Analysis
-
max time kernel
37s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
01/11/2022, 11:43
Static task
static1
Behavioral task
behavioral1
Sample
File_Part.1.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
File_Part.1.msi
Resource
win10v2004-20220812-en
General
-
Target
File_Part.1.msi
-
Size
484.3MB
-
MD5
c970f7ea3af14415cc2a47eba0d86f9c
-
SHA1
eaf1b4bdbbc5adfd7b9959ba898305f2277b57c1
-
SHA256
fdf27fedc4ee0afda54f5ad05b490570d9bf025636b18b74fcda5a604aabee6f
-
SHA512
8b96d0780bbb476937ecc1a148e34666bb821aaf576f18276fafe746c329fefa3d10728a44863caa3191db7d5ae9c5f07650893923a277a178c9b65e3110d79e
-
SSDEEP
49152:PCbnqiTqLNEfjQpamz+IgtxSPuPzB29FQN:Uqdqfuamz+IgtB7BaFQN
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid   Process
1332  MsiExec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
(48 rows in total: every drive letter except C: and D: is opened read-only, and each letter appears twice in the list)
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe -
Drops file in Windows directory 3 IoCs
description                   ioc                                Process
File created                  C:\Windows\Installer\6c6394.msi    msiexec.exe
File opened for modification  C:\Windows\Installer\6c6394.msi    msiexec.exe
File opened for modification  C:\Windows\Installer\MSI6A67.tmp   msiexec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
520  msiexec.exe
520  msiexec.exe -
Suspicious use of AdjustPrivilegeToken 38 IoCs
description                           pid   Process
Token: SeShutdownPrivilege            1480  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1480  msiexec.exe
Token: SeRestorePrivilege             520   msiexec.exe
Token: SeTakeOwnershipPrivilege       520   msiexec.exe
Token: SeSecurityPrivilege            520   msiexec.exe
Token: SeCreateTokenPrivilege         1480  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  1480  msiexec.exe
Token: SeLockMemoryPrivilege          1480  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1480  msiexec.exe
Token: SeMachineAccountPrivilege      1480  msiexec.exe
Token: SeTcbPrivilege                 1480  msiexec.exe
Token: SeSecurityPrivilege            1480  msiexec.exe
Token: SeTakeOwnershipPrivilege       1480  msiexec.exe
Token: SeLoadDriverPrivilege          1480  msiexec.exe
Token: SeSystemProfilePrivilege       1480  msiexec.exe
Token: SeSystemtimePrivilege          1480  msiexec.exe
Token: SeProfSingleProcessPrivilege   1480  msiexec.exe
Token: SeIncBasePriorityPrivilege     1480  msiexec.exe
Token: SeCreatePagefilePrivilege      1480  msiexec.exe
Token: SeCreatePermanentPrivilege     1480  msiexec.exe
Token: SeBackupPrivilege              1480  msiexec.exe
Token: SeRestorePrivilege             1480  msiexec.exe
Token: SeShutdownPrivilege            1480  msiexec.exe
Token: SeDebugPrivilege               1480  msiexec.exe
Token: SeAuditPrivilege               1480  msiexec.exe
Token: SeSystemEnvironmentPrivilege   1480  msiexec.exe
Token: SeChangeNotifyPrivilege        1480  msiexec.exe
Token: SeRemoteShutdownPrivilege      1480  msiexec.exe
Token: SeUndockPrivilege              1480  msiexec.exe
Token: SeSyncAgentPrivilege           1480  msiexec.exe
Token: SeEnableDelegationPrivilege    1480  msiexec.exe
Token: SeManageVolumePrivilege        1480  msiexec.exe
Token: SeImpersonatePrivilege         1480  msiexec.exe
Token: SeCreateGlobalPrivilege        1480  msiexec.exe
Token: SeRestorePrivilege             520   msiexec.exe
Token: SeTakeOwnershipPrivilege       520   msiexec.exe
Token: SeRestorePrivilege             520   msiexec.exe
Token: SeTakeOwnershipPrivilege       520   msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
1480  msiexec.exe
1480  msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description                        pid  Process      procid_target
PID 520 wrote to memory of 1332    520  msiexec.exe  29
(the same row is recorded 7 times)
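Added example, not part of the sandbox report: a small parser for the flattened signature rows above (drive enumeration, AdjustPrivilegeToken, WriteProcessMemory), run on rows copied from this report, that pulls the IoCs into structured form and reduces them to the facts a responder checks first. The sample rows are a subset of the report's own; the `SENSITIVE_PRIVILEGES` set and the flagging rules in `triage()` are this example's assumptions, not sandbox output.

```python
"""Parse flattened sandbox-report signature rows into structured IoCs.

Added example, not sandbox output. Sample rows are copied from the report
above; SENSITIVE_PRIVILEGES and the flagging rules are this example's own
assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input: a subset of the report's own rows, in the flattened
# form the page presents them (one row after another on a single line).
DRIVE_ROWS = (
    r"File opened (read-only) \??\K: msiexec.exe "
    r"File opened (read-only) \??\A: msiexec.exe "
    r"File opened (read-only) \??\H: msiexec.exe "
    r"File opened (read-only) \??\V: msiexec.exe "
    r"File opened (read-only) \??\O: msiexec.exe "
    r"File opened (read-only) \??\H: msiexec.exe"
)
TOKEN_ROWS = (
    "Token: SeShutdownPrivilege 1480 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 1480 msiexec.exe "
    "Token: SeRestorePrivilege 520 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 520 msiexec.exe "
    "Token: SeTcbPrivilege 1480 msiexec.exe "
    "Token: SeDebugPrivilege 1480 msiexec.exe"
)
WPM_ROWS = "PID 520 wrote to memory of 1332 520 msiexec.exe 29 " * 3

# Row grammars as they appear in the report:
#   "File opened (<mode>) \??\<drive>: <Process>"
#   "Token: <privilege> <pid> <Process>"
#   "PID <a> wrote to memory of <b> <pid> <Process> <procid_target>"
DRIVE_RE = re.compile(r"File opened \((?P<mode>[^)]+)\) \\\?\?\\(?P<drive>[A-Z]): (?P<proc>\S+)")
TOKEN_RE = re.compile(r"Token: (?P<priv>Se\w+Privilege) (?P<pid>\d+) (?P<proc>\S+)")
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+) (?P<target>\d+)")

# Assumption of this example: privileges whose enabling deserves a second look.
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeImpersonatePrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}


def parse_drive_probes(rows: str) -> Counter:
    """Count root-path opens per drive letter (each duplicate row counts once)."""
    return Counter(m.group("drive") for m in DRIVE_RE.finditer(rows))


def parse_privileges(rows: str) -> dict:
    """Map pid -> set of privileges that process enabled on its token."""
    out = defaultdict(set)
    for m in TOKEN_RE.finditer(rows):
        out[int(m.group("pid"))].add(m.group("priv"))
    return dict(out)


def parse_memory_writes(rows: str) -> Counter:
    """Count WriteProcessMemory rows per (writer pid, target pid) pair."""
    return Counter(
        (int(m.group("src")), int(m.group("dst"))) for m in WPM_RE.finditer(rows)
    )


def triage(drive_rows: str, token_rows: str, wpm_rows: str) -> dict:
    """Reduce the three tables to the facts a responder checks first."""
    drives = parse_drive_probes(drive_rows)
    privs = parse_privileges(token_rows)
    writes = parse_memory_writes(wpm_rows)
    return {
        # Letters other than the system drive: the signature's own criterion.
        "drives_beyond_c": sorted(d for d in drives if d != "C"),
        # Which process enabled which sensitive privileges.
        "sensitive_privs": {
            pid: sorted(p & SENSITIVE_PRIVILEGES)
            for pid, p in privs.items() if p & SENSITIVE_PRIVILEGES
        },
        # Cross-process writes, collapsed to writer->target with a count.
        "cross_process_writes": {
            f"{s}->{d}": n for (s, d), n in writes.items() if s != d
        },
    }


if __name__ == "__main__":
    for key, value in triage(DRIVE_ROWS, TOKEN_ROWS, WPM_ROWS).items():
        print(f"{key}: {value}")
```

The parser extracts facts; it does not give a verdict. For msiexec.exe most of these rows are baseline behaviour of the Windows Installer service (it enables a long list of privileges and writes into the custom action server it spawns), so what decides the case is the dropped DLL that PID 1332 loads, which this section of the report does not name.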
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\File_Part.1.msi
(top level: the client-side msiexec that opens the submitted package for install)
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1480
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
(top level: the Windows Installer service, which performs the install and caches the package under C:\Windows\Installer)
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520
  -
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8C85DF53125131742033B1D0B7B2C1FC
  (child of PID 520: the 32-bit custom action server spawned by the service; the WriteProcessMemory rows above are PID 520 writing into this child, and it is the process that loads the dropped DLL)
  - Loads dropped DLL
  PID:1332
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
483.8MB
MD5
99f2f92fc126e2a1d74f29973bbc48f9
SHA1
988ab2fa002cc60e9c286dbdb3774043a72a1c46
SHA256
b8bf60526783aff6a053a1a9aa8c5b781b7af7b55bbfe44fbb7d63c8f08094f5
SHA512
5b0f07be7bd6c6c13291b4bbf8a8661ff97590df30f10998362cd1f6453b194c483a0273366e8183547509087231cb544e776eb0e69d9ccc8e1ccf2bb31d74dc