Analysis

  • max time kernel
    137s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    24-03-2022 21:02

General

  • Target

    3d85cd032360a85b03cdf182a052bde12ab8084ba19a82b7cdff2cbba06b89e9.msi

  • Size

    865KB

  • MD5

    8296e7857eb86fe59e304ff64b48d839

  • SHA1

    9696bc7a2708e3ec4ff53aa951928c4f69083684

  • SHA256

    3d85cd032360a85b03cdf182a052bde12ab8084ba19a82b7cdff2cbba06b89e9

  • SHA512

    84d5f99db5ab010c7610d89165a40029faa1bd4d632492a5b6f92126992e2f92c8e00fa76de7b3f3b75abe598246e0b894d9972f0a556221049d03eedf58e0ad

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3d85cd032360a85b03cdf182a052bde12ab8084ba19a82b7cdff2cbba06b89e9.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4208
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1F711C6C2D4EBC96365DCCA210F3C41F C
      2⤵
      • Loads dropped DLL
      PID:2028
  • C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
    1⤵
      PID:2624
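The `MsiExec.exe -Embedding <GUID>` child under the service-side `msiexec.exe /V` is the custom action server that the Windows Installer service starts over COM to host DLL custom actions; here it runs from `syswow64`, so the action is 32-bit, and it is the process on which the "Loads dropped DLL" signature fires. To see what the package would execute without detonating it again, the PowerShell script below (added here as an example; it is not part of the report or of the sample) lists the CustomAction table with its type bits decoded and extracts the Binary table streams through the `WindowsInstaller.Installer` COM object. The sample and output paths are assumptions.

```powershell
# Added example: static triage of an MSI's CustomAction and Binary tables via
# the WindowsInstaller COM automation interface. Paths below are assumptions.
param(
    [string]$MsiPath = "C:\samples\3d85cd032360a85b03cdf182a052bde12ab8084ba19a82b7cdff2cbba06b89e9.msi",
    [string]$OutDir  = "C:\samples\extracted"
)

# The Installer object is late-bound, so every call goes through InvokeMember.
function Invoke-MsiMember($obj, [string]$name, [string]$kind, [object[]]$arguments) {
    $obj.GetType().InvokeMember($name, $kind, $null, $obj, $arguments)
}

# Runs an MSI SQL query and yields each Record of the result.
function Invoke-MsiQuery($database, [string]$sql) {
    $view = Invoke-MsiMember $database "OpenView" "InvokeMethod" @($sql)
    Invoke-MsiMember $view "Execute" "InvokeMethod" $null | Out-Null
    while ($true) {
        $rec = Invoke-MsiMember $view "Fetch" "InvokeMethod" $null
        if ($null -eq $rec) { break }
        $rec
    }
    Invoke-MsiMember $view "Close" "InvokeMethod" $null | Out-Null
}

function Get-MsiString($record, [int]$index) {
    Invoke-MsiMember $record "StringData" "GetProperty" @($index)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
# msiOpenDatabaseModeReadOnly = 0: reading the tables runs no custom action.
$db = Invoke-MsiMember $installer "OpenDatabase" "InvokeMethod" @($MsiPath, 0)

# CustomAction.Type: low 6 bits select the kind; 0x400 = deferred,
# 0x800 = no-impersonate (the action runs as LocalSystem inside the service).
$kinds = @{ 1 = "DLL in Binary table"; 2 = "EXE in Binary table"; 5 = "JScript in Binary table"
            6 = "VBScript in Binary table"; 17 = "DLL from installed file"; 18 = "EXE from installed file"
            34 = "EXE by path"; 35 = "set directory"; 37 = "inline JScript"; 38 = "inline VBScript"
            50 = "EXE from property"; 51 = "set property"; 53 = "JScript from property"; 54 = "VBScript from property" }

"== CustomAction =="
try {
    foreach ($r in Invoke-MsiQuery $db "SELECT Action, Type, Source, Target FROM CustomAction") {
        $type  = [int](Get-MsiString $r 2)
        $kind  = $kinds[$type -band 0x3F]; if (-not $kind) { $kind = "other" }
        $flags = @()
        if ($type -band 0x400) { $flags += "deferred" }
        if ($type -band 0x800) { $flags += "no-impersonate" }
        "{0,-28} type={1,-5} {2,-24} src={3} target={4} {5}" -f (Get-MsiString $r 1), $type, $kind,
            (Get-MsiString $r 3), (Get-MsiString $r 4), ($flags -join ",")
    }
} catch { "no CustomAction table: $($_.Exception.Message)" }

"== Binary (extracting to $OutDir) =="
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
foreach ($r in Invoke-MsiQuery $db "SELECT Name, Data FROM Binary") {
    $name = Get-MsiString $r 1
    $size = Invoke-MsiMember $r "DataSize" "GetProperty" @(2)
    if ($size -le 0) { continue }
    # msiReadStreamBytes = 1: the stream comes back as one character per byte.
    $raw   = Invoke-MsiMember $r "ReadStream" "InvokeMethod" @(2, $size, 1)
    $bytes = New-Object byte[] $raw.Length
    for ($i = 0; $i -lt $raw.Length; $i++) { $bytes[$i] = [byte][int]$raw[$i] }
    $path  = Join-Path $OutDir (($name -replace '[\\/:*?"<>|]', '_') + ".bin")
    [IO.File]::WriteAllBytes($path, $bytes)

    # PE check: "MZ" header, then IMAGE_FILE_HEADER.Machine (0x14C = x86, 0x8664 = x64).
    $machine = "n/a"
    if ($bytes.Length -gt 0x40 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
        $peOff = [BitConverter]::ToInt32($bytes, 0x3C)
        if ($peOff -gt 0 -and $peOff + 6 -le $bytes.Length) {
            $machine = "0x{0:X}" -f [BitConverter]::ToUInt16($bytes, $peOff + 4)
        }
    }
    "{0,-28} {1,8} bytes  machine={2,-7} sha256={3}" -f $name, $bytes.Length, $machine,
        (Get-FileHash $path -Algorithm SHA256).Hash
}

[Runtime.InteropServices.Marshal]::ReleaseComObject($db) | Out-Null
```

Run it only inside an isolated analysis VM: opening the database read-only executes nothing from the package, but the script still handles the malicious file. A Type 1 action with a `machine=0x14C` binary matches the 32-bit custom action server seen in the process tree; an action carrying the 0x800 flag would run as LocalSystem, which is the usual reason an installer needs the privilege-token activity the report lists. On Linux, `msiinfo export <file> CustomAction` and `msiinfo extract` from msitools read the same tables.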

Network

MITRE ATT&CK Enterprise v6
