Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
23-11-2021 15:14
Static task
static1
Behavioral task
behavioral1
Sample
b9e49c59ff734f7bdb5f4cc35b1d8bb2.msi
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
b9e49c59ff734f7bdb5f4cc35b1d8bb2.msi
Resource
win10-en-20211104
General
-
Target
b9e49c59ff734f7bdb5f4cc35b1d8bb2.msi
-
Size
264KB
-
MD5
b9e49c59ff734f7bdb5f4cc35b1d8bb2
-
SHA1
4321a500fbe210d4d4b020d92fe211da05cb5065
-
SHA256
fedd8610da159a593c56d0685ce7d579beaab9ccf00487a980ae9b6bf9ff743c
-
SHA512
667391e80098f9a24204040a740634f8712f7a3a07b502924c7489abc0af4f0f7d5ff97537949c5de8254279f0279f46f9d265c919f0789a4619a73b53cd8c13
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
MsiExec.exeflow pid Process 7 1316 MsiExec.exe -
Loads dropped DLL 2 IoCs
Processes:
MsiExec.exepid Process 1316 MsiExec.exe 1316 MsiExec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc Process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe -
Drops file in Windows directory 5 IoCs
Processes:
msiexec.exedescription ioc Process File created C:\Windows\Installer\f75c18c.msi msiexec.exe File opened for modification C:\Windows\Installer\f75c18c.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIC257.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC96C.tmp msiexec.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of AdjustPrivilegeToken 38 IoCs
Processes:
msiexec.exemsiexec.exedescription pid Process Token: SeShutdownPrivilege 3196 msiexec.exe Token: SeIncreaseQuotaPrivilege 3196 msiexec.exe Token: SeSecurityPrivilege 3508 msiexec.exe Token: SeCreateTokenPrivilege 3196 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3196 msiexec.exe Token: SeLockMemoryPrivilege 3196 msiexec.exe Token: SeIncreaseQuotaPrivilege 3196 msiexec.exe Token: SeMachineAccountPrivilege 3196 msiexec.exe Token: SeTcbPrivilege 3196 msiexec.exe Token: SeSecurityPrivilege 3196 msiexec.exe Token: SeTakeOwnershipPrivilege 3196 msiexec.exe Token: SeLoadDriverPrivilege 3196 msiexec.exe Token: SeSystemProfilePrivilege 3196 msiexec.exe Token: SeSystemtimePrivilege 3196 msiexec.exe Token: SeProfSingleProcessPrivilege 3196 msiexec.exe Token: SeIncBasePriorityPrivilege 3196 msiexec.exe Token: SeCreatePagefilePrivilege 3196 msiexec.exe Token: SeCreatePermanentPrivilege 3196 msiexec.exe Token: SeBackupPrivilege 3196 msiexec.exe Token: SeRestorePrivilege 3196 msiexec.exe Token: SeShutdownPrivilege 3196 msiexec.exe Token: SeDebugPrivilege 3196 msiexec.exe Token: SeAuditPrivilege 3196 msiexec.exe Token: SeSystemEnvironmentPrivilege 3196 msiexec.exe Token: SeChangeNotifyPrivilege 3196 msiexec.exe Token: SeRemoteShutdownPrivilege 3196 msiexec.exe Token: SeUndockPrivilege 3196 msiexec.exe Token: SeSyncAgentPrivilege 3196 msiexec.exe Token: SeEnableDelegationPrivilege 3196 msiexec.exe Token: SeManageVolumePrivilege 3196 msiexec.exe Token: SeImpersonatePrivilege 3196 msiexec.exe Token: SeCreateGlobalPrivilege 3196 msiexec.exe Token: SeRestorePrivilege 3508 msiexec.exe Token: SeTakeOwnershipPrivilege 3508 msiexec.exe Token: SeRestorePrivilege 3508 msiexec.exe Token: SeTakeOwnershipPrivilege 3508 msiexec.exe Token: SeRestorePrivilege 3508 msiexec.exe Token: SeTakeOwnershipPrivilege 3508 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid Process 3196 msiexec.exe 3196 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
msiexec.exedescription pid Process procid_target PID 3508 wrote to memory of 1316 3508 msiexec.exe 70 PID 3508 wrote to memory of 1316 3508 msiexec.exe 70 PID 3508 wrote to memory of 1316 3508 msiexec.exe 70
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b9e49c59ff734f7bdb5f4cc35b1d8bb2.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3196
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6ACBC60C841C57ED64A55441DC44637C2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1316
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
MD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
MD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b
-
MD5
9f1e5d66c2889018daef4aef604eebc4
SHA1b80294261c8a1635e16e14f55a3d76889ff2c857
SHA25602a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA5128f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b