Analysis

max time kernel: 57s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05/11/2022, 09:35
Static task: static1

Behavioral task: behavioral1
  Sample: File-Chapter-1.msi
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: File-Chapter-1.msi
  Resource: win10v2004-20220812-en
General

Target: File-Chapter-1.msi
Size: 485.4MB
MD5: df5afa29654a755609c4319cd406c39f
SHA1: 16571ad89dbfb84a17f2298d0299e8b10875f5f4
SHA256: dc428cfb63d2a54caa2d5976aeab317caa1a6d820bf9b85dd5ce7b66f3c4fbb5
SHA512: cd00de279b52d98f874cb79726ce6f7ed38dfc0c766f26aabb611fb425bce5d6cfb9182d4494540604310a0abcef79fe5919f344ac120e23cb6c41937f3807ee
SSDEEP: 49152:MU+VZw1Iwo7ctQNpYxfT22baKljRUPzB29FQN:gZcogtmYxfT2287BaFQN
Malware Config

Signatures

Loads dropped DLL (1 IoC)
  pid 1096, Process MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: msiexec.exe
  ioc (48 entries; every letter below is listed twice, C: and D: are absent):
    \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N:
    \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\Installer\6c45a9.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\6c45a9.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI4BD0.tmp (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1180, Process msiexec.exe
  pid 1180, Process msiexec.exe
Suspicious use of AdjustPrivilegeToken (38 IoCs)
  description / pid / Process
  Token: SeShutdownPrivilege / 1640 / msiexec.exe
  Token: SeIncreaseQuotaPrivilege / 1640 / msiexec.exe
  Token: SeRestorePrivilege / 1180 / msiexec.exe
  Token: SeTakeOwnershipPrivilege / 1180 / msiexec.exe
  Token: SeSecurityPrivilege / 1180 / msiexec.exe
  Token: SeCreateTokenPrivilege / 1640 / msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege / 1640 / msiexec.exe
  Token: SeLockMemoryPrivilege / 1640 / msiexec.exe
  Token: SeIncreaseQuotaPrivilege / 1640 / msiexec.exe
  Token: SeMachineAccountPrivilege / 1640 / msiexec.exe
  Token: SeTcbPrivilege / 1640 / msiexec.exe
  Token: SeSecurityPrivilege / 1640 / msiexec.exe
  Token: SeTakeOwnershipPrivilege / 1640 / msiexec.exe
  Token: SeLoadDriverPrivilege / 1640 / msiexec.exe
  Token: SeSystemProfilePrivilege / 1640 / msiexec.exe
  Token: SeSystemtimePrivilege / 1640 / msiexec.exe
  Token: SeProfSingleProcessPrivilege / 1640 / msiexec.exe
  Token: SeIncBasePriorityPrivilege / 1640 / msiexec.exe
  Token: SeCreatePagefilePrivilege / 1640 / msiexec.exe
  Token: SeCreatePermanentPrivilege / 1640 / msiexec.exe
  Token: SeBackupPrivilege / 1640 / msiexec.exe
  Token: SeRestorePrivilege / 1640 / msiexec.exe
  Token: SeShutdownPrivilege / 1640 / msiexec.exe
  Token: SeDebugPrivilege / 1640 / msiexec.exe
  Token: SeAuditPrivilege / 1640 / msiexec.exe
  Token: SeSystemEnvironmentPrivilege / 1640 / msiexec.exe
  Token: SeChangeNotifyPrivilege / 1640 / msiexec.exe
  Token: SeRemoteShutdownPrivilege / 1640 / msiexec.exe
  Token: SeUndockPrivilege / 1640 / msiexec.exe
  Token: SeSyncAgentPrivilege / 1640 / msiexec.exe
  Token: SeEnableDelegationPrivilege / 1640 / msiexec.exe
  Token: SeManageVolumePrivilege / 1640 / msiexec.exe
  Token: SeImpersonatePrivilege / 1640 / msiexec.exe
  Token: SeCreateGlobalPrivilege / 1640 / msiexec.exe
  Token: SeRestorePrivilege / 1180 / msiexec.exe
  Token: SeTakeOwnershipPrivilege / 1180 / msiexec.exe
  Token: SeRestorePrivilege / 1180 / msiexec.exe
  Token: SeTakeOwnershipPrivilege / 1180 / msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1640, Process msiexec.exe
  pid 1640, Process msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 1180 wrote to memory of 1096; pid 1180; Process msiexec.exe; procid_target 28
  (the same entry is recorded 7 times)
Processes

C:\Windows\system32\msiexec.exe (PID 1640)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\File-Chapter-1.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 1180)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe (PID 1096, child process)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 34AD71C40FF80E4D0385E11CDCDBE9A5
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 484.9MB
MD5: b593ea17e08a0221cbdfb3008e39fdfd
SHA1: 9df73a46059609f51cdf3c508ed5612affa8600c
SHA256: 8755affc928eec2a06647929e4a4d1dbbbb6f199f5c31b08549936d030205ea5
SHA512: 919001ce4fddb845d6a63b4297144408d0d578b4a54b617a1dba0ababbe6f8d510d1e9cd183cd88d2893d305964ae5664a0c834349de71abefc1635143416f90