Overview

overview

10

Static

static

10

DOC#848#158945.msi

windows7_x64

8

DOC#848#158945.msi

windows10_x64

8

Analysis

  • max time kernel
    110s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    02/12/2021, 23:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DOC#848#158945.msi

  • Size

    264KB

  • MD5

    c5b778c6e4b1410a079457c50193a0d5

  • SHA1

    6abd263dbc4487e80db003eaf66f1843792eab0b

  • SHA256

    50356478881e585ac8020c4e471f7494aef7cebae0bc2b98b6c106fd3b6c5ddf

  • SHA512

    2a6e412743f2b35f73e74a4846130a2ac0703ee479d76e4132bd2b1f2c5a12b000aafccb40a2015543d5e58cf7dad1f707ac99b260aa43fa16939d3022eba6fe

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 5 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DOC#848#158945.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3456
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F816B7311D6123A3CE3BA33EAEA3E264
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:3488

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1152-118-0x00000162C5980000-0x00000162C5982000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1152-117-0x00000162C5980000-0x00000162C5982000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3456-116-0x000001F346770000-0x000001F346772000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3456-115-0x000001F346770000-0x000001F346772000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3488-120-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3488-121-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

    Download