9aecd6e556767f2d85f9983225956f561a4bb273d4309149fc99cfe07b486def

Analysis

max time kernel
89s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2022 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

File-Chapter-1.msi
Size

485.4MB
MD5

df5afa29654a755609c4319cd406c39f
SHA1

16571ad89dbfb84a17f2298d0299e8b10875f5f4
SHA256

dc428cfb63d2a54caa2d5976aeab317caa1a6d820bf9b85dd5ce7b66f3c4fbb5
SHA512

cd00de279b52d98f874cb79726ce6f7ed38dfc0c766f26aabb611fb425bce5d6cfb9182d4494540604310a0abcef79fe5919f344ac120e23cb6c41937f3807ee
SSDEEP

49152:MU+VZw1Iwo7ctQNpYxfT22baKljRUPzB29FQN:gZcogtmYxfT2287BaFQN

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1540	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e56d0f1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d0f1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID611.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5016	msiexec.exe
5016	msiexec.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4636	msiexec.exe
Token: SeSecurityPrivilege	5016	msiexec.exe
Token: SeCreateTokenPrivilege	4636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4636	msiexec.exe
Token: SeLockMemoryPrivilege	4636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4636	msiexec.exe
Token: SeMachineAccountPrivilege	4636	msiexec.exe
Token: SeTcbPrivilege	4636	msiexec.exe
Token: SeSecurityPrivilege	4636	msiexec.exe
Token: SeTakeOwnershipPrivilege	4636	msiexec.exe
Token: SeLoadDriverPrivilege	4636	msiexec.exe
Token: SeSystemProfilePrivilege	4636	msiexec.exe
Token: SeSystemtimePrivilege	4636	msiexec.exe
Token: SeProfSingleProcessPrivilege	4636	msiexec.exe
Token: SeIncBasePriorityPrivilege	4636	msiexec.exe
Token: SeCreatePagefilePrivilege	4636	msiexec.exe
Token: SeCreatePermanentPrivilege	4636	msiexec.exe
Token: SeBackupPrivilege	4636	msiexec.exe
Token: SeRestorePrivilege	4636	msiexec.exe
Token: SeShutdownPrivilege	4636	msiexec.exe
Token: SeDebugPrivilege	4636	msiexec.exe
Token: SeAuditPrivilege	4636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4636	msiexec.exe
Token: SeChangeNotifyPrivilege	4636	msiexec.exe
Token: SeRemoteShutdownPrivilege	4636	msiexec.exe
Token: SeUndockPrivilege	4636	msiexec.exe
Token: SeSyncAgentPrivilege	4636	msiexec.exe
Token: SeEnableDelegationPrivilege	4636	msiexec.exe
Token: SeManageVolumePrivilege	4636	msiexec.exe
Token: SeImpersonatePrivilege	4636	msiexec.exe
Token: SeCreateGlobalPrivilege	4636	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4636	msiexec.exe
4636	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 1540	5016	msiexec.exe	81
PID 5016 wrote to memory of 1540	5016	msiexec.exe	81
PID 5016 wrote to memory of 1540	5016	msiexec.exe	81

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\File-Chapter-1.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 02C05E837D0D71B113DF2E219ED0B906
  2⤵
  - Loads dropped DLL
  PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSID611.tmp

Filesize
484.9MB

MD5
b593ea17e08a0221cbdfb3008e39fdfd

SHA1
9df73a46059609f51cdf3c508ed5612affa8600c

SHA256
8755affc928eec2a06647929e4a4d1dbbbb6f199f5c31b08549936d030205ea5

SHA512
919001ce4fddb845d6a63b4297144408d0d578b4a54b617a1dba0ababbe6f8d510d1e9cd183cd88d2893d305964ae5664a0c834349de71abefc1635143416f90

Download Submit
C:\Windows\Installer\MSID611.tmp

Filesize
484.9MB

MD5
b593ea17e08a0221cbdfb3008e39fdfd

SHA1
9df73a46059609f51cdf3c508ed5612affa8600c

SHA256
8755affc928eec2a06647929e4a4d1dbbbb6f199f5c31b08549936d030205ea5

SHA512
919001ce4fddb845d6a63b4297144408d0d578b4a54b617a1dba0ababbe6f8d510d1e9cd183cd88d2893d305964ae5664a0c834349de71abefc1635143416f90

Download Submit
memory/1540-132-0x0000000000000000-mapping.dmp

Download
memory/1540-135-0x0000000002EA0000-0x0000000002FDA000-memory.dmp

Filesize
1.2MB

Download
memory/1540-136-0x0000000056F00000-0x0000000057F00000-memory.dmp

Filesize
16.0MB

Download
memory/1540-137-0x0000000002EA0000-0x0000000002FDA000-memory.dmp

Filesize
1.2MB

Download
memory/1540-138-0x0000000056F00000-0x0000000057F00000-memory.dmp

Filesize
16.0MB

Download
memory/1540-139-0x0000000002EA0000-0x0000000002F6B000-memory.dmp

Filesize
812KB

Download
memory/1540-140-0x0000000002F70000-0x0000000003028000-memory.dmp

Filesize
736KB

Download
memory/1540-143-0x0000000056F00000-0x0000000057020000-memory.dmp

Filesize
1.1MB

Download