Analysis
-
max time kernel
123s -
max time network
137s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
14-10-2021 14:20
Behavioral task
behavioral1
Sample
d13d644d111ba1ad4a95d7c6dfd9b669.msi
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
d13d644d111ba1ad4a95d7c6dfd9b669.msi
Resource
win10-en-20210920
General
-
Target
d13d644d111ba1ad4a95d7c6dfd9b669.msi
-
Size
264KB
-
MD5
d13d644d111ba1ad4a95d7c6dfd9b669
-
SHA1
3c9871a124d2eebeb68ebbfd49fe9b05320a4972
-
SHA256
630793d812d85e763f5042ec21cfa2d5da436ee535fdd1ccd00b52c45f82ccb9
-
SHA512
4f03ce84adfb108da2245914949a6a133b479d05fbde75ced318ad4142d34aebea0d318bdbfd66fd876e3fa146e9cd8379a32b4ebed3a5e37dd9624cf63a7ddb
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
MsiExec.exeflow pid process 13 1516 MsiExec.exe -
Loads dropped DLL 2 IoCs
Processes:
MsiExec.exepid process 1516 MsiExec.exe 1516 MsiExec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe -
Drops file in Windows directory 5 IoCs
Processes:
msiexec.exedescription ioc process File opened for modification C:\Windows\Installer\MSIC506.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC7F5.tmp msiexec.exe File created C:\Windows\Installer\f75c46a.msi msiexec.exe File opened for modification C:\Windows\Installer\f75c46a.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 13 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of AdjustPrivilegeToken 38 IoCs
Processes:
msiexec.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 2372 msiexec.exe Token: SeIncreaseQuotaPrivilege 2372 msiexec.exe Token: SeSecurityPrivilege 2508 msiexec.exe Token: SeCreateTokenPrivilege 2372 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2372 msiexec.exe Token: SeLockMemoryPrivilege 2372 msiexec.exe Token: SeIncreaseQuotaPrivilege 2372 msiexec.exe Token: SeMachineAccountPrivilege 2372 msiexec.exe Token: SeTcbPrivilege 2372 msiexec.exe Token: SeSecurityPrivilege 2372 msiexec.exe Token: SeTakeOwnershipPrivilege 2372 msiexec.exe Token: SeLoadDriverPrivilege 2372 msiexec.exe Token: SeSystemProfilePrivilege 2372 msiexec.exe Token: SeSystemtimePrivilege 2372 msiexec.exe Token: SeProfSingleProcessPrivilege 2372 msiexec.exe Token: SeIncBasePriorityPrivilege 2372 msiexec.exe Token: SeCreatePagefilePrivilege 2372 msiexec.exe Token: SeCreatePermanentPrivilege 2372 msiexec.exe Token: SeBackupPrivilege 2372 msiexec.exe Token: SeRestorePrivilege 2372 msiexec.exe Token: SeShutdownPrivilege 2372 msiexec.exe Token: SeDebugPrivilege 2372 msiexec.exe Token: SeAuditPrivilege 2372 msiexec.exe Token: SeSystemEnvironmentPrivilege 2372 msiexec.exe Token: SeChangeNotifyPrivilege 2372 msiexec.exe Token: SeRemoteShutdownPrivilege 2372 msiexec.exe Token: SeUndockPrivilege 2372 msiexec.exe Token: SeSyncAgentPrivilege 2372 msiexec.exe Token: SeEnableDelegationPrivilege 2372 msiexec.exe Token: SeManageVolumePrivilege 2372 msiexec.exe Token: SeImpersonatePrivilege 2372 msiexec.exe Token: SeCreateGlobalPrivilege 2372 msiexec.exe Token: SeRestorePrivilege 2508 msiexec.exe Token: SeTakeOwnershipPrivilege 2508 msiexec.exe Token: SeRestorePrivilege 2508 msiexec.exe Token: SeTakeOwnershipPrivilege 2508 msiexec.exe Token: SeRestorePrivilege 2508 msiexec.exe Token: SeTakeOwnershipPrivilege 2508 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exeMsiExec.exepid process 2372 msiexec.exe 1516 MsiExec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
msiexec.exedescription pid process target process PID 2508 wrote to memory of 1516 2508 msiexec.exe MsiExec.exe PID 2508 wrote to memory of 1516 2508 msiexec.exe MsiExec.exe PID 2508 wrote to memory of 1516 2508 msiexec.exe MsiExec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d13d644d111ba1ad4a95d7c6dfd9b669.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B3EDDF755949C0A7639F7B6C3494AF4E2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSIC506.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
C:\Windows\Installer\MSIC7F5.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
\Windows\Installer\MSIC506.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
\Windows\Installer\MSIC7F5.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
memory/1516-119-0x0000000000000000-mapping.dmp
-
memory/1516-120-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/1516-121-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/2372-116-0x000001D9F65A0000-0x000001D9F65A2000-memory.dmpFilesize
8KB
-
memory/2372-115-0x000001D9F65A0000-0x000001D9F65A2000-memory.dmpFilesize
8KB
-
memory/2508-117-0x000001AE91AA0000-0x000001AE91AA2000-memory.dmpFilesize
8KB
-
memory/2508-118-0x000001AE91AA0000-0x000001AE91AA2000-memory.dmpFilesize
8KB