Overview
overview | 8
Static
static
Document.zip | windows7-x64 | 1
Document.zip | windows10-2004-x64 | 1
file.iso | windows7-x64 | 3
file.iso | windows10-2004-x64 | 3
Document.lnk | windows7-x64 | 3
Document.lnk | windows10-2004-x64 | 3
file.bat | windows7-x64 | 8
file.bat | windows10-2004-x64 | 8
file.js | windows7-x64 | 8
file.js | windows10-2004-x64 | 8
uu.msi | windows7-x64 | 8
uu.msi | windows10-2004-x64 | 8
Analysis
- max time kernel: 417s
- max time network: 422s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 12-10-2022 18:04
Static task: static1
Behavioral task: behavioral1 | Sample: Document.zip | Resource: win7-20220812-en
Behavioral task: behavioral2 | Sample: Document.zip | Resource: win10v2004-20220901-en
Behavioral task: behavioral3 | Sample: file.iso | Resource: win7-20220812-en
Behavioral task: behavioral4 | Sample: file.iso | Resource: win10v2004-20220812-en
Behavioral task: behavioral5 | Sample: Document.lnk | Resource: win7-20220812-en
Behavioral task: behavioral6 | Sample: Document.lnk | Resource: win10v2004-20220812-en
Behavioral task: behavioral7 | Sample: file.bat | Resource: win7-20220901-en
Behavioral task: behavioral8 | Sample: file.bat | Resource: win10v2004-20220812-en
Behavioral task: behavioral9 | Sample: file.js | Resource: win7-20220901-en
Behavioral task: behavioral10 | Sample: file.js | Resource: win10v2004-20220901-en
Behavioral task: behavioral11 | Sample: uu.msi | Resource: win7-20220812-en
Behavioral task: behavioral12 | Sample: uu.msi | Resource: win10v2004-20220812-en
General
- Target: file.bat
- Size: 121B
- MD5: f2dfe2d042da18133306eed955367273
- SHA1: 430ea7ed2c8fdfcd86d908c349e69e135b08cff8
- SHA256: c7509974ecff20140e027d4212c996dc32ecbec7f13c03ff85f82286df6a01e7
- SHA512: 4df232226b4f5498ab17a1b9761ebba375975bc9cabe41636e99e1ec738379e64524197c90ba167ef3473ed42890e302e2a2e3dabfc6be595a814d2c64bb1426
Malware Config
Signatures
-
Blocklisted process makes network request 5 IoCs
flow | pid | Process
2 | 828 | msiexec.exe
4 | 828 | msiexec.exe
6 | 828 | msiexec.exe
8 | 828 | msiexec.exe
10 | 828 | msiexec.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\Installer\6c1f35.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\6c1f35.msi | msiexec.exe
File created | C:\Windows\Installer\6c1f37.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2F07.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\6c1f37.ipi | msiexec.exe
-
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid | Process
1392 | msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
828 | msiexec.exe
828 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
  PID: 1460
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\forfiles.exe
    forfiles /S /M *.msi /C "cmd rundll32 shell32.dll,ShellExec_RunDLL cmd.exe /c msiexec /quiet /a @path"
    PID: 1148
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\cmd.exe
      rundll32 shell32.dll,ShellExec_RunDLL cmd.exe /c msiexec /quiet /a "C:\Users\Admin\AppData\Local\Temp\uu.msi"
      PID: 1304
      - Suspicious use of WriteProcessMemory

      - C:\Windows\system32\msiexec.exe
        msiexec /quiet /a "C:\Users\Admin\AppData\Local\Temp\uu.msi"
        PID: 1392
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  PID: 828
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken