56e791cc8e07df049102c8d489a27c08ce231b90ac97eb97c741ddeb236fec24

Analysis

max time kernel
132s
max time network
121s
platform
windows7_x64
resource
win7-en-20211208
submitted
03-02-2022 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

N-72kzbfcz 2d2e1q.msi
Size

952KB
MD5

7d577d8a871c7340f56660b1e4389601
SHA1

6e2a1cb4eb564634baab2c1649fdaed7f92d7943
SHA256

56e791cc8e07df049102c8d489a27c08ce231b90ac97eb97c741ddeb236fec24
SHA512

03a1693e8f4be065bb4e84ff7c8e56e4c2e3a59092c38a0d503fe30032f5d67d2f0cab75dbe36751da456015ef1f7d81d343d6253fc418f661c4003c0eaae72c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 28 IoCs

Processes:

MsiExec.exe

flow	pid	process
5	1632	MsiExec.exe
6	1632	MsiExec.exe
7	1632	MsiExec.exe
8	1632	MsiExec.exe
9	1632	MsiExec.exe
10	1632	MsiExec.exe
11	1632	MsiExec.exe
12	1632	MsiExec.exe
13	1632	MsiExec.exe
14	1632	MsiExec.exe
15	1632	MsiExec.exe
16	1632	MsiExec.exe
18	1632	MsiExec.exe
19	1632	MsiExec.exe
20	1632	MsiExec.exe
21	1632	MsiExec.exe
22	1632	MsiExec.exe
23	1632	MsiExec.exe
24	1632	MsiExec.exe
25	1632	MsiExec.exe
26	1632	MsiExec.exe
27	1632	MsiExec.exe
28	1632	MsiExec.exe
29	1632	MsiExec.exe
30	1632	MsiExec.exe
32	1632	MsiExec.exe
33	1632	MsiExec.exe
34	1632	MsiExec.exe

Loads dropped DLL 6 IoCs

Processes:

MsiExec.exe

pid process

1632 MsiExec.exe
1632 MsiExec.exe
1632 MsiExec.exe
1632 MsiExec.exe
1632 MsiExec.exe
1632 MsiExec.exe

pid	process
1632	MsiExec.exe
1632	MsiExec.exe
1632	MsiExec.exe
1632	MsiExec.exe
1632	MsiExec.exe
1632	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIC4E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC779.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD1A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\2b192.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB1F0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB7BB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC370.tmp	msiexec.exe
File created	C:\Windows\Installer\2b192.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB867.tmp	msiexec.exe
File created	C:\Windows\Installer\2b194.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\2b194.ipi	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1032 msiexec.exe
1032 msiexec.exe

pid	process
1032	msiexec.exe
1032	msiexec.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1604	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeSecurityPrivilege	1032	msiexec.exe
Token: SeCreateTokenPrivilege	1604	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1604	msiexec.exe
Token: SeLockMemoryPrivilege	1604	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1604	msiexec.exe
Token: SeMachineAccountPrivilege	1604	msiexec.exe
Token: SeTcbPrivilege	1604	msiexec.exe
Token: SeSecurityPrivilege	1604	msiexec.exe
Token: SeTakeOwnershipPrivilege	1604	msiexec.exe
Token: SeLoadDriverPrivilege	1604	msiexec.exe
Token: SeSystemProfilePrivilege	1604	msiexec.exe
Token: SeSystemtimePrivilege	1604	msiexec.exe
Token: SeProfSingleProcessPrivilege	1604	msiexec.exe
Token: SeIncBasePriorityPrivilege	1604	msiexec.exe
Token: SeCreatePagefilePrivilege	1604	msiexec.exe
Token: SeCreatePermanentPrivilege	1604	msiexec.exe
Token: SeBackupPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1604	msiexec.exe
Token: SeShutdownPrivilege	1604	msiexec.exe
Token: SeDebugPrivilege	1604	msiexec.exe
Token: SeAuditPrivilege	1604	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1604	msiexec.exe
Token: SeChangeNotifyPrivilege	1604	msiexec.exe
Token: SeRemoteShutdownPrivilege	1604	msiexec.exe
Token: SeUndockPrivilege	1604	msiexec.exe
Token: SeSyncAgentPrivilege	1604	msiexec.exe
Token: SeEnableDelegationPrivilege	1604	msiexec.exe
Token: SeManageVolumePrivilege	1604	msiexec.exe
Token: SeImpersonatePrivilege	1604	msiexec.exe
Token: SeCreateGlobalPrivilege	1604	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe
Token: SeRestorePrivilege	1032	msiexec.exe
Token: SeTakeOwnershipPrivilege	1032	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1604 msiexec.exe
1604 msiexec.exe

