Analysis
- max time kernel: 91s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2022 04:23

Static task: static1

Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20220812-en
General
- Target: tmp.exe
- Size: 4.9MB
- MD5: 7386b305da7fb9970e93389890035f26
- SHA1: 4418307a938e77fba1368fa8b1c49af9d7aedfeb
- SHA256: 5814136b744c545bfd3ea8666fcba3c7330eca2c755291ffc4a229149b4b7e05
- SHA512: b0ebcfa809848430af5f1a0b2439a63bf553101cc99f88d94dc889493bca82330cf31fd6d862a307e5dc8d8e320ba56f840fcbedcd4e8156d1b9aeacebabbd00
- SSDEEP: 98304:aM05CN1zgKkrRPjTQrHhz2Y5AUZW35D3R4x8xqCGomypGO:aMrw0a3MgtvYO
Malware Config
Signatures
Loads dropped DLL (11 IoCs)
pid   Process
4960  MsiExec.exe   (11 identical entries)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc                                                                     Process
File opened (read-only)  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L:   tmp.exe
                         \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V:
                         \??\W: \??\X: \??\Y: \??\Z:   (24 entries)
File opened (read-only)  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L:   msiexec.exe
                         \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V:
                         \??\W: \??\X: \??\Y: \??\Z:   (24 entries)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid   Process      Token
3088  msiexec.exe  SeSecurityPrivilege
4728  tmp.exe      SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege,
                   SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege,
                   SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
                   SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege,
                   SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege,
                   SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
                   SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege,
                   SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege,
                   SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
                   SeCreateGlobalPrivilege
                   (this set of 29 privileges is adjusted twice in full, in the order listed, and the
                   first five are adjusted a third time: 63 entries for tmp.exe)
Suspicious use of FindShellTrayWindow (1 IoCs)
pid   Process
4728  tmp.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                      pid   Process      procid_target
PID 3088 wrote to memory of 4960  3088  msiexec.exe  81   (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  PID: 4728
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3088
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BC44B45068C41D92790198846A3D8B8A C
    PID: 4960
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 355KB
  MD5: 318dea4099b577bc51ae5e21eb8c566d
  SHA1: e3a4d3245bc40ca956c3a5081dcfd74e98fb1510
  SHA256: f335e99ea0a95b99e32d6b60c67621db8e5d096e9d77a0c8f2defcde8f32f54f
  SHA512: 65d4886bc19c9b9f36d68c07b83f687cdb75f95cde5f5ef02289502518c58f77c99ef2548d25f69bff6f0bfefe7fc7bb18fd010c4341c15114675f80f3d85844
- Filesize: 576KB
  MD5: 5de968e782d7d565aea71a4a1a7975da
  SHA1: 4be70fc83fd078e90ce7d663c847c2ee7832d577
  SHA256: 0fa7a8430586ab6aadd71bb4f7c74f52c9d414d506a5ae50c3b1d133b40157aa
  SHA512: 6d5cbd6690d33f96cd415e495fa7e65b0a708a739d07dccfe9b541a913c0a83016d376f5b106effb694703cddf7eedaa8839ed7e9effd7397d8b9796032d2d7f
- Filesize: 565KB
  MD5: f1960f3722297ac60a40b553447d1015
  SHA1: 86ce1a0ad18a866dd76f32f25fd52e215e82cf8a
  SHA256: fb21f9283cbd2f2f6ba8921bfc93ca685140b82adee47273dd5b195ec2efca1f
  SHA512: dab42ce121976f44dd432827b8c8554a7752374353621f76695d96b10bc8a7e5ae4a46038255c6926765cd8584caa181502c49fed7dbcfbffa0c1374794c9928