Resubmissions
11-10-2022 01:09
Analysis ID: 221011-bhsl9sgee5 (score 10)
Max time kernel: 128s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11-10-2022 01:09
Behavioral task: behavioral1
  Sample: i(5).php.msi
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: i(5).php.msi
  Resource: win10v2004-20220812-en
General
Target: i(5).php.msi
Size: 996KB
MD5: cdafa15de279b15558d134bc0c9aee01
SHA1: cf97dcf2756fa93ef24035e327c0021672e90ce6
SHA256: 08537cb3114c47c65d190d12f922af4be1f7f29c9c2f2af364ac8c1d813df86c
SHA512: 12bd54c6f58fe0631cfc33d46ccdc22c70d021d9395cb62268dfcddb9704a5acab10f7876467274098526f63915e4773d97194b8bd52888f3688341489edb34a
SSDEEP: 24576:djaBqnGIQ5M6DLrVVdWG859GCHrSoUzLyaVtFUl:dj8lrXVVdWX59GUrSLzeaVtFU
Malware Config
Signatures
- Loads dropped DLL (5 IoCs)
  Processes: MsiExec.exe (PID 5008), 5 events
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe opened (read-only) the root of each of the following drive letters, twice each, 48 events in total:
  \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  (every drive letter except C: and D:)
- Drops file in Windows directory (12 IoCs)
  Processes: msiexec.exe
  File created: C:\Windows\Installer\e56a647.msi
  File opened for modification: C:\Windows\Installer\MSIA760.tmp
  File opened for modification: C:\Windows\Installer\MSIAADD.tmp
  File opened for modification: C:\Windows\Installer\
  File created: C:\Windows\Installer\SourceHash{80395032-1630-4C4B-A997-0A7CCB72C75B}
  File opened for modification: C:\Windows\Installer\MSIACF3.tmp
  File opened for modification: C:\Windows\Installer\e56a647.msi
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  File opened for modification: C:\Windows\Installer\MSIAA01.tmp
  File opened for modification: C:\Windows\Installer\MSIAB0D.tmp
  File opened for modification: C:\Windows\Installer\MSIAB9A.tmp
  File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msiexec.exe (PID 3992), 2 events
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
  msiexec.exe (PID 1304), 31 token adjustments, in order:
    SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  msiexec.exe (PID 3992), 15 token adjustments:
    SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, 7 times each
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: msiexec.exe (PID 1304)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: msiexec.exe (PID 3992) wrote to the memory of MsiExec.exe (PID 5008), 3 events
Processes
- C:\Windows\system32\msiexec.exe (tree level 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i(5).php.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (tree level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\syswow64\MsiExec.exe (tree level 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B5C0E487134E86F50CE4CDE6D634FB3E
  - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Installer\MSIA760.tmp
  Filesize: 379KB
  MD5: 305a50c391a94b42a68958f3f89906fb
  SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
  SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
  SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
- C:\Windows\Installer\MSIAA01.tmp
  Filesize: 379KB
  MD5: 305a50c391a94b42a68958f3f89906fb
  SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
  SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
  SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
- C:\Windows\Installer\MSIAADD.tmp
  Filesize: 379KB
  MD5: 305a50c391a94b42a68958f3f89906fb
  SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
  SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
  SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
- C:\Windows\Installer\MSIAB0D.tmp
  Filesize: 537KB
  MD5: d7ec04b009302b83da506b9c63ca775c
  SHA1: 6fa9ea09b71531754b4cd05814a91032229834c0
  SHA256: 00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
  SHA512: 171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
- C:\Windows\Installer\MSIAB9A.tmp
  Filesize: 379KB
  MD5: 305a50c391a94b42a68958f3f89906fb
  SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
  SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
  SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
- memory/5008-132-0x0000000000000000-mapping.dmp