pid	process
1604	msiexec.exe
1604	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1032 wrote to memory of 1632	1032	msiexec.exe	MsiExec.exe
PID 1032 wrote to memory of 1632	1032	msiexec.exe	MsiExec.exe
PID 1032 wrote to memory of 1632	1032	msiexec.exe	MsiExec.exe
PID 1032 wrote to memory of 1632	1032	msiexec.exe	MsiExec.exe
PID 1032 wrote to memory of 1632	1032	msiexec.exe	MsiExec.exe
PID 1032 wrote to memory of 1632	1032	msiexec.exe	MsiExec.exe
PID 1032 wrote to memory of 1632	1032	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\N-72kzbfcz 2d2e1q.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1604

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 24AA0589A427D085572E1B5EB2A491DD
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIB1F0.tmp
MD5
d90ab57e6c584f90fbbea74b566216e3

SHA1
4616e59aed33848f5870e5e1fe865f932721a162

SHA256
44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

SHA512
5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

Download Submit
C:\Windows\Installer\MSIB7BB.tmp
MD5
d90ab57e6c584f90fbbea74b566216e3

SHA1
4616e59aed33848f5870e5e1fe865f932721a162

SHA256
44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

SHA512
5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

Download Submit
C:\Windows\Installer\MSIB867.tmp
MD5
d90ab57e6c584f90fbbea74b566216e3

SHA1
4616e59aed33848f5870e5e1fe865f932721a162

SHA256
44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

SHA512
5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

Download Submit
C:\Windows\Installer\MSIC4E7.tmp
MD5
06bf05c1b207c1340db60571ee6ef552

SHA1
64b9ad03c6827a320633336c5e53c974d950ef67

SHA256
2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

SHA512
a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

Download Submit
C:\Windows\Installer\MSIC779.tmp
MD5
06bf05c1b207c1340db60571ee6ef552

SHA1
64b9ad03c6827a320633336c5e53c974d950ef67

SHA256
2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

SHA512
a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

Download Submit
C:\Windows\Installer\MSIFD1A.tmp
MD5
06bf05c1b207c1340db60571ee6ef552

SHA1
64b9ad03c6827a320633336c5e53c974d950ef67

SHA256
2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

SHA512
a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

Download Submit
\Windows\Installer\MSIB1F0.tmp
MD5
d90ab57e6c584f90fbbea74b566216e3

SHA1
4616e59aed33848f5870e5e1fe865f932721a162

SHA256
44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

SHA512
5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

Download Submit
\Windows\Installer\MSIB7BB.tmp
MD5
d90ab57e6c584f90fbbea74b566216e3

SHA1
4616e59aed33848f5870e5e1fe865f932721a162

SHA256
44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

SHA512
5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

Download Submit
\Windows\Installer\MSIB867.tmp
MD5
d90ab57e6c584f90fbbea74b566216e3

SHA1
4616e59aed33848f5870e5e1fe865f932721a162

SHA256
44ffc4959be0ddb18b02d59c75e78e3e721992e362a2f90cae19adb3271886b9

SHA512
5b13fe1e34f4ec05ccacaf57fc67f49993e5d950e5396e715686749ddae0b18d5f2d70b3cd3a9ada3389db269213e915f19fd10a54330eaecd765475844e6695

Download Submit
\Windows\Installer\MSIC4E7.tmp
MD5
06bf05c1b207c1340db60571ee6ef552

SHA1
64b9ad03c6827a320633336c5e53c974d950ef67

SHA256
2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

SHA512
a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

Download Submit
\Windows\Installer\MSIC779.tmp
MD5
06bf05c1b207c1340db60571ee6ef552

SHA1
64b9ad03c6827a320633336c5e53c974d950ef67

SHA256
2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

SHA512
a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

Download Submit
\Windows\Installer\MSIFD1A.tmp
MD5
06bf05c1b207c1340db60571ee6ef552

SHA1
64b9ad03c6827a320633336c5e53c974d950ef67

SHA256
2ffdeb634dcd556e84b56d8546f5f4840b9b2c14706290230f37bb43b15da901

SHA512
a66bda9de66a30495bf592f80b8bdae1b1b6340c37a2f6eb3fabf881a1cf107b626968df42ae319cb0cd5e27b88f0c6fe753f2cc57637430b217855108bc9b81

Download Submit
memory/1604-54-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp

Filesize
8KB

Download
memory/1632-56-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download