Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2022, 11:43
Static task
static1
Behavioral task
behavioral1
Sample
File_Part.1.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
File_Part.1.msi
Resource
win10v2004-20220812-en
General
- Target: File_Part.1.msi
- Size: 484.3MB
- MD5: c970f7ea3af14415cc2a47eba0d86f9c
- SHA1: eaf1b4bdbbc5adfd7b9959ba898305f2277b57c1
- SHA256: fdf27fedc4ee0afda54f5ad05b490570d9bf025636b18b74fcda5a604aabee6f
- SHA512: 8b96d0780bbb476937ecc1a148e34666bb821aaf576f18276fafe746c329fefa3d10728a44863caa3191db7d5ae9c5f07650893923a277a178c9b65e3110d79e
- SSDEEP: 49152:PCbnqiTqLNEfjQpamz+IgtxSPuPzB29FQN:Uqdqfuamz+IgtB7BaFQN
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid   Process
  4792  MsiExec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
- Drops file in Windows directory (4 IoCs)
  description                   ioc                                                        Process
  File created                  C:\Windows\Installer\e56e9c8.msi                           msiexec.exe
  File opened for modification  C:\Windows\Installer\e56e9c8.msi                           msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log   msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIEFB4.tmp                           msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3948  msiexec.exe
  3948  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            2460  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       2460  msiexec.exe
  Token: SeSecurityPrivilege            3948  msiexec.exe
  Token: SeCreateTokenPrivilege         2460  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  2460  msiexec.exe
  Token: SeLockMemoryPrivilege          2460  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       2460  msiexec.exe
  Token: SeMachineAccountPrivilege      2460  msiexec.exe
  Token: SeTcbPrivilege                 2460  msiexec.exe
  Token: SeSecurityPrivilege            2460  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2460  msiexec.exe
  Token: SeLoadDriverPrivilege          2460  msiexec.exe
  Token: SeSystemProfilePrivilege       2460  msiexec.exe
  Token: SeSystemtimePrivilege          2460  msiexec.exe
  Token: SeProfSingleProcessPrivilege   2460  msiexec.exe
  Token: SeIncBasePriorityPrivilege     2460  msiexec.exe
  Token: SeCreatePagefilePrivilege      2460  msiexec.exe
  Token: SeCreatePermanentPrivilege     2460  msiexec.exe
  Token: SeBackupPrivilege              2460  msiexec.exe
  Token: SeRestorePrivilege             2460  msiexec.exe
  Token: SeShutdownPrivilege            2460  msiexec.exe
  Token: SeDebugPrivilege               2460  msiexec.exe
  Token: SeAuditPrivilege               2460  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   2460  msiexec.exe
  Token: SeChangeNotifyPrivilege        2460  msiexec.exe
  Token: SeRemoteShutdownPrivilege      2460  msiexec.exe
  Token: SeUndockPrivilege              2460  msiexec.exe
  Token: SeSyncAgentPrivilege           2460  msiexec.exe
  Token: SeEnableDelegationPrivilege    2460  msiexec.exe
  Token: SeManageVolumePrivilege        2460  msiexec.exe
  Token: SeImpersonatePrivilege         2460  msiexec.exe
  Token: SeCreateGlobalPrivilege        2460  msiexec.exe
  Token: SeRestorePrivilege             3948  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3948  msiexec.exe
  Token: SeRestorePrivilege             3948  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3948  msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  2460  msiexec.exe
  2460  msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process      procid_target
  PID 3948 wrote to memory of 4792    3948  msiexec.exe  80
  PID 3948 wrote to memory of 4792    3948  msiexec.exe  80
  PID 3948 wrote to memory of 4792    3948  msiexec.exe  80
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\File_Part.1.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2460
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3948
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 0FB318747A2D0B61BD8BFC449E2FE9EE
    - Loads dropped DLL
    PID: 4792
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 483.8MB
  MD5: 99f2f92fc126e2a1d74f29973bbc48f9
  SHA1: 988ab2fa002cc60e9c286dbdb3774043a72a1c46
  SHA256: b8bf60526783aff6a053a1a9aa8c5b781b7af7b55bbfe44fbb7d63c8f08094f5
  SHA512: 5b0f07be7bd6c6c13291b4bbf8a8661ff97590df30f10998362cd1f6453b194c483a0273366e8183547509087231cb544e776eb0e69d9ccc8e1ccf2bb31d74dc
- Filesize: 483.8MB
  MD5: 99f2f92fc126e2a1d74f29973bbc48f9
  SHA1: 988ab2fa002cc60e9c286dbdb3774043a72a1c46
  SHA256: b8bf60526783aff6a053a1a9aa8c5b781b7af7b55bbfe44fbb7d63c8f08094f5
  SHA512: 5b0f07be7bd6c6c13291b4bbf8a8661ff97590df30f10998362cd1f6453b194c483a0273366e8183547509087231cb544e776eb0e69d9ccc8e1ccf2bb31d74dc