Analysis
-
max time kernel
91s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
19-10-2022 10:59
Behavioral task
behavioral1
Sample
i.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
i.msi
Resource
win10v2004-20220812-en
General
-
Target
i.msi
-
Size
996KB
-
MD5
b0b7cb36503c46755882751191c9a711
-
SHA1
c0d058bacb81f36dfd1b1d99a386ff0a7bb0ec7a
-
SHA256
77ed1502e9c8bfd2e91f04e3dce2d5649f68201061fb24c4ab4fa5e9b7fdec50
-
SHA512
4f00e5743fa56f553ce64d1ebc35a71cd5cb5200d7434f94a46a30fe6efbcbd64d105d440bd1ce45c2b66f9e91b622e6cfc8a7de08bf08727fc75df1cec32b4d
-
SSDEEP
24576:G+aBqnGIQ5M6DLrVVdWG859GCHrSoUzLyaVtFUl:G+8lrXVVdWX59GUrSLzeaVtFU
Malware Config
Signatures
-
Loads dropped DLL 5 IoCs
Processes: MsiExec.exe
pid process
4344 MsiExec.exe
4344 MsiExec.exe
4344 MsiExec.exe
4344 MsiExec.exe
4344 MsiExec.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description ioc process
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
-
Drops file in Windows directory 12 IoCs
Processes: msiexec.exe
description ioc process
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\MSI672B.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI692F.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI699E.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI69DD.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI6AB9.tmp msiexec.exe
File created C:\Windows\Installer\e5666ae.msi msiexec.exe
File opened for modification C:\Windows\Installer\e5666ae.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSI6C21.tmp msiexec.exe
File created C:\Windows\Installer\SourceHash{80395032-1630-4C4B-A997-0A7CCB72C75B} msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: msiexec.exe
pid process
3664 msiexec.exe
3664 msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes: msiexec.exe, msiexec.exe
description pid process
Token: SeShutdownPrivilege 4840 msiexec.exe
Token: SeIncreaseQuotaPrivilege 4840 msiexec.exe
Token: SeSecurityPrivilege 3664 msiexec.exe
Token: SeCreateTokenPrivilege 4840 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 4840 msiexec.exe
Token: SeLockMemoryPrivilege 4840 msiexec.exe
Token: SeIncreaseQuotaPrivilege 4840 msiexec.exe
Token: SeMachineAccountPrivilege 4840 msiexec.exe
Token: SeTcbPrivilege 4840 msiexec.exe
Token: SeSecurityPrivilege 4840 msiexec.exe
Token: SeTakeOwnershipPrivilege 4840 msiexec.exe
Token: SeLoadDriverPrivilege 4840 msiexec.exe
Token: SeSystemProfilePrivilege 4840 msiexec.exe
Token: SeSystemtimePrivilege 4840 msiexec.exe
Token: SeProfSingleProcessPrivilege 4840 msiexec.exe
Token: SeIncBasePriorityPrivilege 4840 msiexec.exe
Token: SeCreatePagefilePrivilege 4840 msiexec.exe
Token: SeCreatePermanentPrivilege 4840 msiexec.exe
Token: SeBackupPrivilege 4840 msiexec.exe
Token: SeRestorePrivilege 4840 msiexec.exe
Token: SeShutdownPrivilege 4840 msiexec.exe
Token: SeDebugPrivilege 4840 msiexec.exe
Token: SeAuditPrivilege 4840 msiexec.exe
Token: SeSystemEnvironmentPrivilege 4840 msiexec.exe
Token: SeChangeNotifyPrivilege 4840 msiexec.exe
Token: SeRemoteShutdownPrivilege 4840 msiexec.exe
Token: SeUndockPrivilege 4840 msiexec.exe
Token: SeSyncAgentPrivilege 4840 msiexec.exe
Token: SeEnableDelegationPrivilege 4840 msiexec.exe
Token: SeManageVolumePrivilege 4840 msiexec.exe
Token: SeImpersonatePrivilege 4840 msiexec.exe
Token: SeCreateGlobalPrivilege 4840 msiexec.exe
Token: SeRestorePrivilege 3664 msiexec.exe
Token: SeTakeOwnershipPrivilege 3664 msiexec.exe
Token: SeRestorePrivilege 3664 msiexec.exe
Token: SeTakeOwnershipPrivilege 3664 msiexec.exe
Token: SeRestorePrivilege 3664 msiexec.exe
Token: SeTakeOwnershipPrivilege 3664 msiexec.exe
Token: SeRestorePrivilege 3664 msiexec.exe
Token: SeTakeOwnershipPrivilege 3664 msiexec.exe
Token: SeRestorePrivilege 3664 msiexec.exe
Token: SeTakeOwnershipPrivilege 3664 msiexec.exe
Token: SeRestorePrivilege 3664 msiexec.exe
Token: SeTakeOwnershipPrivilege 3664 msiexec.exe
Token: SeRestorePrivilege 3664 msiexec.exe
Token: SeTakeOwnershipPrivilege 3664 msiexec.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: msiexec.exe
pid process
4840 msiexec.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: msiexec.exe
description pid process target process
PID 3664 wrote to memory of 4344 3664 msiexec.exe MsiExec.exe
PID 3664 wrote to memory of 4344 3664 msiexec.exe MsiExec.exe
PID 3664 wrote to memory of 4344 3664 msiexec.exe MsiExec.exe
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F6000F0171F9EF2A1C1A2FBF0608BDE6
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\Installer\MSI672B.tmp
Filesize
379KB
MD5 305a50c391a94b42a68958f3f89906fb
SHA1 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256 f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512 fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSI692F.tmp
Filesize
379KB
MD5 305a50c391a94b42a68958f3f89906fb
SHA1 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256 f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512 fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSI699E.tmp
Filesize
379KB
MD5 305a50c391a94b42a68958f3f89906fb
SHA1 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256 f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512 fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSI69DD.tmp
Filesize
537KB
MD5 d7ec04b009302b83da506b9c63ca775c
SHA1 6fa9ea09b71531754b4cd05814a91032229834c0
SHA256 00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512 171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
C:\Windows\Installer\MSI6AB9.tmp
Filesize
379KB
MD5 305a50c391a94b42a68958f3f89906fb
SHA1 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256 f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512 fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
memory/4344-132-0x0000000000000000-mapping.dmp