Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
22-11-2021 07:55
General
-
Target
ee408fa74fbfe568a05b0bbeff2e4339.msi
-
Size
4.0MB
-
MD5
ee408fa74fbfe568a05b0bbeff2e4339
-
SHA1
0e8e7da9769102123a1bd8ad0d22e48338d20495
-
SHA256
abe6b696965b8e856ccb20587f8a2fc8327169557e0083cebeab58e14a9d0560
-
SHA512
290d475b870da3d3e436d67b6aed192e1f68be592ee2b9eb70b2731596c8ce13be7c0bfd0192d63b57d4d103cca4f5a6d781ccf8dba17234f73c247de21162ac
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ee408fa74fbfe568a05b0bbeff2e4339.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A551B1154E189681CFA4DCC7C2271C292⤵
- Blocklisted process makes network request
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSIB6E1.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
C:\Windows\Installer\MSIB81A.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
C:\Windows\Installer\MSIB878.tmpMD5
0872fc86ddb1c0c51beab1deaaa80218
SHA1abe143cfe0053d6e93c042815f020ff4714794bc
SHA25699f2f155dfed73c33416e82ca6cd8f6dc66abbf50513a5e2a857d12e49504c60
SHA5121b15ea0122d5adef9098381a2dc9659257ba13704fc4b51105c535044c94e370b9ea24e70c836e85cd0b4c9cc4dab63522c74af2ab913619984e86c27888a346
-
\Windows\Installer\MSIB6E1.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
\Windows\Installer\MSIB81A.tmpMD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
\Windows\Installer\MSIB878.tmpMD5
0872fc86ddb1c0c51beab1deaaa80218
SHA1abe143cfe0053d6e93c042815f020ff4714794bc
SHA25699f2f155dfed73c33416e82ca6cd8f6dc66abbf50513a5e2a857d12e49504c60
SHA5121b15ea0122d5adef9098381a2dc9659257ba13704fc4b51105c535044c94e370b9ea24e70c836e85cd0b4c9cc4dab63522c74af2ab913619984e86c27888a346
-
memory/768-55-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmpFilesize
8KB
-
memory/836-57-0x0000000000000000-mapping.dmp
-
memory/836-58-0x0000000075A01000-0x0000000075A03000-memory.dmpFilesize
8KB