9015936f2891016026c8e4b7317ea2f36f976bec13d9763068f004f9cc3b7a6d

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-en-20211014
submitted
16-11-2021 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16- 838594.msi
Size

264KB
MD5

c0b81ddd61e2036eeeaa57ffec65eb0a
SHA1

190fc125a9d5bdd899c270ed4b0d604e0d22fb5e
SHA256

9015936f2891016026c8e4b7317ea2f36f976bec13d9763068f004f9cc3b7a6d
SHA512

1f065f5f03307a851b6d56ac123a06c3a2af03dd66ffa06f54483d385217729e17e92365ca9fe098eaeaeba9fbdf52c0a7671f7925b3719490f10dacbbb56aae

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

MsiExec.exe

flow	pid	Process
2	1948	MsiExec.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid	Process
1948	MsiExec.exe
1948	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 4 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE4A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE6F6.tmp	msiexec.exe
File created	C:\Windows\Installer\f75e418.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f75e418.msi	msiexec.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	1644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1644	msiexec.exe
Token: SeRestorePrivilege	1516	msiexec.exe
Token: SeTakeOwnershipPrivilege	1516	msiexec.exe
Token: SeSecurityPrivilege	1516	msiexec.exe
Token: SeCreateTokenPrivilege	1644	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1644	msiexec.exe
Token: SeLockMemoryPrivilege	1644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1644	msiexec.exe
Token: SeMachineAccountPrivilege	1644	msiexec.exe
Token: SeTcbPrivilege	1644	msiexec.exe
Token: SeSecurityPrivilege	1644	msiexec.exe
Token: SeTakeOwnershipPrivilege	1644	msiexec.exe
Token: SeLoadDriverPrivilege	1644	msiexec.exe
Token: SeSystemProfilePrivilege	1644	msiexec.exe
Token: SeSystemtimePrivilege	1644	msiexec.exe
Token: SeProfSingleProcessPrivilege	1644	msiexec.exe
Token: SeIncBasePriorityPrivilege	1644	msiexec.exe
Token: SeCreatePagefilePrivilege	1644	msiexec.exe
Token: SeCreatePermanentPrivilege	1644	msiexec.exe
Token: SeBackupPrivilege	1644	msiexec.exe
Token: SeRestorePrivilege	1644	msiexec.exe
Token: SeShutdownPrivilege	1644	msiexec.exe
Token: SeDebugPrivilege	1644	msiexec.exe
Token: SeAuditPrivilege	1644	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1644	msiexec.exe
Token: SeChangeNotifyPrivilege	1644	msiexec.exe
Token: SeRemoteShutdownPrivilege	1644	msiexec.exe
Token: SeUndockPrivilege	1644	msiexec.exe
Token: SeSyncAgentPrivilege	1644	msiexec.exe
Token: SeEnableDelegationPrivilege	1644	msiexec.exe
Token: SeManageVolumePrivilege	1644	msiexec.exe
Token: SeImpersonatePrivilege	1644	msiexec.exe
Token: SeCreateGlobalPrivilege	1644	msiexec.exe
Token: SeRestorePrivilege	1516	msiexec.exe
Token: SeTakeOwnershipPrivilege	1516	msiexec.exe
Token: SeRestorePrivilege	1516	msiexec.exe
Token: SeTakeOwnershipPrivilege	1516	msiexec.exe
Token: SeRestorePrivilege	1516	msiexec.exe
Token: SeTakeOwnershipPrivilege	1516	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
1644	msiexec.exe
1644	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	Process	procid_target
PID 1516 wrote to memory of 1948	1516	msiexec.exe	29
PID 1516 wrote to memory of 1948	1516	msiexec.exe	29
PID 1516 wrote to memory of 1948	1516	msiexec.exe	29
PID 1516 wrote to memory of 1948	1516	msiexec.exe	29
PID 1516 wrote to memory of 1948	1516	msiexec.exe	29
PID 1516 wrote to memory of 1948	1516	msiexec.exe	29
PID 1516 wrote to memory of 1948	1516	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\16- 838594.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1644

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 994576A8A734B14357B6B247514E7486
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIE4A4.tmp

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSIE6F6.tmp

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSIE4A4.tmp

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSIE6F6.tmp

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
memory/1644-55-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download
memory/1948-57-0x0000000000000000-mapping.dmp

Download
memory/1948-58-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download