Analysis

max time kernel: 134s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-09-2022 00:42
Static task: static1

Behavioral task: behavioral1
Sample: 22-17_n_e-br.msi
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 22-17_n_e-br.msi
Resource: win10v2004-20220812-en
General

Target: 22-17_n_e-br.msi
Size: 17.8MB
MD5: 1aa67a77a0b6f0e2cc2b4d160550c5e4
SHA1: 7a320ecde07e9ab6143ddceaf2d54bfa03c80e7c
SHA256: e80ef5b5812455a19dbf740d65ef948b38c300b6bc6d026f135a8cfb42ba7750
SHA512: a44f41929445250b87f839bee6e35a7a15b83af24ab7e749b374488fda96f8ce0628b42cad9ae2a666d7bd53c24b0b4b5af709e4a71f191f99b226d7c32c315d
SSDEEP: 98304:8YNYeAwFNHIsq1M0eCpsRBcZhRZZPIEc0f/dYjocYe4Fc9bsKgpDhsit7GKRalZ7:9juMsTRZVacn0b6DdRyI
Malware Config
Signatures

Loads dropped DLL (6 IoCs)
Processes: MsiExec.exe
  pid   process
  2208  MsiExec.exe
  2208  MsiExec.exe
  2208  MsiExec.exe
  2208  MsiExec.exe
  2208  MsiExec.exe
  2208  MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  description              ioc     process
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
Drops file in Windows directory (13 IoCs)
Processes: msiexec.exe
  description                   ioc                                                                       process
  File opened for modification  C:\Windows\Installer\e568c85.msi                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI906E.tmp                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9245.tmp                                          msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                            msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{69F8F57B-6F35-4433-9E93-5608D8E7A3A1}    msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI945A.tmp                                          msiexec.exe
  File created                  C:\Windows\Installer\e568c85.msi                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI8DED.tmp                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI910C.tmp                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI943A.tmp                                          msiexec.exe
  File created                  C:\Windows\Installer\e568c88.msi                                          msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                  msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: msiexec.exe
  pid   process
  4580  msiexec.exe
  4580  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe
  description                           pid   process
  Token: SeShutdownPrivilege            2228  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       2228  msiexec.exe
  Token: SeSecurityPrivilege            4580  msiexec.exe
  Token: SeCreateTokenPrivilege         2228  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  2228  msiexec.exe
  Token: SeLockMemoryPrivilege          2228  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       2228  msiexec.exe
  Token: SeMachineAccountPrivilege      2228  msiexec.exe
  Token: SeTcbPrivilege                 2228  msiexec.exe
  Token: SeSecurityPrivilege            2228  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2228  msiexec.exe
  Token: SeLoadDriverPrivilege          2228  msiexec.exe
  Token: SeSystemProfilePrivilege       2228  msiexec.exe
  Token: SeSystemtimePrivilege          2228  msiexec.exe
  Token: SeProfSingleProcessPrivilege   2228  msiexec.exe
  Token: SeIncBasePriorityPrivilege     2228  msiexec.exe
  Token: SeCreatePagefilePrivilege      2228  msiexec.exe
  Token: SeCreatePermanentPrivilege     2228  msiexec.exe
  Token: SeBackupPrivilege              2228  msiexec.exe
  Token: SeRestorePrivilege             2228  msiexec.exe
  Token: SeShutdownPrivilege            2228  msiexec.exe
  Token: SeDebugPrivilege               2228  msiexec.exe
  Token: SeAuditPrivilege               2228  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   2228  msiexec.exe
  Token: SeChangeNotifyPrivilege        2228  msiexec.exe
  Token: SeRemoteShutdownPrivilege      2228  msiexec.exe
  Token: SeUndockPrivilege              2228  msiexec.exe
  Token: SeSyncAgentPrivilege           2228  msiexec.exe
  Token: SeEnableDelegationPrivilege    2228  msiexec.exe
  Token: SeManageVolumePrivilege        2228  msiexec.exe
  Token: SeImpersonatePrivilege         2228  msiexec.exe
  Token: SeCreateGlobalPrivilege        2228  msiexec.exe
  Token: SeRestorePrivilege             4580  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4580  msiexec.exe
  (the remaining 32 entries are the SeRestorePrivilege / SeTakeOwnershipPrivilege pair for PID 4580 repeated 16 times)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  pid   process
  2228  msiexec.exe
  2228  msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: msiexec.exe
  description                          pid   process      target process
  PID 4580 wrote to memory of 2208     4580  msiexec.exe  MsiExec.exe
  PID 4580 wrote to memory of 2208     4580  msiexec.exe  MsiExec.exe
  PID 4580 wrote to memory of 2208     4580  msiexec.exe  MsiExec.exe
Processes

- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\22-17_n_e-br.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2228

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4580

  - C:\Windows\syswow64\MsiExec.exe (child of PID 4580)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F885979CE533C637A9271E73F3F9C2AB
    - Loads dropped DLL
    PID: 2208
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 373KB
  MD5: f21b7303582dc0bf18fc734df1245043
  SHA1: 306de4746ec0fa5fd6f67127060640abb26f2a9e
  SHA256: 58e954de5dbec06179e7c749f321555520c8fcfbd9d3b05cc2b0110573a507d4
  SHA512: 0170f83e53e28ad09dcf00649aa7e4c3d9e8cead49b54971df594c60062f8f4ed5b3c18588942fc038337a1f2478fb039e213fbadb55fe5091fdaaf28d9911b4
  (this identical entry is listed 8 times in the report)

- Filesize: 17.1MB
  MD5: ba545c2bc73df9a0d2cc90cd10ebbb1a
  SHA1: ea44aca614884e4ffe54012473949ec39ad15fa4
  SHA256: 24f5dcef269d7cbc3bf9e58bf60e598d457cbd1d19f1d91e9407e8b4315f0056
  SHA512: 588fad562db13896adca8a91b73e5773bb480b0c631f74f492bbc5653310b53a0642cb5d1cc11a72131596fb7643b31207349d0f9f161d3134a0e096e2001acf
  (this identical entry is listed 3 times in the report)