Analysis
max time kernel: 119s
max time network: 117s
platform: windows7_x64
resource: win7-en-20211014
submitted: 15-10-2021 12:17
Behavioral tasks (every task runs the same sample, 1.msi)
behavioral1: resource win7-ja-20210920
behavioral2: resource win7-en-20211014
behavioral3: resource win7-de-20210920
behavioral4: resource win11
behavioral5: resource win10-ja-20211014
behavioral6: resource win10-en-20211014
behavioral7: resource win10-de-20210920
General
Target: 1.msi
Size: 279KB
MD5: 996ed694f0957931dd986e12ad361aea
SHA1: 7a7577b960d8025a97e49ebe03ae8cc0b936b697
SHA256: d314cbad13af12a9bcc3178b54b78d477a1f3e7dc49f562d3a0b2e87e1387539
SHA512: 4c9310ce8cfb1a92a575fd95256726ee9602a5596e93b89bf8d87743b1a048bb9e3425d8decd803b3e0cb41068fe2a24d433c3b56760c9fc31fa1a6974a91ff8
Malware Config
Signatures
-
Blocklisted process makes network request (2 IoCs)
Processes:
flow  pid   process
3     1792  MsiExec.exe
4     1792  MsiExec.exe
Loads dropped DLL (2 IoCs)
Processes:
pid   process
1792  MsiExec.exe
1792  MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe (two instances)
description              ioc                                            process
File opened (read-only)  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H:      msiexec.exe
File opened (read-only)  \??\I: \??\J: \??\K: \??\L: \??\M: \??\N:      msiexec.exe
File opened (read-only)  \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T:      msiexec.exe
File opened (read-only)  \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:      msiexec.exe
Every drive letter except C: and D: is opened, and each letter is logged twice (24 letters x 2 = 48 IoCs), consistent with both msiexec.exe instances probing the drive roots.
Drops file in Windows directory (8 IoCs)
Processes:
description                   ioc                                  process
File opened for modification  C:\Windows\Installer\MSI283B.tmp     msiexec.exe
File opened for modification  C:\Windows\Installer\f761b7e.ipi     msiexec.exe
File created                  C:\Windows\Installer\f761b7c.msi     msiexec.exe
File opened for modification  C:\Windows\Installer\f761b7c.msi     msiexec.exe
File opened for modification  C:\Windows\Installer\MSI1C28.tmp     msiexec.exe
File opened for modification  C:\Windows\Installer\MSI2195.tmp     msiexec.exe
File created                  C:\Windows\Installer\f761b7e.ipi     msiexec.exe
File opened for modification  C:\Windows\Installer\                msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   process
1980  msiexec.exe
1980  msiexec.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: msiexec.exe (pid 1052) and msiexec.exe (pid 1980)

pid 1052, msiexec.exe (31 IoCs), tokens in the order logged:
Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege

pid 1980, msiexec.exe (17 IoCs), tokens in the order logged:
Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then the pair SeRestorePrivilege / SeTakeOwnershipPrivilege seven more times
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid   process
1052  msiexec.exe
1052  msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                          pid   process      target process
PID 1980 wrote to memory of 1792     1980  msiexec.exe  MsiExec.exe
(the same record is logged seven times)
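The signature tables above only make sense as a chain: the Windows Installer service (msiexec.exe /V, pid 1980) writes into a child MsiExec.exe -Embedding process (pid 1792), and it is that child, the custom-action server, which loads a dropped DLL and makes the network requests. The script below is an added example, not part of the sandbox report: it reconstructs that chain from a small event log constructed out of the page's own records and turns it into a severity verdict. The parent pid of 1792 and the two MSI*.tmp paths it loads are labelled assumptions in the code (the report names neither the loaded file nor the parent explicitly).

```python
"""Correlate the msiexec process chain from a sandbox report into a verdict.

Added example, not part of the report. The event lines are constructed from the
signature tables on this page (PIDs 1052, 1980, 1792). The installer service
(msiexec.exe /V) hosts DLL custom actions in a separate MsiExec.exe -Embedding
<GUID> process; a DLL stored in the package's Binary table is first written to
%WINDIR%\\Installer\\MSIxxxx.tmp and then loaded from there. The rule flags an
-Embedding server that loads such a file and also makes a network request.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: Optional[int] = None
    loaded: List[str] = field(default_factory=list)
    net_flows: List[int] = field(default_factory=list)
    wrote_to: List[int] = field(default_factory=list)


# Constructed event log. The ppid of 1792 follows the report's tree (depth 2
# under "/V") and the WriteProcessMemory 1980 -> 1792 records. ASSUMPTION: the
# report says 1792 "Loads dropped DLL" and lists MSI1C28.tmp / MSI2195.tmp under
# Downloads, but does not say which file was loaded; both are used here.
EVENTS = [
    r"proc pid=1052 ppid=- image=C:\Windows\system32\msiexec.exe cmd=msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.msi",
    r"proc pid=1980 ppid=- image=C:\Windows\system32\msiexec.exe cmd=C:\Windows\system32\msiexec.exe /V",
    r"proc pid=1792 ppid=1980 image=C:\Windows\syswow64\MsiExec.exe cmd=C:\Windows\syswow64\MsiExec.exe -Embedding B19F54ADD0DC38275996E9C4DCF3A051",
    "wpm pid=1980 target=1792",
    r"load pid=1792 path=C:\Windows\Installer\MSI1C28.tmp",
    r"load pid=1792 path=C:\Windows\Installer\MSI2195.tmp",
    "net pid=1792 flow=3",
    "net pid=1792 flow=4",
]

PROC_RE = re.compile(r"^proc pid=(\d+) ppid=(\S+) image=(\S+) cmd=(.*)$")
# Files msiexec extracts from the Binary table before loading them.
DROPPED_CA_RE = re.compile(r"^[a-z]:\\windows\\installer\\msi[0-9a-f]{1,4}\.tmp$", re.I)


def parse(lines: List[str]) -> Dict[int, Proc]:
    """Build a pid -> Proc map; non-proc events attach to an already seen pid."""
    procs: Dict[int, Proc] = {}
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            pid, ppid, image, cmd = m.groups()
            procs[int(pid)] = Proc(int(pid), image, cmd, None if ppid == "-" else int(ppid))
            continue
        kind, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        p = procs[int(f["pid"])]
        if kind == "wpm":
            p.wrote_to.append(int(f["target"]))
        elif kind == "load":
            p.loaded.append(f["path"])
        elif kind == "net":
            p.net_flows.append(int(f["flow"]))
    return procs


def is_installer_service(p: Proc) -> bool:
    """msiexec.exe /V is the Windows Installer service process."""
    return p.image.lower().endswith("\\msiexec.exe") and "/v" in p.cmdline.lower().split()


def is_custom_action_server(p: Proc) -> bool:
    """MsiExec.exe -Embedding <GUID> is the out-of-process custom-action host."""
    return p.image.lower().endswith("\\msiexec.exe") and "-embedding" in p.cmdline.lower().split()


def triage(procs: Dict[int, Proc]) -> List[dict]:
    """Return one finding per custom-action server, with its evidence chain."""
    findings = []
    for p in procs.values():
        if not is_custom_action_server(p):
            continue
        parent = procs.get(p.ppid) if p.ppid is not None else None
        dropped = [d for d in p.loaded if DROPPED_CA_RE.match(d)]
        reasons = []
        if parent is not None and is_installer_service(parent):
            reasons.append(f"spawned by installer service pid {parent.pid}")
        if parent is not None and p.pid in parent.wrote_to:
            reasons.append(f"pid {parent.pid} wrote to its memory")
        if dropped:
            reasons.append("loaded Binary-table payload: " + ", ".join(dropped))
        if p.net_flows:
            reasons.append(f"network flows {p.net_flows}")
        if dropped and p.net_flows:
            severity = "high"      # custom-action DLL with its own network activity
        elif dropped or p.net_flows:
            severity = "medium"
        else:
            severity = "info"
        findings.append({"pid": p.pid, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse(EVENTS)):
        print(f["severity"].upper(), f["pid"], *f["reasons"], sep="\n  ")
```

Run as-is it reports pid 1792 as high with four reasons. The point of keying on the -Embedding process rather than on msiexec.exe in general is that a legitimate install produces the first two processes and the drive enumeration too; it is the custom-action server loading package-supplied code and then talking to the network that separates this sample from benign installer noise.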
Processes
C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.msi
  tree depth 1 (the installer client; pid 1052 per the FindShellTrayWindow and AdjustPrivilegeToken tables)
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  tree depth 1 (the Windows Installer service; pid 1980 per the EnumeratesProcesses and WriteProcessMemory tables)
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding B19F54ADD0DC38275996E9C4DCF3A051
    tree depth 2, spawned under the /V service process (pid 1792, the process 1980 wrote to; the 32-bit custom-action server)
    - Blocklisted process makes network request
    - Loads dropped DLL
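The -Embedding process is where package-supplied custom actions execute, and "Loads dropped DLL" together with the C:\Windows\Installer\MSI*.tmp files is the footprint of a DLL stored in the MSI's Binary table being staged and called. The static check a responder would run next is to read the CustomAction table of the .msi and decode each action's Type value. The following is an added example, not part of the report or of any tool shown here: it decodes CustomAction.Type bits (values per msidefs.h) and ranks the dangerous combinations, and it can read the table from a real package with the stdlib msilib module on Windows. The sample rows are constructed; whether 1.msi itself contains a DLL custom action is not shown on this page.

```python
"""Decode Windows Installer CustomAction.Type values and rank the risky ones.

Added example, not part of the report. Bit values follow msidefs.h. The rows in
SAMPLE_ROWS are constructed (ASSUMPTION: they were not read from 1.msi); pass a
path on the command line on Windows to read a real package instead.
"""
from typing import Dict, List

KIND = {1: "DLL", 2: "EXE", 3: "TextData", 5: "JScript", 6: "VBScript", 7: "Install"}
SOURCE = {0x00: "Binary table", 0x10: "installed File", 0x20: "Directory/inline", 0x30: "Property"}
FLAGS = [
    (0x0040, "continue"), (0x0080, "async"), (0x0800, "no_impersonate"),
    (0x1000, "64bit_script"), (0x2000, "hide_target"), (0x4000, "ts_aware"),
    (0x8000, "patch_uninstall"),
]


def decode_custom_action_type(t: int) -> Dict[str, object]:
    """Split a CustomAction.Type integer into kind, source, scheduling and flags."""
    kind = KIND.get(t & 0x7, f"unknown({t & 0x7})")
    source = SOURCE[t & 0x30]
    flags = [name for bit, name in FLAGS if t & bit]
    in_script = bool(t & 0x400)
    sched = t & 0x300
    if in_script:   # deferred: bits 0x100/0x200 select rollback/commit variants
        schedule = {0x000: "deferred", 0x100: "rollback", 0x200: "commit"}.get(sched, "deferred+?")
    else:           # immediate: the same bits select repeat behaviour
        schedule = {0x000: "immediate", 0x100: "first_sequence",
                    0x200: "once_per_process", 0x300: "client_repeat"}[sched]
    return {
        "kind": kind,
        "source": source,
        "schedule": schedule,
        "flags": flags,
        # Only deferred actions may drop impersonation, i.e. run as LocalSystem.
        "runs_as_system": in_script and bool(t & 0x800),
        # Executable content carried inside the package (staged as MSIxxxx.tmp).
        "embedded_payload": kind in ("DLL", "EXE", "JScript", "VBScript") and (t & 0x30) == 0,
    }


def assess(t: int) -> str:
    """high: package-embedded code running as SYSTEM; medium: either alone."""
    d = decode_custom_action_type(t)
    if d["embedded_payload"] and d["runs_as_system"]:
        return "high"
    if d["embedded_payload"] or d["runs_as_system"]:
        return "medium"
    return "low"


def list_custom_actions(msi_path: str) -> List[tuple]:
    """Windows only: read the CustomAction table with the stdlib msilib module
    (available through Python 3.12). Returns (Action, Type, Source, Target) rows."""
    import msilib  # not available on non-Windows platforms, so imported lazily
    db = msilib.OpenDatabase(msi_path, msilib.MSIDBOPEN_READONLY)
    view = db.OpenView("SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`")
    view.Execute(None)
    rows = []
    while True:
        rec = view.Fetch()
        if rec is None:
            break
        rows.append((rec.GetString(1), rec.GetInteger(2), rec.GetString(3), rec.GetString(4)))
    view.Close()
    return rows


# Constructed sample rows (ASSUMPTION: illustrative, not taken from 1.msi).
SAMPLE_ROWS = [
    ("SetTARGETDIR", 51, "TARGETDIR", "[ProgramFilesFolder]App"),   # set-property action
    ("RunPayload", 3073, "payload.dll", "Entry"),   # DLL from Binary table, deferred, no-impersonate
    ("LaunchHelper", 2, "helper.exe", "/silent"),   # EXE from Binary table, immediate
]


def report(rows) -> List[tuple]:
    """(Action, verdict, kind) for each CustomAction row."""
    return [(name, assess(t), decode_custom_action_type(t)["kind"]) for name, t, _, _ in rows]


if __name__ == "__main__":
    import sys
    rows = list_custom_actions(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ROWS
    for line in report(rows):
        print(*line)
```

Type 3073 (0xC01) is the combination to look for first: a DLL from the Binary table, deferred, with no-impersonate set, which means the code is written to %WINDIR%\Installer\MSIxxxx.tmp and invoked by the installer service as LocalSystem. An immediate Binary-table action (type 1 or 2) still runs package code, but under the installing user's token.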
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Four dropped-file entries, all carrying the same content hashes:
  C:\Windows\Installer\MSI1C28.tmp
  C:\Windows\Installer\MSI2195.tmp
  \Windows\Installer\MSI1C28.tmp
  \Windows\Installer\MSI2195.tmp
MD5: 9f1e5d66c2889018daef4aef604eebc4
SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
Memory dumps
memory/1052-55-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp   Filesize: 8KB
memory/1792-57-0x0000000000000000-mapping.dmp
memory/1792-58-0x0000000075D41000-0x0000000075D43000-memory.dmp   Filesize: 8KB