592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8

Analysis

max time kernel
26s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe
Size

850KB
MD5

ef23ad78508950e75894b846d1327c2b
SHA1

b5e3e1f9a3c157361621ecb3a0bfcd48234a9f7f
SHA256

592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8
SHA512

0e8c600555defff949bde69c7e3129e06b2e8efe56cbef6da767b778107b5bddb899379d8705ae79b86c5cc899c2cc8e904a1f993ba111e38864d0e73bc51455
SSDEEP

12288:Dr6JiSK2mXyP85SqM5mZ67l03Tq/wiIzy4PdCmvpeqz8/9tRatjSmphL2VPifd:n6UzdyP267C3T4eZ5kqQ9jatnhL20d

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
600	MsiExec.exe
600	MsiExec.exe
600	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1056	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1056	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeSecurityPrivilege	1928	msiexec.exe
Token: SeCreateTokenPrivilege	1056	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1056	msiexec.exe
Token: SeLockMemoryPrivilege	1056	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1056	msiexec.exe
Token: SeMachineAccountPrivilege	1056	msiexec.exe
Token: SeTcbPrivilege	1056	msiexec.exe
Token: SeSecurityPrivilege	1056	msiexec.exe
Token: SeTakeOwnershipPrivilege	1056	msiexec.exe
Token: SeLoadDriverPrivilege	1056	msiexec.exe
Token: SeSystemProfilePrivilege	1056	msiexec.exe
Token: SeSystemtimePrivilege	1056	msiexec.exe
Token: SeProfSingleProcessPrivilege	1056	msiexec.exe
Token: SeIncBasePriorityPrivilege	1056	msiexec.exe
Token: SeCreatePagefilePrivilege	1056	msiexec.exe
Token: SeCreatePermanentPrivilege	1056	msiexec.exe
Token: SeBackupPrivilege	1056	msiexec.exe
Token: SeRestorePrivilege	1056	msiexec.exe
Token: SeShutdownPrivilege	1056	msiexec.exe
Token: SeDebugPrivilege	1056	msiexec.exe
Token: SeAuditPrivilege	1056	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1056	msiexec.exe
Token: SeChangeNotifyPrivilege	1056	msiexec.exe
Token: SeRemoteShutdownPrivilege	1056	msiexec.exe
Token: SeUndockPrivilege	1056	msiexec.exe
Token: SeSyncAgentPrivilege	1056	msiexec.exe
Token: SeEnableDelegationPrivilege	1056	msiexec.exe
Token: SeManageVolumePrivilege	1056	msiexec.exe
Token: SeImpersonatePrivilege	1056	msiexec.exe
Token: SeCreateGlobalPrivilege	1056	msiexec.exe
Token: SeCreateTokenPrivilege	1056	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1056	msiexec.exe
Token: SeLockMemoryPrivilege	1056	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1056	msiexec.exe
Token: SeMachineAccountPrivilege	1056	msiexec.exe
Token: SeTcbPrivilege	1056	msiexec.exe
Token: SeSecurityPrivilege	1056	msiexec.exe
Token: SeTakeOwnershipPrivilege	1056	msiexec.exe
Token: SeLoadDriverPrivilege	1056	msiexec.exe
Token: SeSystemProfilePrivilege	1056	msiexec.exe
Token: SeSystemtimePrivilege	1056	msiexec.exe
Token: SeProfSingleProcessPrivilege	1056	msiexec.exe
Token: SeIncBasePriorityPrivilege	1056	msiexec.exe
Token: SeCreatePagefilePrivilege	1056	msiexec.exe
Token: SeCreatePermanentPrivilege	1056	msiexec.exe
Token: SeBackupPrivilege	1056	msiexec.exe
Token: SeRestorePrivilege	1056	msiexec.exe
Token: SeShutdownPrivilege	1056	msiexec.exe
Token: SeDebugPrivilege	1056	msiexec.exe
Token: SeAuditPrivilege	1056	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1056	msiexec.exe
Token: SeChangeNotifyPrivilege	1056	msiexec.exe
Token: SeRemoteShutdownPrivilege	1056	msiexec.exe
Token: SeUndockPrivilege	1056	msiexec.exe
Token: SeSyncAgentPrivilege	1056	msiexec.exe
Token: SeEnableDelegationPrivilege	1056	msiexec.exe
Token: SeManageVolumePrivilege	1056	msiexec.exe
Token: SeImpersonatePrivilege	1056	msiexec.exe
Token: SeCreateGlobalPrivilege	1056	msiexec.exe
Token: SeCreateTokenPrivilege	1056	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1056	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 1056	1020	592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe	27
PID 1020 wrote to memory of 1056	1020	592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe	27
PID 1020 wrote to memory of 1056	1020	592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe	27
PID 1020 wrote to memory of 1056	1020	592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe	27
PID 1020 wrote to memory of 1056	1020	592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe	27
PID 1020 wrote to memory of 1056	1020	592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe	27
PID 1020 wrote to memory of 1056	1020	592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe	27
PID 1928 wrote to memory of 600	1928	msiexec.exe	29
PID 1928 wrote to memory of 600	1928	msiexec.exe	29
PID 1928 wrote to memory of 600	1928	msiexec.exe	29
PID 1928 wrote to memory of 600	1928	msiexec.exe	29
PID 1928 wrote to memory of 600	1928	msiexec.exe	29
PID 1928 wrote to memory of 600	1928	msiexec.exe	29
PID 1928 wrote to memory of 600	1928	msiexec.exe	29

