a54fe8044d12684b941ada860b515252623e9ddc1ae880ad370320fc0c2d5947

Analysis

max time kernel
69s
max time network
143s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOC-49B8OP200.msi
Size

1015KB
MD5

472a5b55e3ffd9c7e3f3b355bf7cae40
SHA1

cf26c9f79529c897cd76fec9270d4ead9c235aa1
SHA256

a54fe8044d12684b941ada860b515252623e9ddc1ae880ad370320fc0c2d5947
SHA512

e7ce58cce7c899afde04f1f47cd78283edcb876d5bbb70c2dd9b03df9be6bc14abec3066968e5d4e8ceefe656ebf99cd04ab0da61be8a33ecc4ef06bda2b9a5f

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

MsiExec.exe

flow pid process

11 3580 MsiExec.exe
13 3580 MsiExec.exe
15 3580 MsiExec.exe
17 3580 MsiExec.exe
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exe

pid process

3580 MsiExec.exe
3580 MsiExec.exe
3580 MsiExec.exe
3580 MsiExec.exe
3580 MsiExec.exe
3580 MsiExec.exe

flow	pid	process
11	3580	MsiExec.exe
13	3580	MsiExec.exe
15	3580	MsiExec.exe
17	3580	MsiExec.exe

pid	process
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe
3580	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f745644.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI577C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FE9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6367.tmp	msiexec.exe
File created	C:\Windows\Installer\f745644.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI60A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6114.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{317CA777-5852-40BC-AE26-244067E1280D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65AC.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

3992 msiexec.exe
3992 msiexec.exe

pid	process
3992	msiexec.exe
3992	msiexec.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	576	msiexec.exe
Token: SeSecurityPrivilege	3992	msiexec.exe
Token: SeCreateTokenPrivilege	576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	576	msiexec.exe
Token: SeLockMemoryPrivilege	576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	576	msiexec.exe
Token: SeMachineAccountPrivilege	576	msiexec.exe
Token: SeTcbPrivilege	576	msiexec.exe
Token: SeSecurityPrivilege	576	msiexec.exe
Token: SeTakeOwnershipPrivilege	576	msiexec.exe
Token: SeLoadDriverPrivilege	576	msiexec.exe
Token: SeSystemProfilePrivilege	576	msiexec.exe
Token: SeSystemtimePrivilege	576	msiexec.exe
Token: SeProfSingleProcessPrivilege	576	msiexec.exe
Token: SeIncBasePriorityPrivilege	576	msiexec.exe
Token: SeCreatePagefilePrivilege	576	msiexec.exe
Token: SeCreatePermanentPrivilege	576	msiexec.exe
Token: SeBackupPrivilege	576	msiexec.exe
Token: SeRestorePrivilege	576	msiexec.exe
Token: SeShutdownPrivilege	576	msiexec.exe
Token: SeDebugPrivilege	576	msiexec.exe
Token: SeAuditPrivilege	576	msiexec.exe
Token: SeSystemEnvironmentPrivilege	576	msiexec.exe
Token: SeChangeNotifyPrivilege	576	msiexec.exe
Token: SeRemoteShutdownPrivilege	576	msiexec.exe
Token: SeUndockPrivilege	576	msiexec.exe
Token: SeSyncAgentPrivilege	576	msiexec.exe
Token: SeEnableDelegationPrivilege	576	msiexec.exe
Token: SeManageVolumePrivilege	576	msiexec.exe
Token: SeImpersonatePrivilege	576	msiexec.exe
Token: SeCreateGlobalPrivilege	576	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msiexec.exe

pid process

576 msiexec.exe
576 msiexec.exe
576 msiexec.exe

pid	process
576	msiexec.exe
576	msiexec.exe
576	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 3992 wrote to memory of 3580	3992	msiexec.exe	MsiExec.exe
PID 3992 wrote to memory of 3580	3992	msiexec.exe	MsiExec.exe
PID 3992 wrote to memory of 3580	3992	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DOC-49B8OP200.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 52734FFBB7F3175FEE4CE353D40E8179
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI45087.LOG

MD5
2d2f049494b10427516332517151b149

SHA1
d85b2b2705a4a4b4e1a4dbfb700d20e440f3069e

SHA256
d80d723550e0c4a2521058fff64443bd0d22a0873d62d86977b25efd5730ae40

SHA512
cf086a90c389c774ea2433c34fb9ac26e5d99ff93d130fa843a03658b928dd5ce84ec1035f85026283523707e64ce99c55f079c5014c945edeea1d75c8c0c195

