Analysis
- max time kernel: 137s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 24-03-2022 21:02

Tasks
- Static task static1
- Behavioral task behavioral1: sample 3d85cd032360a85b03cdf182a052bde12ab8084ba19a82b7cdff2cbba06b89e9.msi, resource win7-20220311-en
- Behavioral task behavioral2: sample 3d85cd032360a85b03cdf182a052bde12ab8084ba19a82b7cdff2cbba06b89e9.msi, resource win10v2004-en-20220113
General
- Target: 3d85cd032360a85b03cdf182a052bde12ab8084ba19a82b7cdff2cbba06b89e9.msi
- Size: 865KB
- MD5: 8296e7857eb86fe59e304ff64b48d839
- SHA1: 9696bc7a2708e3ec4ff53aa951928c4f69083684
- SHA256: 3d85cd032360a85b03cdf182a052bde12ab8084ba19a82b7cdff2cbba06b89e9
- SHA512: 84d5f99db5ab010c7610d89165a40029faa1bd4d632492a5b6f92126992e2f92c8e00fa76de7b3f3b75abe598246e0b894d9972f0a556221049d03eedf58e0ad
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid / Process: 2028 MsiExec.exe; 2028 MsiExec.exe (two loads by the same process; the report does not name the DLL)
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Records (all "File opened (read-only)" by msiexec.exe): each of \??\A:, \??\B: and \??\E: through \??\Z: appears exactly twice (24 letters x 2 = 48 records). \??\C: and \??\D: do not appear in the list.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 1088 msiexec.exe: Token: SeSecurityPrivilege (1 record, the third in the list)
  PID 4208 msiexec.exe (63 records): Token: SeShutdownPrivilege, Token: SeIncreaseQuotaPrivilege, then the following 29-privilege sequence twice in full, followed by its first three entries again:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid / Process: 4208 msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1088 msiexec.exe wrote to memory of PID 2028 (procid_target 82); the same record appears three times.
Processes
- PID 4208: C:\Windows\system32\msiexec.exe
  cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3d85cd032360a85b03cdf182a052bde12ab8084ba19a82b7cdff2cbba06b89e9.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- PID 1088: C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child PID 2028: C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1F711C6C2D4EBC96365DCCA210F3C41F C
    - Loads dropped DLL
- PID 2624: C:\Windows\system32\rundll32.exe
  cmdline: C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
  (no signature hits)

Reading the tree: PID 4208 is the interactive Installer client that was handed the sample with /I; PID 1088 is the Windows Installer service (msiexec.exe /V), which is the process that actually performs the install; PID 2028 is the 32-bit custom action server the service spawned (MsiExec.exe -Embedding <GUID> under syswow64), and it is the only process in the run that loaded a dropped DLL, which is consistent with the sample's payload running as an MSI DLL custom action. The WriteProcessMemory records from 1088 to 2028 coincide with that child's creation. The whole-drive enumeration and the long AdjustPrivilegeToken sequence are attributed to the msiexec.exe processes themselves rather than to the dropped DLL, and both are routine for the Installer; on their own they do not distinguish this MSI from a benign one. The rundll32.exe PcaSvc.dll,PcaPatchSdbTask process is a Program Compatibility Assistant task with no signature hits in this run.
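A small triage helper for reports in this flattened form, added here as an example (it is not part of the sandbox or of the report). The input strings are excerpts constructed from the Signatures and Processes sections above (only a few of the 48 drive records are reproduced), the parent/child links are taken from the tree as drawn, and the privilege watchlist and the "Installer service -> -Embedding child that loaded a dropped DLL" heuristic are this example's choices, not sandbox rules.

```python
"""Parse flattened sandbox IoC records and derive triage facts (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpts of the report's flattened IoC tables.
DRIVE_IOCS = (
    r"File opened (read-only) \??\A: msiexec.exe "
    r"File opened (read-only) \??\A: msiexec.exe "
    r"File opened (read-only) \??\E: msiexec.exe "
    r"File opened (read-only) \??\O: msiexec.exe"
)
TOKEN_IOCS = (
    "Token: SeShutdownPrivilege 4208 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 4208 msiexec.exe "
    "Token: SeSecurityPrivilege 1088 msiexec.exe "
    "Token: SeDebugPrivilege 4208 msiexec.exe "
    "Token: SeTcbPrivilege 4208 msiexec.exe"
)
WPM_IOCS = ("PID 1088 wrote to memory of 2028 1088 msiexec.exe 82 "
            "PID 1088 wrote to memory of 2028 1088 msiexec.exe 82")
DLL_LOAD_IOCS = "2028 MsiExec.exe 2028 MsiExec.exe"

# Privileges worth a second look when an installer-launched process enables them
# (watchlist chosen for this example, not a sandbox rule).
WATCHED_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
                 "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege"}


@dataclass(frozen=True)
class Proc:
    pid: int
    parent: Optional[int]  # None for the report's top-level processes
    image: str
    cmdline: str


# Process tree as drawn in the report (2028 is the child of 1088).
PROCESSES = [
    Proc(4208, None, r"C:\Windows\system32\msiexec.exe",
         r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3d85cd032360a85b03cdf182a052bde12ab8084ba19a82b7cdff2cbba06b89e9.msi"),
    Proc(1088, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(2028, 1088, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding 1F711C6C2D4EBC96365DCCA210F3C41F C"),
    Proc(2624, None, r"C:\Windows\system32\rundll32.exe",
         r"C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask"),
]

_DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)")
_TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
_WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
_PID_PROC_RE = re.compile(r"(\d+) (\S+\.exe)")


def drives_touched(text: str) -> List[str]:
    """Distinct drive letters opened, however many times each was hit."""
    return sorted({letter for letter, _ in _DRIVE_RE.findall(text)})


def privileges_by_pid(text: str) -> Dict[int, Set[str]]:
    """Set of privileges each PID tried to enable (duplicates collapse)."""
    out: Dict[int, Set[str]] = defaultdict(set)
    for priv, pid, _ in _TOKEN_RE.findall(text):
        out[int(pid)].add(priv)
    return dict(out)


def write_process_memory_edges(text: str) -> Set[Tuple[int, int]]:
    """(writer pid, target pid) pairs; repeated records collapse to one edge."""
    return {(int(src), int(dst)) for src, dst, _, _, _ in _WPM_RE.findall(text)}


def dll_loader_pids(text: str) -> Set[int]:
    return {int(pid) for pid, _ in _PID_PROC_RE.findall(text)}


def custom_action_servers(procs: List[Proc], loaders: Set[int]) -> List[int]:
    """PIDs of MsiExec.exe -Embedding children of the Installer service (msiexec /V)
    that loaded a dropped DLL, i.e. where an MSI's DLL custom action would run."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.parent) if p.parent is not None else None
        if (p.image.lower().endswith("\\msiexec.exe")
                and "-embedding" in p.cmdline.lower()
                and parent is not None and parent.cmdline.rstrip().endswith("/V")
                and p.pid in loaders):
            hits.append(p.pid)
    return hits


def triage() -> dict:
    privs = privileges_by_pid(TOKEN_IOCS)
    return {
        "drives": drives_touched(DRIVE_IOCS),
        "watched_privs": {pid: sorted(s & WATCHED_PRIVS)
                          for pid, s in privs.items() if s & WATCHED_PRIVS},
        "wpm_edges": sorted(write_process_memory_edges(WPM_IOCS)),
        "custom_action_servers": custom_action_servers(PROCESSES, dll_loader_pids(DLL_LOAD_IOCS)),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the excerpt above the helper reports drives A, E and O, PID 4208 enabling SeDebugPrivilege and SeTcbPrivilege, a single 1088 -> 2028 WriteProcessMemory edge, and PID 2028 as the custom action server that loaded the dropped DLL; feed it the full record strings from the report to get the 24-letter drive set and the complete privilege cycle.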