Analysis
max time kernel: 169s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2022, 13:06
Static task: static1
Behavioral task: behavioral1
  Sample: 1204d20baa28f0813d21d6ff7bd53773f709e5ea4bb7716d57be3af0812c58ef.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 1204d20baa28f0813d21d6ff7bd53773f709e5ea4bb7716d57be3af0812c58ef.exe
  Resource: win10v2004-20220812-en
General
Target: 1204d20baa28f0813d21d6ff7bd53773f709e5ea4bb7716d57be3af0812c58ef.exe
Size: 58.9MB
MD5: 514b5161b838c3e649b24a30f4a4a54b
SHA1: 363ca05422654c0b9299457ca71ee9ed326c2e42
SHA256: 1204d20baa28f0813d21d6ff7bd53773f709e5ea4bb7716d57be3af0812c58ef
SHA512: 005fa98534bca6c57fe032371c3376fc859823cf54cfe843715f34ae35e5ad132c2319c234bd6527b61eb8f375027898a00dfafa138f975aaf80aaeec8d75b15
SSDEEP: 1572864:L/w2yGimawbkJkKAJUmRu3p/zKxuc2Lqu39WVBcN:TfJimawaAejpLXoK9WDs
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid  Process
  1992 ISBEW64.exe
- Loads dropped DLL (5 IoCs)
  pid  Process
  812  MsiExec.exe
  812  MsiExec.exe
  812  MsiExec.exe
  812  MsiExec.exe
  812  MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\Z:  MSIEXEC.EXE
  File opened (read-only)  \??\P:  MSIEXEC.EXE
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\J:  MSIEXEC.EXE
  File opened (read-only)  \??\T:  MSIEXEC.EXE
  File opened (read-only)  \??\S:  MSIEXEC.EXE
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\I:  MSIEXEC.EXE
  File opened (read-only)  \??\O:  MSIEXEC.EXE
  File opened (read-only)  \??\V:  MSIEXEC.EXE
  File opened (read-only)  \??\X:  MSIEXEC.EXE
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\L:  MSIEXEC.EXE
  File opened (read-only)  \??\M:  MSIEXEC.EXE
  File opened (read-only)  \??\R:  MSIEXEC.EXE
  File opened (read-only)  \??\W:  MSIEXEC.EXE
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\E:  MSIEXEC.EXE
  File opened (read-only)  \??\G:  MSIEXEC.EXE
  File opened (read-only)  \??\K:  MSIEXEC.EXE
  File opened (read-only)  \??\U:  MSIEXEC.EXE
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\F:  MSIEXEC.EXE
  File opened (read-only)  \??\B:  MSIEXEC.EXE
  File opened (read-only)  \??\H:  MSIEXEC.EXE
  File opened (read-only)  \??\N:  MSIEXEC.EXE
  File opened (read-only)  \??\Q:  MSIEXEC.EXE
  File opened (read-only)  \??\Y:  MSIEXEC.EXE
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\A:  MSIEXEC.EXE
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
- Drops file in Windows directory (6 IoCs)
  description                    ioc                              Process
  File opened for modification   C:\Windows\Fonts\CALIBRIZ.TTF    MSIEXEC.EXE
  File opened for modification   C:\Windows\Fonts\MTEXTRA.TTF     MSIEXEC.EXE
  File opened for modification   C:\Windows\Fonts\symbol.ttf      MSIEXEC.EXE
  File opened for modification   C:\Windows\Fonts\CALIBRI.TTF     MSIEXEC.EXE
  File opened for modification   C:\Windows\Fonts\CALIBRIB.TTF    MSIEXEC.EXE
  File opened for modification   C:\Windows\Fonts\CALIBRII.TTF    MSIEXEC.EXE
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                             pid   Process
  Token: SeShutdownPrivilege              3600  MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege         3600  MSIEXEC.EXE
  Token: SeSecurityPrivilege              60    msiexec.exe
  Token: SeCreateTokenPrivilege           3600  MSIEXEC.EXE
  Token: SeAssignPrimaryTokenPrivilege    3600  MSIEXEC.EXE
  Token: SeLockMemoryPrivilege            3600  MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege         3600  MSIEXEC.EXE
  Token: SeMachineAccountPrivilege        3600  MSIEXEC.EXE
  Token: SeTcbPrivilege                   3600  MSIEXEC.EXE
  Token: SeSecurityPrivilege              3600  MSIEXEC.EXE
  Token: SeTakeOwnershipPrivilege         3600  MSIEXEC.EXE
  Token: SeLoadDriverPrivilege            3600  MSIEXEC.EXE
  Token: SeSystemProfilePrivilege         3600  MSIEXEC.EXE
  Token: SeSystemtimePrivilege            3600  MSIEXEC.EXE
  Token: SeProfSingleProcessPrivilege     3600  MSIEXEC.EXE
  Token: SeIncBasePriorityPrivilege       3600  MSIEXEC.EXE
  Token: SeCreatePagefilePrivilege        3600  MSIEXEC.EXE
  Token: SeCreatePermanentPrivilege       3600  MSIEXEC.EXE
  Token: SeBackupPrivilege                3600  MSIEXEC.EXE
  Token: SeRestorePrivilege               3600  MSIEXEC.EXE
  Token: SeShutdownPrivilege              3600  MSIEXEC.EXE
  Token: SeDebugPrivilege                 3600  MSIEXEC.EXE
  Token: SeAuditPrivilege                 3600  MSIEXEC.EXE
  Token: SeSystemEnvironmentPrivilege     3600  MSIEXEC.EXE
  Token: SeChangeNotifyPrivilege          3600  MSIEXEC.EXE
  Token: SeRemoteShutdownPrivilege        3600  MSIEXEC.EXE
