Analysis

max time kernel: 46s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 18-09-2022 00:42

Static task: static1
Behavioral task: behavioral1 (sample 22-17_n_e-br.msi, resource win7-20220901-en)
Behavioral task: behavioral2 (sample 22-17_n_e-br.msi, resource win10v2004-20220812-en)

The results on this page are from the Windows 7 x64 run (behavioral1, resource win7-20220901-en); the Windows 10 run is a separate task.
General

Target: 22-17_n_e-br.msi
Size: 17.8MB
MD5: 1aa67a77a0b6f0e2cc2b4d160550c5e4
SHA1: 7a320ecde07e9ab6143ddceaf2d54bfa03c80e7c
SHA256: e80ef5b5812455a19dbf740d65ef948b38c300b6bc6d026f135a8cfb42ba7750
SHA512: a44f41929445250b87f839bee6e35a7a15b83af24ab7e749b374488fda96f8ce0628b42cad9ae2a666d7bd53c24b0b4b5af709e4a71f191f99b226d7c32c315d
SSDEEP: 98304:8YNYeAwFNHIsq1M0eCpsRBcZhRZZPIEc0f/dYjocYe4Fc9bsKgpDhsit7GKRalZ7:9juMsTRZVacn0b6DdRyI

Malware Config
(nothing listed)
Signatures

Loads dropped DLL (4 IoCs)
  MsiExec.exe, PID 468: 4 load events of a DLL dropped during the run.

Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  msiexec.exe (both instances, PID 1600 and PID 1332 per the process tree) opened the root of every drive letter from A: to Z: except C: and D:, read-only:
  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  Each of the 24 letters appears twice in the raw rows, which gives the 48 IoCs.

Drops file in Windows directory (11 IoCs)
  msiexec.exe:
  - File created C:\Windows\Installer\6c11e0.msi
  - File created C:\Windows\Installer\6c11dc.msi
  - File created C:\Windows\Installer\6c11de.ipi
  - File opened for modification C:\Windows\Installer\
  - File opened for modification C:\Windows\Installer\6c11dc.msi
  - File opened for modification C:\Windows\Installer\6c11de.ipi
  - File opened for modification C:\Windows\Installer\MSI1298.tmp
  - File opened for modification C:\Windows\Installer\MSI1518.tmp
  - File opened for modification C:\Windows\Installer\MSI18E1.tmp
  - File opened for modification C:\Windows\Installer\MSI1E6D.tmp
  - File opened for modification C:\Windows\Installer\MSI1EEB.tmp

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  msiexec.exe, PID 1332: 2 events.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  msiexec.exe, PID 1600 (31 events): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (SeShutdownPrivilege and SeIncreaseQuotaPrivilege are each adjusted twice).
  msiexec.exe, PID 1332 (33 events): SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege adjusted alternately, 16 times each.

Suspicious use of FindShellTrayWindow (2 IoCs)
  msiexec.exe, PID 1600: 2 events.

Suspicious use of WriteProcessMemory (7 IoCs)
  msiexec.exe, PID 1332, wrote to the memory of MsiExec.exe, PID 468: 7 events.

Every signature above is also raised by a benign MSI install: the installer client and service enumerate volumes, the Windows Installer service (PID 1332, started with /V) enables restore/take-ownership privileges to lay files down under C:\Windows\Installer, and it spawns a 32-bit custom action server (MsiExec.exe -Embedding) that loads a DLL extracted from the package. With no network activity recorded and no configuration extracted, nothing here by itself distinguishes the sample from a legitimate installer; the decision rests on what the dropped files listed under Downloads actually are.
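The signature rows above are flattened one-per-line, which makes them awkward to eyeball. The following Python script, added here as an example and not part of the sandbox report or the vendor's tooling, parses the three row shapes that appear on this page (drive-root opens, privilege adjustments, cross-process memory writes) into per-process facts and folds the duplicates. SAMPLE_ROWS is a short excerpt copied from the report's own rows; the HIGH_RISK_PRIVILEGES set and the C: system-drive exception are this example's own assumptions, not something the report defines.

```python
"""Triage helper for flattened sandbox signature rows.

Added example for this page, not tooling from the sandbox vendor. It parses
the three row shapes that appear in the report above (drive-root opens,
privilege adjustments and cross-process memory writes) into per-process facts
and flags the ones worth a second look. SAMPLE_ROWS is a short excerpt copied
from the report; HIGH_RISK_PRIVILEGES is this example's own choice.
"""
import re
from collections import defaultdict

# Privileges that give a process a way to read or tamper with other processes,
# the kernel or arbitrary files. Author's selection for this example, not a
# classification the sandbox report defines.
HIGH_RISK_PRIVILEGES = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeCreateTokenPrivilege", "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
}
SYSTEM_DRIVE = "C"  # assumption: the sandbox image boots from C:

# Row shapes exactly as they appear in the report (one flattened line per signature).
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

# Excerpt of the report's own rows. Drive-open rows carry no PID in this
# format, only the image name, so drives are keyed by image below.
SAMPLE_ROWS = r"""
File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe
Token: SeShutdownPrivilege 1600 msiexec.exe Token: SeIncreaseQuotaPrivilege 1600 msiexec.exe Token: SeRestorePrivilege 1332 msiexec.exe Token: SeTakeOwnershipPrivilege 1332 msiexec.exe Token: SeSecurityPrivilege 1332 msiexec.exe Token: SeDebugPrivilege 1600 msiexec.exe Token: SeTcbPrivilege 1600 msiexec.exe
PID 1332 wrote to memory of 468 1332 msiexec.exe MsiExec.exe PID 1332 wrote to memory of 468 1332 msiexec.exe MsiExec.exe
"""


def parse_rows(text):
    """Split flattened rows into three tables keyed by process image or PID."""
    drives = defaultdict(list)    # image -> drive letters opened, in order
    privs = defaultdict(list)     # pid -> privileges adjusted, in order
    writes = defaultdict(int)     # (src pid, dst pid, dst image) -> event count
    for letter, image in DRIVE_RE.findall(text):
        drives[image].append(letter)
    for priv, pid, _image in TOKEN_RE.findall(text):
        privs[int(pid)].append(priv)
    for src, dst, _src_image, dst_image in WPM_RE.findall(text):
        writes[(int(src), int(dst), dst_image)] += 1
    return drives, privs, writes


def triage(text):
    """Return only the facts a reviewer should look at, with duplicates folded."""
    drives, privs, writes = parse_rows(text)
    return {
        # Drive roots other than the system drive, per process image.
        "non_system_drives": {
            image: sorted(set(letters) - {SYSTEM_DRIVE})
            for image, letters in drives.items()
            if set(letters) - {SYSTEM_DRIVE}
        },
        # High-risk privileges that were actually adjusted, per PID.
        "high_risk_privileges": {
            pid: sorted(set(names) & HIGH_RISK_PRIVILEGES)
            for pid, names in privs.items()
            if set(names) & HIGH_RISK_PRIVILEGES
        },
        # Who wrote into whose address space, and how often.
        "cross_process_writes": sorted(
            (src, dst, image, count) for (src, dst, image), count in writes.items()
        ),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run against the full rows on this page, the same three rules reproduce the sandbox's tallies (24 non-C: drive letters, SeDebugPrivilege on PID 1600, 7 writes from 1332 into 468). The point of running them yourself is that the risk list and the system-drive exception are yours to tune: for an MSI report you would typically drop SeRestorePrivilege and SeTakeOwnershipPrivilege when the adjusting PID is the Windows Installer service, since that is how it writes under C:\Windows\Installer, and concentrate on what the loaded DLL does instead.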
Processes

C:\Windows\system32\msiexec.exe (PID 1600)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\22-17_n_e-br.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 1332)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 468, child of PID 1332)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 323CCF0338AD17F1C0E98EC9DF47F829
    - Loads dropped DLL

PID 1600 is the install client started for the sample (/I); PID 1332 is the Windows Installer service (/V), which does the actual file drops under C:\Windows\Installer; PID 468 is the 32-bit custom action server the service spawns (note the syswow64 path on an x64 image), and it is the process that loads the dropped DLL.
Network
MITRE ATT&CK Enterprise v6
Downloads

Only two distinct files appear; the original list repeated the first entry six times and the second twice.

373KB
  MD5: f21b7303582dc0bf18fc734df1245043
  SHA1: 306de4746ec0fa5fd6f67127060640abb26f2a9e
  SHA256: 58e954de5dbec06179e7c749f321555520c8fcfbd9d3b05cc2b0110573a507d4
  SHA512: 0170f83e53e28ad09dcf00649aa7e4c3d9e8cead49b54971df594c60062f8f4ed5b3c18588942fc038337a1f2478fb039e213fbadb55fe5091fdaaf28d9911b4

17.1MB
  MD5: ba545c2bc73df9a0d2cc90cd10ebbb1a
  SHA1: ea44aca614884e4ffe54012473949ec39ad15fa4
  SHA256: 24f5dcef269d7cbc3bf9e58bf60e598d457cbd1d19f1d91e9407e8b4315f0056
  SHA512: 588fad562db13896adca8a91b73e5773bb480b0c631f74f492bbc5653310b53a0642cb5d1cc11a72131596fb7643b31207349d0f9f161d3134a0e096e2001acf