Download Submit
C:\Windows\Installer\MSI577C.tmp

MD5
a3b4d222a755f43b34a0963f13f77500

SHA1
e3bd216f35434287197082745b9f789b9a4f93c6

SHA256
9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

SHA512
7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

Download Submit
C:\Windows\Installer\MSI5FE9.tmp

MD5
a3b4d222a755f43b34a0963f13f77500

SHA1
e3bd216f35434287197082745b9f789b9a4f93c6

SHA256
9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

SHA512
7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

Download Submit
C:\Windows\Installer\MSI60A6.tmp

MD5
a3b4d222a755f43b34a0963f13f77500

SHA1
e3bd216f35434287197082745b9f789b9a4f93c6

SHA256
9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

SHA512
7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

Download Submit
C:\Windows\Installer\MSI6114.tmp

MD5
a3b4d222a755f43b34a0963f13f77500

SHA1
e3bd216f35434287197082745b9f789b9a4f93c6

SHA256
9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

SHA512
7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

Download Submit
C:\Windows\Installer\MSI63B6.tmp

MD5
b81fc21f9ea3d9c1d947389fc32c7d66

SHA1
d8e957a0555b3d8e1b30bb3f30b11e564b9d854e

SHA256
e0b42df2cb2b631b98213cc4b23273ebe71ae91e78bcb1218b4d81a2627328c6

SHA512
e977f44c4db748f355fbbcab65bfada4f2f639832350c83bef7ec29c54d20fc47e40d9815f2c5c4cae3e61b2ffe443a14fe1033c3fa8faf16aca1e5120cc0639

Download Submit
C:\Windows\Installer\MSI65AC.tmp

MD5
b81fc21f9ea3d9c1d947389fc32c7d66

SHA1
d8e957a0555b3d8e1b30bb3f30b11e564b9d854e

SHA256
e0b42df2cb2b631b98213cc4b23273ebe71ae91e78bcb1218b4d81a2627328c6

SHA512
e977f44c4db748f355fbbcab65bfada4f2f639832350c83bef7ec29c54d20fc47e40d9815f2c5c4cae3e61b2ffe443a14fe1033c3fa8faf16aca1e5120cc0639

Download Submit
\Windows\Installer\MSI577C.tmp

MD5
a3b4d222a755f43b34a0963f13f77500

SHA1
e3bd216f35434287197082745b9f789b9a4f93c6

SHA256
9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

SHA512
7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

Download Submit
\Windows\Installer\MSI5FE9.tmp

MD5
a3b4d222a755f43b34a0963f13f77500

SHA1
e3bd216f35434287197082745b9f789b9a4f93c6

SHA256
9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

SHA512
7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

Download Submit
\Windows\Installer\MSI60A6.tmp

MD5
a3b4d222a755f43b34a0963f13f77500

SHA1
e3bd216f35434287197082745b9f789b9a4f93c6

SHA256
9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

SHA512
7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

Download Submit
\Windows\Installer\MSI6114.tmp

MD5
a3b4d222a755f43b34a0963f13f77500

SHA1
e3bd216f35434287197082745b9f789b9a4f93c6

SHA256
9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54

SHA512
7baf4279fe8409db2a10638b060d2f19259be82363180c521a83f786d64c5b6e5b024ebeeedb163773d9d19efa1f1da036b55a94cc4009108eb2b910c64a3e50

Download Submit
\Windows\Installer\MSI63B6.tmp

MD5
b81fc21f9ea3d9c1d947389fc32c7d66

SHA1
d8e957a0555b3d8e1b30bb3f30b11e564b9d854e

SHA256
e0b42df2cb2b631b98213cc4b23273ebe71ae91e78bcb1218b4d81a2627328c6

SHA512
e977f44c4db748f355fbbcab65bfada4f2f639832350c83bef7ec29c54d20fc47e40d9815f2c5c4cae3e61b2ffe443a14fe1033c3fa8faf16aca1e5120cc0639

Download Submit
\Windows\Installer\MSI65AC.tmp

MD5
b81fc21f9ea3d9c1d947389fc32c7d66

SHA1
d8e957a0555b3d8e1b30bb3f30b11e564b9d854e

SHA256
e0b42df2cb2b631b98213cc4b23273ebe71ae91e78bcb1218b4d81a2627328c6

SHA512
e977f44c4db748f355fbbcab65bfada4f2f639832350c83bef7ec29c54d20fc47e40d9815f2c5c4cae3e61b2ffe443a14fe1033c3fa8faf16aca1e5120cc0639

Download Submit
memory/3580-3-0x0000000000000000-mapping.dmp

Download