  Token: SeUndockPrivilege                3600  MSIEXEC.EXE
  Token: SeSyncAgentPrivilege             3600  MSIEXEC.EXE
  Token: SeEnableDelegationPrivilege      3600  MSIEXEC.EXE
  Token: SeManageVolumePrivilege          3600  MSIEXEC.EXE
  Token: SeImpersonatePrivilege           3600  MSIEXEC.EXE
  Token: SeCreateGlobalPrivilege          3600  MSIEXEC.EXE
  Token: SeCreateTokenPrivilege           3600  MSIEXEC.EXE
  Token: SeAssignPrimaryTokenPrivilege    3600  MSIEXEC.EXE
  Token: SeLockMemoryPrivilege            3600  MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege         3600  MSIEXEC.EXE
  Token: SeMachineAccountPrivilege        3600  MSIEXEC.EXE
  Token: SeTcbPrivilege                   3600  MSIEXEC.EXE
  Token: SeSecurityPrivilege              3600  MSIEXEC.EXE
  Token: SeTakeOwnershipPrivilege         3600  MSIEXEC.EXE
  Token: SeLoadDriverPrivilege            3600  MSIEXEC.EXE
  Token: SeSystemProfilePrivilege         3600  MSIEXEC.EXE
  Token: SeSystemtimePrivilege            3600  MSIEXEC.EXE
  Token: SeProfSingleProcessPrivilege     3600  MSIEXEC.EXE
  Token: SeIncBasePriorityPrivilege       3600  MSIEXEC.EXE
  Token: SeCreatePagefilePrivilege        3600  MSIEXEC.EXE
  Token: SeCreatePermanentPrivilege       3600  MSIEXEC.EXE
  Token: SeBackupPrivilege                3600  MSIEXEC.EXE
  Token: SeRestorePrivilege               3600  MSIEXEC.EXE
  Token: SeShutdownPrivilege              3600  MSIEXEC.EXE
  Token: SeDebugPrivilege                 3600  MSIEXEC.EXE
  Token: SeAuditPrivilege                 3600  MSIEXEC.EXE
  Token: SeSystemEnvironmentPrivilege     3600  MSIEXEC.EXE
  Token: SeChangeNotifyPrivilege          3600  MSIEXEC.EXE
  Token: SeRemoteShutdownPrivilege        3600  MSIEXEC.EXE
  Token: SeUndockPrivilege                3600  MSIEXEC.EXE
  Token: SeSyncAgentPrivilege             3600  MSIEXEC.EXE
  Token: SeEnableDelegationPrivilege      3600  MSIEXEC.EXE
  Token: SeManageVolumePrivilege          3600  MSIEXEC.EXE
  Token: SeImpersonatePrivilege           3600  MSIEXEC.EXE
  Token: SeCreateGlobalPrivilege          3600  MSIEXEC.EXE
  Token: SeCreateTokenPrivilege           3600  MSIEXEC.EXE
  Token: SeAssignPrimaryTokenPrivilege    3600  MSIEXEC.EXE
  Token: SeLockMemoryPrivilege            3600  MSIEXEC.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  3600  MSIEXEC.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 4208 wrote to memory of 3600  4208  1204d20baa28f0813d21d6ff7bd53773f709e5ea4bb7716d57be3af0812c58ef.exe  82
  PID 4208 wrote to memory of 3600  4208  1204d20baa28f0813d21d6ff7bd53773f709e5ea4bb7716d57be3af0812c58ef.exe  82
  PID 4208 wrote to memory of 3600  4208  1204d20baa28f0813d21d6ff7bd53773f709e5ea4bb7716d57be3af0812c58ef.exe  82
  PID 60 wrote to memory of 812     60    msiexec.exe                                                               85
  PID 60 wrote to memory of 812     60    msiexec.exe                                                               85
  PID 60 wrote to memory of 812     60    msiexec.exe                                                               85
  PID 812 wrote to memory of 1992   812   MsiExec.exe                                                               86
  PID 812 wrote to memory of 1992   812   MsiExec.exe                                                               86
Processes
- C:\Users\Admin\AppData\Local\Temp\1204d20baa28f0813d21d6ff7bd53773f709e5ea4bb7716d57be3af0812c58ef.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1204d20baa28f0813d21d6ff7bd53773f709e5ea4bb7716d57be3af0812c58ef.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4208
  - C:\Windows\SysWOW64\MSIEXEC.EXE
    Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{973B5E95-2AD5-4CC4-B648-75686DC010A3}\Vizpower.msi" TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{973B5E95-2AD5-4CC4-B648-75686DC010A3}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="1204d20baa28f0813d21d6ff7bd53773f709e5ea4bb7716d57be3af0812c58ef.exe"
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 3600
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 60
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 437ED3DED9C90C4D8D840DBBED5A10C3 C
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 812
    - C:\Users\Admin\AppData\Local\Temp\{4DF49500-375D-485D-B85A-BCD56553770D}\ISBEW64.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\{4DF49500-375D-485D-B85A-BCD56553770D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{40FCB4FC-3ACB-4A91-B19C-A9C70294C26F}
      - Executes dropped EXE
      PID: 1992
Network
MITRE ATT&CK Enterprise v6
Downloads