d314cbad13af12a9bcc3178b54b78d477a1f3e7dc49f562d3a0b2e87e1387539

General

Target

1.msi
Size

279KB
MD5

996ed694f0957931dd986e12ad361aea
SHA1

7a7577b960d8025a97e49ebe03ae8cc0b936b697
SHA256

d314cbad13af12a9bcc3178b54b78d477a1f3e7dc49f562d3a0b2e87e1387539
SHA512

4c9310ce8cfb1a92a575fd95256726ee9602a5596e93b89bf8d87743b1a048bb9e3425d8decd803b3e0cb41068fe2a24d433c3b56760c9fc31fa1a6974a91ff8

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

MsiExec.exe

flow pid process

3 1792 MsiExec.exe
4 1792 MsiExec.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

1792 MsiExec.exe
1792 MsiExec.exe

flow	pid	process
3	1792	MsiExec.exe
4	1792	MsiExec.exe

pid	process
1792	MsiExec.exe
1792	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI283B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f761b7e.ipi	msiexec.exe
File created	C:\Windows\Installer\f761b7c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f761b7c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C28.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2195.tmp	msiexec.exe
File created	C:\Windows\Installer\f761b7e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1980 msiexec.exe
1980 msiexec.exe

pid	process
1980	msiexec.exe
1980	msiexec.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1052	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1980	msiexec.exe
Token: SeTakeOwnershipPrivilege	1980	msiexec.exe
Token: SeSecurityPrivilege	1980	msiexec.exe
Token: SeCreateTokenPrivilege	1052	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1052	msiexec.exe
Token: SeLockMemoryPrivilege	1052	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1052	msiexec.exe
Token: SeMachineAccountPrivilege	1052	msiexec.exe
Token: SeTcbPrivilege	1052	msiexec.exe
Token: SeSecurityPrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeLoadDriverPrivilege	1052	msiexec.exe
Token: SeSystemProfilePrivilege	1052	msiexec.exe
Token: SeSystemtimePrivilege	1052	msiexec.exe
Token: SeProfSingleProcessPrivilege	1052	msiexec.exe
Token: SeIncBasePriorityPrivilege	1052	msiexec.exe
Token: SeCreatePagefilePrivilege	1052	msiexec.exe
Token: SeCreatePermanentPrivilege	1052	msiexec.exe
Token: SeBackupPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeShutdownPrivilege	1052	msiexec.exe
Token: SeDebugPrivilege	1052	msiexec.exe
Token: SeAuditPrivilege	1052	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1052	msiexec.exe
Token: SeChangeNotifyPrivilege	1052	msiexec.exe
Token: SeRemoteShutdownPrivilege	1052	msiexec.exe
Token: SeUndockPrivilege	1052	msiexec.exe
Token: SeSyncAgentPrivilege	1052	msiexec.exe
Token: SeEnableDelegationPrivilege	1052	msiexec.exe
Token: SeManageVolumePrivilege	1052	msiexec.exe
Token: SeImpersonatePrivilege	1052	msiexec.exe
Token: SeCreateGlobalPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1980	msiexec.exe
Token: SeTakeOwnershipPrivilege	1980	msiexec.exe
Token: SeRestorePrivilege	1980	msiexec.exe
Token: SeTakeOwnershipPrivilege	1980	msiexec.exe
Token: SeRestorePrivilege	1980	msiexec.exe
Token: SeTakeOwnershipPrivilege	1980	msiexec.exe
Token: SeRestorePrivilege	1980	msiexec.exe
Token: SeTakeOwnershipPrivilege	1980	msiexec.exe
Token: SeRestorePrivilege	1980	msiexec.exe
Token: SeTakeOwnershipPrivilege	1980	msiexec.exe
Token: SeRestorePrivilege	1980	msiexec.exe
Token: SeTakeOwnershipPrivilege	1980	msiexec.exe
Token: SeRestorePrivilege	1980	msiexec.exe
Token: SeTakeOwnershipPrivilege	1980	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1052 msiexec.exe
1052 msiexec.exe

pid	process
1052	msiexec.exe
1052	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1980 wrote to memory of 1792	1980	msiexec.exe	MsiExec.exe
PID 1980 wrote to memory of 1792	1980	msiexec.exe	MsiExec.exe
PID 1980 wrote to memory of 1792	1980	msiexec.exe	MsiExec.exe
PID 1980 wrote to memory of 1792	1980	msiexec.exe	MsiExec.exe
PID 1980 wrote to memory of 1792	1980	msiexec.exe	MsiExec.exe
PID 1980 wrote to memory of 1792	1980	msiexec.exe	MsiExec.exe
PID 1980 wrote to memory of 1792	1980	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1052

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B19F54ADD0DC38275996E9C4DCF3A051
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI1C28.tmp
MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI2195.tmp
MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSI1C28.tmp
MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSI2195.tmp
MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
memory/1052-55-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1792-57-0x0000000000000000-mapping.dmp

Download
memory/1792-58-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads