Analysis
max time kernel: 150s
max time network: 29s
platform: windows7_x64
resource: win7-en-20210920
submitted: 26-09-2021 14:41
Static task: static1
Behavioral task: behavioral1
Sample: Adobe-Indesign-Business-Plan-Template-Free.msi
Resource: win7-en-20210920 (windows7_x64)
0 signatures, 0 seconds
General
Target: Adobe-Indesign-Business-Plan-Template-Free.msi
Score: 8/10
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
flow  pid  Process
2     968  msiexec.exe
4     968  msiexec.exe

Executes dropped EXE (2 IoCs)
pid  Process
984  MSID074.tmp
596  MSID074.tmp

Loads dropped DLL (14 IoCs)
pid   Process
984   MSID074.tmp
912   MsiExec.exe
596   MSID074.tmp
596   MSID074.tmp
596   MSID074.tmp
596   MSID074.tmp
596   MSID074.tmp
596   MSID074.tmp
596   MSID074.tmp
596   MSID074.tmp
596   MSID074.tmp
596   MSID074.tmp
912   MsiExec.exe
1480  MsiExec.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc            Process
File opened (read-only)  (see below)    msiexec.exe
All 48 entries share the description "File opened (read-only)" and the process msiexec.exe; the ioc column, in report order, is:
\??\H:, \??\L:, \??\L:, \??\X:, \??\E:, \??\S:, \??\U:, \??\N:, \??\G:, \??\H:, \??\Q:, \??\T:, \??\V:, \??\Y:, \??\A:, \??\G:, \??\B:, \??\F:, \??\J:, \??\O:, \??\F:, \??\X:, \??\Y:, \??\A:, \??\K:, \??\W:, \??\P:, \??\Q:, \??\E:, \??\R:, \??\B:, \??\Z:, \??\R:, \??\S:, \??\U:, \??\V:, \??\I:, \??\M:, \??\P:, \??\Z:, \??\K:, \??\M:, \??\T:, \??\W:, \??\N:, \??\O:, \??\J:, \??\I:
Drops file in System32 directory (1 IoCs)
description                   ioc                                                                                                                          Process
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1012  powershell.exe
1480  MsiExec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                           pid  Process
Token: SeShutdownPrivilege            968  msiexec.exe
Token: SeIncreaseQuotaPrivilege       968  msiexec.exe
Token: SeRestorePrivilege             768  msiexec.exe
Token: SeTakeOwnershipPrivilege       768  msiexec.exe
Token: SeSecurityPrivilege            768  msiexec.exe
Token: SeCreateTokenPrivilege         968  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  968  msiexec.exe
Token: SeLockMemoryPrivilege          968  msiexec.exe
Token: SeIncreaseQuotaPrivilege       968  msiexec.exe
Token: SeMachineAccountPrivilege      968  msiexec.exe
Token: SeTcbPrivilege                 968  msiexec.exe
Token: SeSecurityPrivilege            968  msiexec.exe
Token: SeTakeOwnershipPrivilege       968  msiexec.exe
Token: SeLoadDriverPrivilege          968  msiexec.exe
Token: SeSystemProfilePrivilege       968  msiexec.exe
Token: SeSystemtimePrivilege          968  msiexec.exe
Token: SeProfSingleProcessPrivilege   968  msiexec.exe
Token: SeIncBasePriorityPrivilege     968  msiexec.exe
Token: SeCreatePagefilePrivilege      968  msiexec.exe
Token: SeCreatePermanentPrivilege     968  msiexec.exe
Token: SeBackupPrivilege              968  msiexec.exe
Token: SeRestorePrivilege             968  msiexec.exe
Token: SeShutdownPrivilege            968  msiexec.exe
Token: SeDebugPrivilege               968  msiexec.exe
Token: SeAuditPrivilege               968  msiexec.exe
Token: SeSystemEnvironmentPrivilege   968  msiexec.exe
Token: SeChangeNotifyPrivilege        968  msiexec.exe
Token: SeRemoteShutdownPrivilege      968  msiexec.exe
Token: SeUndockPrivilege              968  msiexec.exe
Token: SeSyncAgentPrivilege           968  msiexec.exe
Token: SeEnableDelegationPrivilege    968  msiexec.exe
Token: SeManageVolumePrivilege        968  msiexec.exe
Token: SeImpersonatePrivilege         968  msiexec.exe
Token: SeCreateGlobalPrivilege        968  msiexec.exe
