seconds
General
Target: SecuriteInfo.com.Java.Ratty.2.7240.27857.msi
Size: 967KB
MD5: baf22cec89fe346b6811157fa3c7ea94
SHA1: 8de2ff5457647978af1f67c8410c09a7b2877501
SHA256: 1e6a10285e26e0e09b0c7871069514e51b3ff5b70a3e1462dd4c4465ea92d05c
SHA512: 33c4131c52c0cce738de925cd551c5ce306d50ed2c3e169f54a7778461e749bd7134bbd3b9c1e88fc34f13ce06da45b0ff3f3dda826e45705b0706a10c9f09b2
Score: 7/10
Malware Config
Signatures
Loads dropped DLL (2 IoCs)
PID 1992 MsiExec.exe (2 entries)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe, each drive letter twice (48 entries):
\??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Not opened: \??\C: \??\D:
Drops file in Windows directory (5 IoCs)
File opened for modification  C:\Windows\Installer\MSI735E.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI6AC4.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI6E2F.tmp  msiexec.exe
File created                  C:\Windows\Installer\f746fa5.ipi  msiexec.exe
File opened for modification  C:\Windows\Installer\             msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 1500 msiexec.exe (2 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 364 msiexec.exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
PID 364 msiexec.exe (31 entries, 29 distinct privileges; SeShutdownPrivilege and SeIncreaseQuotaPrivilege are enabled twice):
SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
PID 1500 msiexec.exe (9 entries): SeRestorePrivilege (4), SeTakeOwnershipPrivilege (4), SeSecurityPrivilege (1)
Suspicious use of FindShellTrayWindow (1 IoC)
PID 364 msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
PID 1500 msiexec.exe wrote to memory of PID 1992 (procid_target 27), 7 entries
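The flattened signature tables above are easier to reason about once they are split per process. The following is an added example, not part of the sandbox report or its tooling: it parses the report's own "File opened (read-only)", "Token:" and "PID ... wrote to memory of" entries with regular expressions and reduces them to per-PID summaries. The drive list is rebuilt from the report's letter order to keep the block short, the token and memory-write entries are copied from the signature tables, and the SENSITIVE shortlist of privileges to flag is the editor's own choice, not a sandbox rule.

```python
"""Reduce flattened sandbox IoC tables to per-process summaries.

Added example; the parsing code is not the sandbox's own. Inputs are the
signature tables of the report above (drive list rebuilt from its letter order).
"""
import re
from collections import Counter, defaultdict

# Letters of the 48 "File opened (read-only) \??\X: msiexec.exe" entries, in report order.
DRIVE_ORDER = "NIQTEKLMZJNWBJPWSUYSXGMKRVFQTVYAHPEFOXBLGHIOARUZ"
DRIVE_IOCS = " ".join(f"File opened (read-only) \\??\\{c}: msiexec.exe" for c in DRIVE_ORDER)

# The 40 "Token:" entries, copied verbatim from the AdjustPrivilegeToken signature.
TOKEN_IOCS = (
    "Token: SeShutdownPrivilege 364 msiexec.exe Token: SeIncreaseQuotaPrivilege 364 msiexec.exe "
    "Token: SeRestorePrivilege 1500 msiexec.exe Token: SeTakeOwnershipPrivilege 1500 msiexec.exe "
    "Token: SeSecurityPrivilege 1500 msiexec.exe Token: SeCreateTokenPrivilege 364 msiexec.exe "
    "Token: SeAssignPrimaryTokenPrivilege 364 msiexec.exe Token: SeLockMemoryPrivilege 364 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 364 msiexec.exe Token: SeMachineAccountPrivilege 364 msiexec.exe "
    "Token: SeTcbPrivilege 364 msiexec.exe Token: SeSecurityPrivilege 364 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 364 msiexec.exe Token: SeLoadDriverPrivilege 364 msiexec.exe "
    "Token: SeSystemProfilePrivilege 364 msiexec.exe Token: SeSystemtimePrivilege 364 msiexec.exe "
    "Token: SeProfSingleProcessPrivilege 364 msiexec.exe Token: SeIncBasePriorityPrivilege 364 msiexec.exe "
    "Token: SeCreatePagefilePrivilege 364 msiexec.exe Token: SeCreatePermanentPrivilege 364 msiexec.exe "
    "Token: SeBackupPrivilege 364 msiexec.exe Token: SeRestorePrivilege 364 msiexec.exe "
    "Token: SeShutdownPrivilege 364 msiexec.exe Token: SeDebugPrivilege 364 msiexec.exe "
    "Token: SeAuditPrivilege 364 msiexec.exe Token: SeSystemEnvironmentPrivilege 364 msiexec.exe "
    "Token: SeChangeNotifyPrivilege 364 msiexec.exe Token: SeRemoteShutdownPrivilege 364 msiexec.exe "
    "Token: SeUndockPrivilege 364 msiexec.exe Token: SeSyncAgentPrivilege 364 msiexec.exe "
    "Token: SeEnableDelegationPrivilege 364 msiexec.exe Token: SeManageVolumePrivilege 364 msiexec.exe "
    "Token: SeImpersonatePrivilege 364 msiexec.exe Token: SeCreateGlobalPrivilege 364 msiexec.exe "
    "Token: SeRestorePrivilege 1500 msiexec.exe Token: SeTakeOwnershipPrivilege 1500 msiexec.exe "
    "Token: SeRestorePrivilege 1500 msiexec.exe Token: SeTakeOwnershipPrivilege 1500 msiexec.exe "
    "Token: SeRestorePrivilege 1500 msiexec.exe Token: SeTakeOwnershipPrivilege 1500 msiexec.exe"
)

# The WriteProcessMemory signature lists the same entry seven times.
WPM_IOCS = " ".join(["PID 1500 wrote to memory of 1992 1500 msiexec.exe 27"] * 7)

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")

# Privileges worth a second look when enabled outside a system service (editor's shortlist).
SENSITIVE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
             "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege"}


def drive_summary(text):
    """Return (Counter of opens per drive letter, sorted letters never opened)."""
    seen = Counter(m.group(1) for m in DRIVE_RE.finditer(text))
    never = sorted(set("ABCDEFGHIJKLMNOPQRSTUVWXYZ") - set(seen))
    return seen, never


def privilege_summary(text):
    """Map PID -> Counter of privilege names it enabled (duplicates are counted)."""
    by_pid = defaultdict(Counter)
    for name, pid, _proc in TOKEN_RE.findall(text):
        by_pid[int(pid)][name] += 1
    return dict(by_pid)


def sensitive_by_pid(privs):
    """Per PID, the sorted subset of enabled privileges that are on the SENSITIVE list."""
    return {pid: sorted(SENSITIVE & set(c)) for pid, c in privs.items()}


def memory_write_edges(text):
    """Counter of (writer PID, target PID) pairs from the WriteProcessMemory table."""
    return Counter((int(src), int(dst)) for src, dst, _proc, _idx in WPM_RE.findall(text))


if __name__ == "__main__":
    seen, never = drive_summary(DRIVE_IOCS)
    print(f"drives opened: {''.join(sorted(seen))}, each {sorted(set(seen.values()))} times; never: {never}")
    privs = privilege_summary(TOKEN_IOCS)
    for pid, c in privs.items():
        print(f"PID {pid}: {len(c)} distinct privileges over {sum(c.values())} enables")
    print("sensitive:", sensitive_by_pid(privs))
    print("memory writes:", dict(memory_write_edges(WPM_IOCS)))
```

Run as a script it prints the same figures the reformatted tables above carry: 24 letters opened twice each with C: and D: absent, 29 distinct privileges on the client PID 364 (including SeDebugPrivilege and SeTcbPrivilege) against 3 on the service PID 1500, and all seven memory writes going from 1500 into 1992.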
Processes
C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Java.Ratty.2.7240.27857.msi
  PID: 364 (installer client started with the sample)
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 1500 (Windows Installer service; /V is the service's start command line)
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2E54CE6EB24DDEDF5F8C99C1F8D0A096
    PID: 1992 (child of 1500; 32-bit custom action server, -Embedding marks COM activation)
    - Loads dropped DLL

Note: PID 1992 is the only process in the tree that runs code carried by the package (the dropped DLL is loaded by the custom action server); every other signature is raised by the msiexec.exe client (PID 364) or service (PID 1500) and does not by itself point at package-specific behaviour.