630793d812d85e763f5042ec21cfa2d5da436ee535fdd1ccd00b52c45f82ccb9

General

Target

d13d644d111ba1ad4a95d7c6dfd9b669.msi
Size

264KB
MD5

d13d644d111ba1ad4a95d7c6dfd9b669
SHA1

3c9871a124d2eebeb68ebbfd49fe9b05320a4972
SHA256

630793d812d85e763f5042ec21cfa2d5da436ee535fdd1ccd00b52c45f82ccb9
SHA512

4f03ce84adfb108da2245914949a6a133b479d05fbde75ced318ad4142d34aebea0d318bdbfd66fd876e3fa146e9cd8379a32b4ebed3a5e37dd9624cf63a7ddb

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

MsiExec.exe

flow pid process

13 1516 MsiExec.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

1516 MsiExec.exe
1516 MsiExec.exe

flow	pid	process
13	1516	MsiExec.exe

pid	process
1516	MsiExec.exe
1516	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 5 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIC506.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7F5.tmp	msiexec.exe
File created	C:\Windows\Installer\f75c46a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f75c46a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 13 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2372	msiexec.exe
Token: SeSecurityPrivilege	2508	msiexec.exe
Token: SeCreateTokenPrivilege	2372	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2372	msiexec.exe
Token: SeLockMemoryPrivilege	2372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2372	msiexec.exe
Token: SeMachineAccountPrivilege	2372	msiexec.exe
Token: SeTcbPrivilege	2372	msiexec.exe
Token: SeSecurityPrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeLoadDriverPrivilege	2372	msiexec.exe
Token: SeSystemProfilePrivilege	2372	msiexec.exe
Token: SeSystemtimePrivilege	2372	msiexec.exe
Token: SeProfSingleProcessPrivilege	2372	msiexec.exe
Token: SeIncBasePriorityPrivilege	2372	msiexec.exe
Token: SeCreatePagefilePrivilege	2372	msiexec.exe
Token: SeCreatePermanentPrivilege	2372	msiexec.exe
Token: SeBackupPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeShutdownPrivilege	2372	msiexec.exe
Token: SeDebugPrivilege	2372	msiexec.exe
Token: SeAuditPrivilege	2372	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2372	msiexec.exe
Token: SeChangeNotifyPrivilege	2372	msiexec.exe
Token: SeRemoteShutdownPrivilege	2372	msiexec.exe
Token: SeUndockPrivilege	2372	msiexec.exe
Token: SeSyncAgentPrivilege	2372	msiexec.exe
Token: SeEnableDelegationPrivilege	2372	msiexec.exe
Token: SeManageVolumePrivilege	2372	msiexec.exe
Token: SeImpersonatePrivilege	2372	msiexec.exe
Token: SeCreateGlobalPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exeMsiExec.exe

pid process

2372 msiexec.exe
1516 MsiExec.exe

pid	process
2372	msiexec.exe
1516	MsiExec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2508 wrote to memory of 1516	2508	msiexec.exe	MsiExec.exe
PID 2508 wrote to memory of 1516	2508	msiexec.exe	MsiExec.exe
PID 2508 wrote to memory of 1516	2508	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d13d644d111ba1ad4a95d7c6dfd9b669.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B3EDDF755949C0A7639F7B6C3494AF4E
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIC506.tmp
MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSIC7F5.tmp
MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSIC506.tmp
MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSIC7F5.tmp
MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
memory/1516-119-0x0000000000000000-mapping.dmp

Download
memory/1516-120-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1516-121-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2372-116-0x000001D9F65A0000-0x000001D9F65A2000-memory.dmp

Filesize
8KB

Download
memory/2372-115-0x000001D9F65A0000-0x000001D9F65A2000-memory.dmp

Filesize
8KB

Download
memory/2508-117-0x000001AE91AA0000-0x000001AE91AA2000-memory.dmp

Filesize
8KB

Download
memory/2508-118-0x000001AE91AA0000-0x000001AE91AA2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads