Analysis
max time kernel: 617s
max time network: 441s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 15-09-2022 05:38
Static task: static1
Behavioral task: behavioral1
  Sample: VengefulLeather.msi
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: VengefulLeather.msi
  Resource: win10v2004-20220812-en
General
Target: VengefulLeather.msi
Size: 267.0MB
MD5: e487592d43f5ca2045a3ac4e635cd5e1
SHA1: 06523feddb2be5089e154bdfe570e1cef2ad00d3
SHA256: a43fe5ebc7bb94b76b3031efb7f4e6cb3932066683ea55a214e6ae3e00b2822e
SHA512: 5c08d9063c79cbf7efcdb83642a19b8dc4a8d905ca5279d19e8a1065d75e725789fc53fbd26480ea583eb374779d5256e2ca644419463b81d7fa3b3af7617405
SSDEEP: 196608:OZCjrKC82BT3tT4j9mcMMkxbgWw6Zi5sS:OkjT82Bztkj4cMMWgi
Malware Config
Signatures

Loads dropped DLL (3 IoCs)
pid   Process
668   MsiExec.exe
668   MsiExec.exe
668   MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)   Process: msiexec.exe
ioc (48 entries, in the order recorded):
\??\V: \??\B: \??\H: \??\L: \??\O: \??\S: \??\T: \??\U: \??\T: \??\Z: \??\A: \??\I:
\??\J: \??\L: \??\O: \??\P: \??\U: \??\E: \??\I: \??\Y: \??\E: \??\K: \??\S: \??\A:
\??\F: \??\M: \??\N: \??\W: \??\H: \??\N: \??\J: \??\P: \??\B: \??\R: \??\R: \??\X:
\??\Y: \??\G: \??\K: \??\F: \??\V: \??\G: \??\W: \??\Z: \??\Q: \??\X: \??\M: \??\Q:
Drops file in Windows directory (9 IoCs)
description                    ioc                                Process
File opened for modification   C:\Windows\Installer\MSI2B07.tmp   msiexec.exe
File opened for modification   C:\Windows\Installer\              msiexec.exe
File opened for modification   C:\Windows\Installer\MSI3B01.tmp   msiexec.exe
File created                   C:\Windows\Installer\6c26a4.msi    msiexec.exe
File opened for modification   C:\Windows\Installer\6c26a4.msi    msiexec.exe
File opened for modification   C:\Windows\Installer\MSI2D88.tmp   msiexec.exe
File created                   C:\Windows\Installer\6c26a6.ipi    msiexec.exe
File opened for modification   C:\Windows\Installer\MSI3B7F.tmp   msiexec.exe
File opened for modification   C:\Windows\Installer\6c26a6.ipi    msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
936   msiexec.exe
936   msiexec.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
description (Token:)   pid   Process
(entries grouped by consecutive pid, in the order recorded)
SeShutdownPrivilege, SeIncreaseQuotaPrivilege   1300   msiexec.exe
SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege   936   msiexec.exe
SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege   1300   msiexec.exe
SeRestorePrivilege, SeTakeOwnershipPrivilege (this pair recorded 8 times, 16 entries)   936   msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid    Process
1300   msiexec.exe
1300   msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
668   MsiExec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   Process       procid_target
PID 936 wrote to memory of 668    936   msiexec.exe   28   (7 identical entries)
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VengefulLeather.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1300

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 936

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 47B28929DE2402DC5E153C291C406DDF
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID: 668
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 91KB
MD5: 9f1e5d66c2889018daef4aef604eebc4
SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Filesize: 264.6MB
MD5: afddffa061874d57c30657ca8bfecba5
SHA1: c6f6b3a00a704ed1ddeaf1cc3277f92872b308cc
SHA256: 72276ed4421e592116f1720b01464e43306fbc3a9d97b7a43fe201237258234b
SHA512: 40417d574d44a3cfd59b20e07ff3b86ba0eb0e57d54355202cd5e86dda7217e9d8113e2648701ec6d15d41dcaff030748d0cfa4e9442bea96d63a6168ffdc203