Resubmissions
11-10-2022 01:09
221011-bhsl9sgee5 10Analysis
-
max time kernel
45s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
11-10-2022 01:09
Behavioral task
behavioral1
Sample
i(5).php.msi
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
i(5).php.msi
Resource
win10v2004-20220812-en
General
-
Target
i(5).php.msi
-
Size
996KB
-
MD5
cdafa15de279b15558d134bc0c9aee01
-
SHA1
cf97dcf2756fa93ef24035e327c0021672e90ce6
-
SHA256
08537cb3114c47c65d190d12f922af4be1f7f29c9c2f2af364ac8c1d813df86c
-
SHA512
12bd54c6f58fe0631cfc33d46ccdc22c70d021d9395cb62268dfcddb9704a5acab10f7876467274098526f63915e4773d97194b8bd52888f3688341489edb34a
-
SSDEEP
24576:djaBqnGIQ5M6DLrVVdWG859GCHrSoUzLyaVtFUl:dj8lrXVVdWX59GUrSLzeaVtFU
Malware Config
Signatures
-
Loads dropped DLL 4 IoCs
Processes:
MsiExec.exepid process 2040 MsiExec.exe 2040 MsiExec.exe 2040 MsiExec.exe 2040 MsiExec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe -
Drops file in Windows directory 9 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Windows\Installer\6c1b8d.msi msiexec.exe File opened for modification C:\Windows\Installer\6c1b8d.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI1DB0.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI2B59.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1C0A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2159.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI21F6.tmp msiexec.exe File created C:\Windows\Installer\6c1b8f.ipi msiexec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 268 msiexec.exe 268 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
msiexec.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 1324 msiexec.exe Token: SeIncreaseQuotaPrivilege 1324 msiexec.exe Token: SeRestorePrivilege 268 msiexec.exe Token: SeTakeOwnershipPrivilege 268 msiexec.exe Token: SeSecurityPrivilege 268 msiexec.exe Token: SeCreateTokenPrivilege 1324 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1324 msiexec.exe Token: SeLockMemoryPrivilege 1324 msiexec.exe Token: SeIncreaseQuotaPrivilege 1324 msiexec.exe Token: SeMachineAccountPrivilege 1324 msiexec.exe Token: SeTcbPrivilege 1324 msiexec.exe Token: SeSecurityPrivilege 1324 msiexec.exe Token: SeTakeOwnershipPrivilege 1324 msiexec.exe Token: SeLoadDriverPrivilege 1324 msiexec.exe Token: SeSystemProfilePrivilege 1324 msiexec.exe Token: SeSystemtimePrivilege 1324 msiexec.exe Token: SeProfSingleProcessPrivilege 1324 msiexec.exe Token: SeIncBasePriorityPrivilege 1324 msiexec.exe Token: SeCreatePagefilePrivilege 1324 msiexec.exe Token: SeCreatePermanentPrivilege 1324 msiexec.exe Token: SeBackupPrivilege 1324 msiexec.exe Token: SeRestorePrivilege 1324 msiexec.exe Token: SeShutdownPrivilege 1324 msiexec.exe Token: SeDebugPrivilege 1324 msiexec.exe Token: SeAuditPrivilege 1324 msiexec.exe Token: SeSystemEnvironmentPrivilege 1324 msiexec.exe Token: SeChangeNotifyPrivilege 1324 msiexec.exe Token: SeRemoteShutdownPrivilege 1324 msiexec.exe Token: SeUndockPrivilege 1324 msiexec.exe Token: SeSyncAgentPrivilege 1324 msiexec.exe Token: SeEnableDelegationPrivilege 1324 msiexec.exe Token: SeManageVolumePrivilege 1324 msiexec.exe Token: SeImpersonatePrivilege 1324 msiexec.exe Token: SeCreateGlobalPrivilege 1324 msiexec.exe Token: SeRestorePrivilege 268 msiexec.exe Token: SeTakeOwnershipPrivilege 268 msiexec.exe Token: SeRestorePrivilege 268 msiexec.exe Token: SeTakeOwnershipPrivilege 268 msiexec.exe Token: SeRestorePrivilege 268 msiexec.exe Token: SeTakeOwnershipPrivilege 268 msiexec.exe Token: SeRestorePrivilege 268 msiexec.exe Token: SeTakeOwnershipPrivilege 268 msiexec.exe Token: SeRestorePrivilege 268 msiexec.exe Token: SeTakeOwnershipPrivilege 268 msiexec.exe Token: SeRestorePrivilege 268 msiexec.exe Token: SeTakeOwnershipPrivilege 268 msiexec.exe Token: SeRestorePrivilege 268 msiexec.exe Token: SeTakeOwnershipPrivilege 268 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 1324 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
msiexec.exedescription pid process target process PID 268 wrote to memory of 2040 268 msiexec.exe MsiExec.exe PID 268 wrote to memory of 2040 268 msiexec.exe MsiExec.exe PID 268 wrote to memory of 2040 268 msiexec.exe MsiExec.exe PID 268 wrote to memory of 2040 268 msiexec.exe MsiExec.exe PID 268 wrote to memory of 2040 268 msiexec.exe MsiExec.exe PID 268 wrote to memory of 2040 268 msiexec.exe MsiExec.exe PID 268 wrote to memory of 2040 268 msiexec.exe MsiExec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i(5).php.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F1C05176ADFC229951B7B620DDADDBE92⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSI1C0A.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSI1DB0.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSI2159.tmpFilesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
C:\Windows\Installer\MSI21F6.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSI1C0A.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSI1DB0.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSI2159.tmpFilesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
\Windows\Installer\MSI21F6.tmpFilesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
memory/1324-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmpFilesize
8KB
-
memory/2040-56-0x0000000000000000-mapping.dmp
-
memory/2040-57-0x0000000075AC1000-0x0000000075AC3000-memory.dmpFilesize
8KB