C:\Users\Admin\AppData\Local\Temp\592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe
"C:\Users\Admin\AppData\Local\Temp\592ee7b0ddb4df10594e89695a274612073ea1001cdc5f4bc35392e6797f71a8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\5Clicks.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1056

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 47B25242C04924A4999B32AAAD760329 C
  2⤵
  - Loads dropped DLL
  PID:600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI4FA7.tmp

Filesize
89KB

MD5
cfec418f8bfdf45320905174ac6160f4

SHA1
e5f5ca88cbbe009573fec7959faee5a3f7c352f9

SHA256
aa1b7bcd853f8b191457f3f7744bdd73dbfda33e91c14d905ae59ef813d0a7ae

SHA512
8b92aa43c7ec7b186c71a755b7f8783ab5e7693955bc77fb49477afc0b93f933ee826366e606273bb145edf2308c59a05e8ee4cd43bd6a021cf8985fcd0c426e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI53AE.tmp

Filesize
89KB

MD5
cfec418f8bfdf45320905174ac6160f4

SHA1
e5f5ca88cbbe009573fec7959faee5a3f7c352f9

SHA256
aa1b7bcd853f8b191457f3f7744bdd73dbfda33e91c14d905ae59ef813d0a7ae

SHA512
8b92aa43c7ec7b186c71a755b7f8783ab5e7693955bc77fb49477afc0b93f933ee826366e606273bb145edf2308c59a05e8ee4cd43bd6a021cf8985fcd0c426e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI542B.tmp

Filesize
89KB

MD5
cfec418f8bfdf45320905174ac6160f4

SHA1
e5f5ca88cbbe009573fec7959faee5a3f7c352f9

SHA256
aa1b7bcd853f8b191457f3f7744bdd73dbfda33e91c14d905ae59ef813d0a7ae

SHA512
8b92aa43c7ec7b186c71a755b7f8783ab5e7693955bc77fb49477afc0b93f933ee826366e606273bb145edf2308c59a05e8ee4cd43bd6a021cf8985fcd0c426e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\5Clicks.msi

Filesize
885KB

MD5
72686ffebb8293df523f35078d94f47d

SHA1
ce43b0c9b29d6cad1db242399846b1ae27ba5a8d

SHA256
957ea0b94d928ecb0b111d2c2b9c1d88d58a98d28b7d3f6f192d60d9295b8d15

SHA512
e7120247bb547f1b912130b433ba514d3ff507b3f732c01e2c657f9f6b9b4c1c22802343eff00cae8273d0551e7ced34efc2cfd8bd4eb5d0c7ca73220749782a

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4FA7.tmp

Filesize
89KB

MD5
cfec418f8bfdf45320905174ac6160f4

SHA1
e5f5ca88cbbe009573fec7959faee5a3f7c352f9

SHA256
aa1b7bcd853f8b191457f3f7744bdd73dbfda33e91c14d905ae59ef813d0a7ae

SHA512
8b92aa43c7ec7b186c71a755b7f8783ab5e7693955bc77fb49477afc0b93f933ee826366e606273bb145edf2308c59a05e8ee4cd43bd6a021cf8985fcd0c426e

Download Submit
\Users\Admin\AppData\Local\Temp\MSI53AE.tmp

Filesize
89KB

MD5
cfec418f8bfdf45320905174ac6160f4

SHA1
e5f5ca88cbbe009573fec7959faee5a3f7c352f9

SHA256
aa1b7bcd853f8b191457f3f7744bdd73dbfda33e91c14d905ae59ef813d0a7ae

SHA512
8b92aa43c7ec7b186c71a755b7f8783ab5e7693955bc77fb49477afc0b93f933ee826366e606273bb145edf2308c59a05e8ee4cd43bd6a021cf8985fcd0c426e

Download Submit
\Users\Admin\AppData\Local\Temp\MSI542B.tmp

Filesize
89KB

MD5
cfec418f8bfdf45320905174ac6160f4

SHA1
e5f5ca88cbbe009573fec7959faee5a3f7c352f9

SHA256
aa1b7bcd853f8b191457f3f7744bdd73dbfda33e91c14d905ae59ef813d0a7ae

SHA512
8b92aa43c7ec7b186c71a755b7f8783ab5e7693955bc77fb49477afc0b93f933ee826366e606273bb145edf2308c59a05e8ee4cd43bd6a021cf8985fcd0c426e

Download Submit
memory/1020-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/1928-58-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download