Token: SeCreateTokenPrivilege         968  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  968  msiexec.exe
Token: SeLockMemoryPrivilege          968  msiexec.exe
Token: SeIncreaseQuotaPrivilege       968  msiexec.exe
Token: SeMachineAccountPrivilege      968  msiexec.exe
Token: SeTcbPrivilege                 968  msiexec.exe
Token: SeSecurityPrivilege            968  msiexec.exe
Token: SeTakeOwnershipPrivilege       968  msiexec.exe
Token: SeLoadDriverPrivilege          968  msiexec.exe
Token: SeSystemProfilePrivilege       968  msiexec.exe
Token: SeSystemtimePrivilege          968  msiexec.exe
Token: SeProfSingleProcessPrivilege   968  msiexec.exe
Token: SeIncBasePriorityPrivilege     968  msiexec.exe
Token: SeCreatePagefilePrivilege      968  msiexec.exe
Token: SeCreatePermanentPrivilege     968  msiexec.exe
Token: SeBackupPrivilege              968  msiexec.exe
Token: SeRestorePrivilege             968  msiexec.exe
Token: SeShutdownPrivilege            968  msiexec.exe
Token: SeDebugPrivilege               968  msiexec.exe
Token: SeAuditPrivilege               968  msiexec.exe
Token: SeSystemEnvironmentPrivilege   968  msiexec.exe
Token: SeChangeNotifyPrivilege        968  msiexec.exe
Token: SeRemoteShutdownPrivilege      968  msiexec.exe
Token: SeUndockPrivilege              968  msiexec.exe
Token: SeSyncAgentPrivilege           968  msiexec.exe
Token: SeEnableDelegationPrivilege    968  msiexec.exe
Token: SeManageVolumePrivilege        968  msiexec.exe
Token: SeImpersonatePrivilege         968  msiexec.exe
Token: SeCreateGlobalPrivilege        968  msiexec.exe
Token: SeCreateTokenPrivilege         968  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid  Process
968  msiexec.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Identical rows are collapsed; the entries column gives how many times each row appears in the report.
description                      pid  Process      procid_target  entries
PID 768 wrote to memory of 912   768  msiexec.exe  28             7
PID 968 wrote to memory of 984   968  msiexec.exe  29             7
PID 984 wrote to memory of 596   984  MSID074.tmp  30             7
PID 912 wrote to memory of 1012  912  MsiExec.exe  31             4
PID 768 wrote to memory of 1480  768  msiexec.exe  33             7
Processes
C:\Windows\system32\msiexec.exe (PID 968)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Adobe-Indesign-Business-Plan-Template-Free.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MSID074.tmp (PID 984)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSID074.tmp"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\Temp\{AE72E311-0897-4B71-A72E-A67359D69859}\.cr\MSID074.tmp (PID 596)
      Command line: "C:\Windows\Temp\{AE72E311-0897-4B71-A72E-A67359D69859}\.cr\MSID074.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\MSID074.tmp" -burn.filehandle.attached=180 -burn.filehandle.self=188
      - Executes dropped EXE
      - Loads dropped DLL

C:\Windows\system32\msiexec.exe (PID 768)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe (PID 912)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5EA81B05D07DF3177271DC52D7DF206E C
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1012)
      Command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD480.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiD44E.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrD44F.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrD450.txt" -propSep " :<->: " -testPrefix "_testValue."
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\syswow64\MsiExec.exe (PID 1480)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 38BAA0A4C0E98CFD271CD0DF0D2DB1CE C
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses