73e88dfce5caf29dc4f746ea73327225926f6c006cab1a242ff8cace60f30d87

Analysis

max time kernel
318s
max time network
506s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2022, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VengefulLeather.msi
Size

267.0MB
MD5

e487592d43f5ca2045a3ac4e635cd5e1
SHA1

06523feddb2be5089e154bdfe570e1cef2ad00d3
SHA256

a43fe5ebc7bb94b76b3031efb7f4e6cb3932066683ea55a214e6ae3e00b2822e
SHA512

5c08d9063c79cbf7efcdb83642a19b8dc4a8d905ca5279d19e8a1065d75e725789fc53fbd26480ea583eb374779d5256e2ca644419463b81d7fa3b3af7617405
SSDEEP

196608:OZCjrKC82BT3tT4j9mcMMkxbgWw6Zi5sS:OkjT82Bztkj4cMMWgi

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
4476	MsiExec.exe
4476	MsiExec.exe
4476	MsiExec.exe
4476	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e5682c1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI935C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F7227026-634A-41FF-A42B-E7297A5AD438}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9AC0.tmp	msiexec.exe
File created	C:\Windows\Installer\e5682c1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9010.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B5D.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4608	msiexec.exe
4608	msiexec.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1708	msiexec.exe
Token: SeSecurityPrivilege	4608	msiexec.exe
Token: SeCreateTokenPrivilege	1708	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1708	msiexec.exe
Token: SeLockMemoryPrivilege	1708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1708	msiexec.exe
Token: SeMachineAccountPrivilege	1708	msiexec.exe
Token: SeTcbPrivilege	1708	msiexec.exe
Token: SeSecurityPrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeLoadDriverPrivilege	1708	msiexec.exe
Token: SeSystemProfilePrivilege	1708	msiexec.exe
Token: SeSystemtimePrivilege	1708	msiexec.exe
Token: SeProfSingleProcessPrivilege	1708	msiexec.exe
Token: SeIncBasePriorityPrivilege	1708	msiexec.exe
Token: SeCreatePagefilePrivilege	1708	msiexec.exe
Token: SeCreatePermanentPrivilege	1708	msiexec.exe
Token: SeBackupPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeShutdownPrivilege	1708	msiexec.exe
Token: SeDebugPrivilege	1708	msiexec.exe
Token: SeAuditPrivilege	1708	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1708	msiexec.exe
Token: SeChangeNotifyPrivilege	1708	msiexec.exe
Token: SeRemoteShutdownPrivilege	1708	msiexec.exe
Token: SeUndockPrivilege	1708	msiexec.exe
Token: SeSyncAgentPrivilege	1708	msiexec.exe
Token: SeEnableDelegationPrivilege	1708	msiexec.exe
Token: SeManageVolumePrivilege	1708	msiexec.exe
Token: SeImpersonatePrivilege	1708	msiexec.exe
Token: SeCreateGlobalPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	4608	msiexec.exe
Token: SeTakeOwnershipPrivilege	4608	msiexec.exe
Token: SeRestorePrivilege	4608	msiexec.exe
Token: SeTakeOwnershipPrivilege	4608	msiexec.exe
Token: SeRestorePrivilege	4608	msiexec.exe
Token: SeTakeOwnershipPrivilege	4608	msiexec.exe
Token: SeRestorePrivilege	4608	msiexec.exe
Token: SeTakeOwnershipPrivilege	4608	msiexec.exe
Token: SeRestorePrivilege	4608	msiexec.exe
Token: SeTakeOwnershipPrivilege	4608	msiexec.exe
Token: SeRestorePrivilege	4608	msiexec.exe
Token: SeTakeOwnershipPrivilege	4608	msiexec.exe
Token: SeRestorePrivilege	4608	msiexec.exe
Token: SeTakeOwnershipPrivilege	4608	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1708	msiexec.exe
1708	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4476	MsiExec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4476	4608	msiexec.exe	81
PID 4608 wrote to memory of 4476	4608	msiexec.exe	81
PID 4608 wrote to memory of 4476	4608	msiexec.exe	81

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VengefulLeather.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1708

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E730B0A308EF63AE506671D8299C15AE
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI9010.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI9010.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI935C.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI935C.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI9B5D.tmp

Filesize
264.6MB

MD5
afddffa061874d57c30657ca8bfecba5

SHA1
c6f6b3a00a704ed1ddeaf1cc3277f92872b308cc

SHA256
72276ed4421e592116f1720b01464e43306fbc3a9d97b7a43fe201237258234b

SHA512
40417d574d44a3cfd59b20e07ff3b86ba0eb0e57d54355202cd5e86dda7217e9d8113e2648701ec6d15d41dcaff030748d0cfa4e9442bea96d63a6168ffdc203

Download Submit
C:\Windows\Installer\MSI9B5D.tmp

Filesize
264.6MB

MD5
afddffa061874d57c30657ca8bfecba5

SHA1
c6f6b3a00a704ed1ddeaf1cc3277f92872b308cc

SHA256
72276ed4421e592116f1720b01464e43306fbc3a9d97b7a43fe201237258234b

SHA512
40417d574d44a3cfd59b20e07ff3b86ba0eb0e57d54355202cd5e86dda7217e9d8113e2648701ec6d15d41dcaff030748d0cfa4e9442bea96d63a6168ffdc203

Download Submit
C:\Windows\Installer\MSI9B5D.tmp

Filesize
264.6MB

MD5
afddffa061874d57c30657ca8bfecba5

SHA1
c6f6b3a00a704ed1ddeaf1cc3277f92872b308cc

SHA256
72276ed4421e592116f1720b01464e43306fbc3a9d97b7a43fe201237258234b

SHA512
40417d574d44a3cfd59b20e07ff3b86ba0eb0e57d54355202cd5e86dda7217e9d8113e2648701ec6d15d41dcaff030748d0cfa4e9442bea96d63a6168ffdc203

Download Submit
memory/4476-140-0x0000000002C30000-0x0000000003C30000-memory.dmp

Filesize
16.0MB

Download