Analysis
- max time kernel: 71s
- max time network: 24s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 14:08
Static task: static1

Behavioral task: behavioral1
- Sample: 788f1abb67d6f21cf299e2f67a2b414d169e8ab16cc8a61bf698e5c7f1482999.msi
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 788f1abb67d6f21cf299e2f67a2b414d169e8ab16cc8a61bf698e5c7f1482999.msi
- Resource: win10v2004-en-20220112
General
- Target: 788f1abb67d6f21cf299e2f67a2b414d169e8ab16cc8a61bf698e5c7f1482999.msi
- Size: 967KB
- MD5: e435c7fe014ceb78e4bc09bf3f71c5d0
- SHA1: d895c75ea47413b96df4673e929cb55dab912306
- SHA256: 788f1abb67d6f21cf299e2f67a2b414d169e8ab16cc8a61bf698e5c7f1482999
- SHA512: e86a5d43dccbc44a6bdfd8967a51ec02d1741afda00d8fc6d63b45babf30e91a260603e9d3207160b9484a99fa7f3a8030674806c5b7f4e08188994b87f7c14a
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid   Process
  1980  MsiExec.exe
  1980  MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
- Drops file in Windows directory (6 IoCs)
  description                   ioc                                  Process
  File opened for modification  C:\Windows\Installer\                msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIDD84.tmp     msiexec.exe
  File opened for modification  C:\Windows\Installer\2d826.ipi       msiexec.exe
  File opened for modification  C:\Windows\Installer\MSICDB9.tmp     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSID604.tmp     msiexec.exe
  File created                  C:\Windows\Installer\2d826.ipi       msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1816  msiexec.exe
  1816  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            1740  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1740  msiexec.exe
  Token: SeRestorePrivilege             1816  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1816  msiexec.exe
  Token: SeSecurityPrivilege            1816  msiexec.exe
  Token: SeCreateTokenPrivilege         1740  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1740  msiexec.exe
  Token: SeLockMemoryPrivilege          1740  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1740  msiexec.exe
  Token: SeMachineAccountPrivilege      1740  msiexec.exe
  Token: SeTcbPrivilege                 1740  msiexec.exe
  Token: SeSecurityPrivilege            1740  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1740  msiexec.exe
  Token: SeLoadDriverPrivilege          1740  msiexec.exe
  Token: SeSystemProfilePrivilege       1740  msiexec.exe
  Token: SeSystemtimePrivilege          1740  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1740  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1740  msiexec.exe
  Token: SeCreatePagefilePrivilege      1740  msiexec.exe
  Token: SeCreatePermanentPrivilege     1740  msiexec.exe
  Token: SeBackupPrivilege              1740  msiexec.exe
  Token: SeRestorePrivilege             1740  msiexec.exe
  Token: SeShutdownPrivilege            1740  msiexec.exe
  Token: SeDebugPrivilege               1740  msiexec.exe
  Token: SeAuditPrivilege               1740  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1740  msiexec.exe
  Token: SeChangeNotifyPrivilege        1740  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1740  msiexec.exe
  Token: SeUndockPrivilege              1740  msiexec.exe
  Token: SeSyncAgentPrivilege           1740  msiexec.exe
  Token: SeEnableDelegationPrivilege    1740  msiexec.exe
  Token: SeManageVolumePrivilege        1740  msiexec.exe
  Token: SeImpersonatePrivilege         1740  msiexec.exe
  Token: SeCreateGlobalPrivilege        1740  msiexec.exe
  Token: SeRestorePrivilege             1816  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1816  msiexec.exe
  Token: SeRestorePrivilege             1816  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1816  msiexec.exe
  Token: SeRestorePrivilege             1816  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1816  msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1740  msiexec.exe
  1740  msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process      procid_target
  PID 1816 wrote to memory of 1980  1816  msiexec.exe  28
  PID 1816 wrote to memory of 1980  1816  msiexec.exe  28
  PID 1816 wrote to memory of 1980  1816  msiexec.exe  28
  PID 1816 wrote to memory of 1980  1816  msiexec.exe  28
  PID 1816 wrote to memory of 1980  1816  msiexec.exe  28
  PID 1816 wrote to memory of 1980  1816  msiexec.exe  28
  PID 1816 wrote to memory of 1980  1816  msiexec.exe  28
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\788f1abb67d6f21cf299e2f67a2b414d169e8ab16cc8a61bf698e5c7f1482999.msi
  PID: 1740
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1816
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (child of PID 1816)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 24A80E38D0C2AD81B28C527C04A453C7
    PID: 1980
    - Loads dropped DLL