24f0bb6cba35e87f01d6ea92761171a535c691ce9225348cb2605760d5b12462

Analysis

max time kernel
186s
max time network
427s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2022 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2e1f22a3443076326f1920cf9923c69.msi
Size

360KB
MD5

c2e1f22a3443076326f1920cf9923c69
SHA1

6932c2dfca6c51efefbbb6b7af1af2abd7f6b96a
SHA256

24f0bb6cba35e87f01d6ea92761171a535c691ce9225348cb2605760d5b12462
SHA512

b0e4d3188b933a0822a51396bea3ca28c21a0bfe57ed1d4706e3c4631fec2717be9e180210981aeec086549754c744a7bfcbe57d38ad2bc930708096ba26b7e5

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

Processes:

MsiExec.exe

pid process

1380 MsiExec.exe
1380 MsiExec.exe
1380 MsiExec.exe
1380 MsiExec.exe
1380 MsiExec.exe

pid	process
1380	MsiExec.exe
1380	MsiExec.exe
1380	MsiExec.exe
1380	MsiExec.exe
1380	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF598.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{80395032-1630-4C4B-A997-0A7CCB72C75B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3100.tmp	msiexec.exe
File created	C:\Windows\Installer\e5b6936.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5b6936.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI692.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI296D.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\dbcode21mk.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC37B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI672.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

4708 msiexec.exe
4708 msiexec.exe

pid	process
4708	msiexec.exe
4708	msiexec.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4312	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4312	msiexec.exe
Token: SeSecurityPrivilege	4708	msiexec.exe
Token: SeCreateTokenPrivilege	4312	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4312	msiexec.exe
Token: SeLockMemoryPrivilege	4312	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4312	msiexec.exe
Token: SeMachineAccountPrivilege	4312	msiexec.exe
Token: SeTcbPrivilege	4312	msiexec.exe
Token: SeSecurityPrivilege	4312	msiexec.exe
Token: SeTakeOwnershipPrivilege	4312	msiexec.exe
Token: SeLoadDriverPrivilege	4312	msiexec.exe
Token: SeSystemProfilePrivilege	4312	msiexec.exe
Token: SeSystemtimePrivilege	4312	msiexec.exe
Token: SeProfSingleProcessPrivilege	4312	msiexec.exe
Token: SeIncBasePriorityPrivilege	4312	msiexec.exe
Token: SeCreatePagefilePrivilege	4312	msiexec.exe
Token: SeCreatePermanentPrivilege	4312	msiexec.exe
Token: SeBackupPrivilege	4312	msiexec.exe
Token: SeRestorePrivilege	4312	msiexec.exe
Token: SeShutdownPrivilege	4312	msiexec.exe
Token: SeDebugPrivilege	4312	msiexec.exe
Token: SeAuditPrivilege	4312	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4312	msiexec.exe
Token: SeChangeNotifyPrivilege	4312	msiexec.exe
Token: SeRemoteShutdownPrivilege	4312	msiexec.exe
Token: SeUndockPrivilege	4312	msiexec.exe
Token: SeSyncAgentPrivilege	4312	msiexec.exe
Token: SeEnableDelegationPrivilege	4312	msiexec.exe
Token: SeManageVolumePrivilege	4312	msiexec.exe
Token: SeImpersonatePrivilege	4312	msiexec.exe
Token: SeCreateGlobalPrivilege	4312	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe
Token: SeRestorePrivilege	4708	msiexec.exe
Token: SeTakeOwnershipPrivilege	4708	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

4312 msiexec.exe

pid	process
4312	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4708 wrote to memory of 1380	4708	msiexec.exe	MsiExec.exe
PID 4708 wrote to memory of 1380	4708	msiexec.exe	MsiExec.exe
PID 4708 wrote to memory of 1380	4708	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c2e1f22a3443076326f1920cf9923c69.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4312

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AE5320920A2CF074353F49F61511ABAC
2⤵
- Loads dropped DLL
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI296D.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSI296D.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSI672.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSI672.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSI692.tmp
Filesize
118KB

MD5
4b49c57cbefa1d2773da1f95338e294d

SHA1
108ea90d8a42cf31f7d8d7710b5fd713ca048ef9

SHA256
68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08

SHA512
42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165

Download Submit
C:\Windows\Installer\MSI692.tmp
Filesize
118KB

MD5
4b49c57cbefa1d2773da1f95338e294d

SHA1
108ea90d8a42cf31f7d8d7710b5fd713ca048ef9

SHA256
68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08

SHA512
42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165

Download Submit
C:\Windows\Installer\MSIC37B.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSIC37B.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSIF598.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSIF598.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
memory/1380-146-0x0000000003290000-0x0000000003293000-memory.dmp

Filesize
12KB

Download
memory/1380-137-0x0000000074DF0000-0x0000000074E55000-memory.dmp

Filesize
404KB

Download
memory/1380-142-0x0000000074DF0000-0x0000000074E55000-memory.dmp

Filesize
404KB

Download
memory/1380-143-0x00000000033D0000-0x00000000033D3000-memory.dmp

Filesize
12KB

Download
memory/1380-144-0x0000000074E10000-0x0000000074E60000-memory.dmp

Filesize
320KB

Download
memory/1380-145-0x00000000033E0000-0x00000000033E3000-memory.dmp

Filesize
12KB

Download
memory/1380-130-0x0000000000000000-mapping.dmp

Download
memory/1380-134-0x0000000003290000-0x0000000003293000-memory.dmp

Filesize
12KB

Download
memory/1380-150-0x00000000033D0000-0x00000000033D3000-memory.dmp

Filesize
12KB

Download
memory/1380-149-0x0000000074DF0000-0x0000000074E55000-memory.dmp

Filesize
404KB

Download
memory/1380-133-0x0000000074DF0000-0x0000000074E55000-memory.dmp

Filesize
404KB

Download
memory/1380-151-0x00000000033E0000-0x00000000033E3000-memory.dmp

Filesize
12KB

Download
memory/1380-152-0x0000000074E10000-0x0000000074E60000-memory.dmp

Filesize
320KB

Download
memory/1380-153-0x0000000074DF0000-0x0000000074E55000-memory.dmp

Filesize
404KB

Download