Overview

overview

8

Static

static

10

b9e49c59ff...b2.msi

windows7_x64

8

b9e49c59ff...b2.msi

windows10_x64

8

Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    23-11-2021 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9e49c59ff734f7bdb5f4cc35b1d8bb2.msi

  • Size

    264KB

  • MD5

    b9e49c59ff734f7bdb5f4cc35b1d8bb2

  • SHA1

    4321a500fbe210d4d4b020d92fe211da05cb5065

  • SHA256

    fedd8610da159a593c56d0685ce7d579beaab9ccf00487a980ae9b6bf9ff743c

  • SHA512

    667391e80098f9a24204040a740634f8712f7a3a07b502924c7489abc0af4f0f7d5ff97537949c5de8254279f0279f46f9d265c919f0789a4619a73b53cd8c13

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 5 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b9e49c59ff734f7bdb5f4cc35b1d8bb2.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3196
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6ACBC60C841C57ED64A55441DC44637C
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:1316

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Installer\MSIC257.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • C:\Windows\Installer\MSIC96C.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Windows\Installer\MSIC257.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • \Windows\Installer\MSIC96C.tmp
    MD5

    9f1e5d66c2889018daef4aef604eebc4

    SHA1

    b80294261c8a1635e16e14f55a3d76889ff2c857

    SHA256

    02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

    SHA512

    8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

    Download Submit

  • memory/1316-122-0x0000000000000000-mapping.dmp

    Download

  • memory/1316-124-0x0000000000620000-0x0000000000621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1316-123-0x0000000000620000-0x0000000000621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3196-119-0x000001F37BC00000-0x000001F37BC02000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3196-118-0x000001F37BC00000-0x000001F37BC02000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3508-120-0x000001DB58EE0000-0x000001DB58EE2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3508-121-0x000001DB58EE0000-0x000001DB58EE2000-memory.dmp

    Filesize

    8KB

    Download