Analysis
-
max time kernel
121s -
max time network
133s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
13-02-2022 12:30
Static task
static1
Behavioral task
behavioral1
Sample
90f613caa131c663e32aabc31b5fccc99edcfa874110d51cd627531d3a67b16d.msi
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
90f613caa131c663e32aabc31b5fccc99edcfa874110d51cd627531d3a67b16d.msi
Resource
win10v2004-en-20220113
General
-
Target
90f613caa131c663e32aabc31b5fccc99edcfa874110d51cd627531d3a67b16d.msi
-
Size
382KB
-
MD5
63bed40e369b76379b47818ba912ee43
-
SHA1
11c72a1239ffe8b6bcd2f5418c369b044f3bfc4a
-
SHA256
90f613caa131c663e32aabc31b5fccc99edcfa874110d51cd627531d3a67b16d
-
SHA512
aa1be6812f84d8cf205cac1878d8eca1c3d345d7807e3804b6814028b74b3355fd68b90f804b3973ef40aac8bc6d395fa4063b1aca23e9394d0aa74a551f5174
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 944 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 39 IoCs
description pid Process Token: SeShutdownPrivilege 944 msiexec.exe Token: SeIncreaseQuotaPrivilege 944 msiexec.exe Token: SeRestorePrivilege 560 msiexec.exe Token: SeTakeOwnershipPrivilege 560 msiexec.exe Token: SeSecurityPrivilege 560 msiexec.exe Token: SeCreateTokenPrivilege 944 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 944 msiexec.exe Token: SeLockMemoryPrivilege 944 msiexec.exe Token: SeIncreaseQuotaPrivilege 944 msiexec.exe Token: SeMachineAccountPrivilege 944 msiexec.exe Token: SeTcbPrivilege 944 msiexec.exe Token: SeSecurityPrivilege 944 msiexec.exe Token: SeTakeOwnershipPrivilege 944 msiexec.exe Token: SeLoadDriverPrivilege 944 msiexec.exe Token: SeSystemProfilePrivilege 944 msiexec.exe Token: SeSystemtimePrivilege 944 msiexec.exe Token: SeProfSingleProcessPrivilege 944 msiexec.exe Token: SeIncBasePriorityPrivilege 944 msiexec.exe Token: SeCreatePagefilePrivilege 944 msiexec.exe Token: SeCreatePermanentPrivilege 944 msiexec.exe Token: SeBackupPrivilege 944 msiexec.exe Token: SeRestorePrivilege 944 msiexec.exe Token: SeShutdownPrivilege 944 msiexec.exe Token: SeDebugPrivilege 944 msiexec.exe Token: SeAuditPrivilege 944 msiexec.exe Token: SeSystemEnvironmentPrivilege 944 msiexec.exe Token: SeChangeNotifyPrivilege 944 msiexec.exe Token: SeRemoteShutdownPrivilege 944 msiexec.exe Token: SeUndockPrivilege 944 msiexec.exe Token: SeSyncAgentPrivilege 944 msiexec.exe Token: SeEnableDelegationPrivilege 944 msiexec.exe Token: SeManageVolumePrivilege 944 msiexec.exe Token: SeImpersonatePrivilege 944 msiexec.exe Token: SeCreateGlobalPrivilege 944 msiexec.exe Token: SeBackupPrivilege 808 vssvc.exe Token: SeRestorePrivilege 808 vssvc.exe Token: SeAuditPrivilege 808 vssvc.exe Token: SeBackupPrivilege 560 msiexec.exe Token: SeRestorePrivilege 560 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 944 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\90f613caa131c663e32aabc31b5fccc99edcfa874110d51cd627531d3a67b16d.msi1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:944
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:560
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:808