24f0bb6cba35e87f01d6ea92761171a535c691ce9225348cb2605760d5b12462

General

Target

c2e1f22a3443076326f1920cf9923c69.msi
Size

360KB
MD5

c2e1f22a3443076326f1920cf9923c69
SHA1

6932c2dfca6c51efefbbb6b7af1af2abd7f6b96a
SHA256

24f0bb6cba35e87f01d6ea92761171a535c691ce9225348cb2605760d5b12462
SHA512

b0e4d3188b933a0822a51396bea3ca28c21a0bfe57ed1d4706e3c4631fec2717be9e180210981aeec086549754c744a7bfcbe57d38ad2bc930708096ba26b7e5

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

MsiExec.exe

pid process

1344 MsiExec.exe
1344 MsiExec.exe
1344 MsiExec.exe
1344 MsiExec.exe

pid	process
1344	MsiExec.exe
1344	MsiExec.exe
1344	MsiExec.exe
1344	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIDFE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE3BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE40C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB428.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6cde20.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE37E.tmp	msiexec.exe
File created	C:\Windows\Installer\6cde22.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\dbcode21mk.log	msiexec.exe
File created	C:\Windows\Installer\6cde20.msi	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1276 msiexec.exe
1276 msiexec.exe

pid	process
1276	msiexec.exe
1276	msiexec.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	948	msiexec.exe
Token: SeIncreaseQuotaPrivilege	948	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeSecurityPrivilege	1276	msiexec.exe
Token: SeCreateTokenPrivilege	948	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	948	msiexec.exe
Token: SeLockMemoryPrivilege	948	msiexec.exe
Token: SeIncreaseQuotaPrivilege	948	msiexec.exe
Token: SeMachineAccountPrivilege	948	msiexec.exe
Token: SeTcbPrivilege	948	msiexec.exe
Token: SeSecurityPrivilege	948	msiexec.exe
Token: SeTakeOwnershipPrivilege	948	msiexec.exe
Token: SeLoadDriverPrivilege	948	msiexec.exe
Token: SeSystemProfilePrivilege	948	msiexec.exe
Token: SeSystemtimePrivilege	948	msiexec.exe
Token: SeProfSingleProcessPrivilege	948	msiexec.exe
Token: SeIncBasePriorityPrivilege	948	msiexec.exe
Token: SeCreatePagefilePrivilege	948	msiexec.exe
Token: SeCreatePermanentPrivilege	948	msiexec.exe
Token: SeBackupPrivilege	948	msiexec.exe
Token: SeRestorePrivilege	948	msiexec.exe
Token: SeShutdownPrivilege	948	msiexec.exe
Token: SeDebugPrivilege	948	msiexec.exe
Token: SeAuditPrivilege	948	msiexec.exe
Token: SeSystemEnvironmentPrivilege	948	msiexec.exe
Token: SeChangeNotifyPrivilege	948	msiexec.exe
Token: SeRemoteShutdownPrivilege	948	msiexec.exe
Token: SeUndockPrivilege	948	msiexec.exe
Token: SeSyncAgentPrivilege	948	msiexec.exe
Token: SeEnableDelegationPrivilege	948	msiexec.exe
Token: SeManageVolumePrivilege	948	msiexec.exe
Token: SeImpersonatePrivilege	948	msiexec.exe
Token: SeCreateGlobalPrivilege	948	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

948 msiexec.exe

pid	process
948	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1276 wrote to memory of 1344	1276	msiexec.exe	MsiExec.exe
PID 1276 wrote to memory of 1344	1276	msiexec.exe	MsiExec.exe
PID 1276 wrote to memory of 1344	1276	msiexec.exe	MsiExec.exe
PID 1276 wrote to memory of 1344	1276	msiexec.exe	MsiExec.exe
PID 1276 wrote to memory of 1344	1276	msiexec.exe	MsiExec.exe
PID 1276 wrote to memory of 1344	1276	msiexec.exe	MsiExec.exe
PID 1276 wrote to memory of 1344	1276	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c2e1f22a3443076326f1920cf9923c69.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:948

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8CA4A729F4B6A4B61C27A8BBDCADDCA5
2⤵
- Loads dropped DLL
PID:1344

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIDFE4.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSIE37E.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSIE3BD.tmp
Filesize
118KB

MD5
4b49c57cbefa1d2773da1f95338e294d

SHA1
108ea90d8a42cf31f7d8d7710b5fd713ca048ef9

SHA256
68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08

SHA512
42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165

Download Submit
C:\Windows\Installer\MSIE40C.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
\Windows\Installer\MSIDFE4.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
\Windows\Installer\MSIE37E.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
\Windows\Installer\MSIE3BD.tmp
Filesize
118KB

MD5
4b49c57cbefa1d2773da1f95338e294d

SHA1
108ea90d8a42cf31f7d8d7710b5fd713ca048ef9

SHA256
68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08

SHA512
42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165

Download Submit
\Windows\Installer\MSIE40C.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
memory/948-54-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/1344-57-0x0000000075301000-0x0000000075303000-memory.dmp

Filesize
8KB

Download
memory/1344-56-0x0000000000000000-mapping.dmp

Download
memory/1344-67-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1344-66-0x00000000743F0000-0x0000000074455000-memory.dmp

Filesize
404KB

Download
memory/1344-69-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1344-68-0x0000000074410000-0x0000000074460000-memory.dmp

Filesize
320KB

Download
memory/1344-70-0x00000000743F0000-0x0000000074455000-memory.dmp

Filesize
404KB

Download
memory/1344-73-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/1344-72-0x0000000000210000-0x0000000000213000-memory.dmp

Filesize
12KB

Download
memory/1344-71-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1344-74-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads