Analysis
max time kernel: 49s
max time network: 121s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 22/11/2022, 02:22
Static task
static1
Behavioral task
behavioral1
Sample
first_penetration_hymen_after_school_torn_vagina_photo.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
first_penetration_hymen_after_school_torn_vagina_photo.msi
Resource
win10v2004-20221111-en
General
Target: first_penetration_hymen_after_school_torn_vagina_photo.msi
Size: 493.7MB
MD5: f30e0a07ab31aa82a9014d8626aa69a4
SHA1: 01da449c5ad5ff2ee9809a6ca45ef768805df7c0
SHA256: 72b098b0759c48d9a26366813435366cc4cb1d3017fe5952c3c5443d7372ec00
SHA512: bc8d013135d65a79160a99c28fadce46279f216520ec2662afafd3d686d50e99d6e4ac5d95cbd33e438e11cb18116379dc8c2931f08abae67b7b6c2917acf5d4
SSDEEP: 24576:ckqW3m8d0IWpxnKrxLWg3sz88e7fh498+txBxotbD7+eoYBsQ0kaJFub7e:lvm89pHrh49ZtaJPzB29FQ7e
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
flow  pid   Process
2     1384  msiexec.exe

Loads dropped DLL (1 IoC)
pid  Process
664  MsiExec.exe

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe

Drops file in Windows directory (3 IoCs)
description                   ioc                                Process
File created                  C:\Windows\Installer\6c9609.msi    msiexec.exe
File opened for modification  C:\Windows\Installer\6c9609.msi    msiexec.exe
File opened for modification  C:\Windows\Installer\MSIA91E.tmp   msiexec.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
952  msiexec.exe
952  msiexec.exe

Suspicious use of AdjustPrivilegeToken (38 IoCs)
description                           pid   Process
Token: SeShutdownPrivilege            1384  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1384  msiexec.exe
Token: SeRestorePrivilege             952   msiexec.exe
Token: SeTakeOwnershipPrivilege       952   msiexec.exe
Token: SeSecurityPrivilege            952   msiexec.exe
Token: SeCreateTokenPrivilege         1384  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  1384  msiexec.exe
Token: SeLockMemoryPrivilege          1384  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1384  msiexec.exe
Token: SeMachineAccountPrivilege      1384  msiexec.exe
Token: SeTcbPrivilege                 1384  msiexec.exe
Token: SeSecurityPrivilege            1384  msiexec.exe
Token: SeTakeOwnershipPrivilege       1384  msiexec.exe
Token: SeLoadDriverPrivilege          1384  msiexec.exe
Token: SeSystemProfilePrivilege       1384  msiexec.exe
Token: SeSystemtimePrivilege          1384  msiexec.exe
Token: SeProfSingleProcessPrivilege   1384  msiexec.exe
Token: SeIncBasePriorityPrivilege     1384  msiexec.exe
Token: SeCreatePagefilePrivilege      1384  msiexec.exe
Token: SeCreatePermanentPrivilege     1384  msiexec.exe
Token: SeBackupPrivilege              1384  msiexec.exe
Token: SeRestorePrivilege             1384  msiexec.exe
Token: SeShutdownPrivilege            1384  msiexec.exe
Token: SeDebugPrivilege               1384  msiexec.exe
Token: SeAuditPrivilege               1384  msiexec.exe
Token: SeSystemEnvironmentPrivilege   1384  msiexec.exe
Token: SeChangeNotifyPrivilege        1384  msiexec.exe
Token: SeRemoteShutdownPrivilege      1384  msiexec.exe
Token: SeUndockPrivilege              1384  msiexec.exe
Token: SeSyncAgentPrivilege           1384  msiexec.exe
Token: SeEnableDelegationPrivilege    1384  msiexec.exe
Token: SeManageVolumePrivilege        1384  msiexec.exe
Token: SeImpersonatePrivilege         1384  msiexec.exe
Token: SeCreateGlobalPrivilege        1384  msiexec.exe
Token: SeRestorePrivilege             952   msiexec.exe
Token: SeTakeOwnershipPrivilege       952   msiexec.exe
Token: SeRestorePrivilege             952   msiexec.exe
Token: SeTakeOwnershipPrivilege       952   msiexec.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
1384  msiexec.exe
1384  msiexec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                     pid  Process      procid_target
PID 952 wrote to memory of 664  952  msiexec.exe  28
PID 952 wrote to memory of 664  952  msiexec.exe  28
PID 952 wrote to memory of 664  952  msiexec.exe  28
PID 952 wrote to memory of 664  952  msiexec.exe  28
PID 952 wrote to memory of 664  952  msiexec.exe  28
PID 952 wrote to memory of 664  952  msiexec.exe  28
PID 952 wrote to memory of 664  952  msiexec.exe  28
Processes

C:\Windows\system32\msiexec.exe (process tree depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\first_penetration_hymen_after_school_torn_vagina_photo.msi
  PID: 1384
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (process tree depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 952
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (process tree depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding FC5E3338CE63B2F5D0DCB6EFE82E8AA0
    PID: 664
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize: 471B
MD5: c7c4a68a3def2eda1ee9aa48befeb70a
SHA1: 36cb1c17307a605aabb2888bfb55f79c4347b465
SHA256: d7e1102849309b7d9c1a0ea0166d4a1dc7c1b89c35552c029cae3ad30b586c7b
SHA512: 79195177250c27980e4b0e46306d23db4e57fb5ef70330b0c39a1bd31aeb0a88d900a3bd22b1522f926609c3fad1c60750a99e127eead1ea355f97f5dcad3447

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937
Filesize: 471B
MD5: 7698d17f076d12b2708d519093eb4022
SHA1: 59d7998e4ee036ce314f4025c7cabeee3dbe61b3
SHA256: 029c6431c993f07f0183ea5b0acef6c5f6e0fc0eaa8ba913d1e30b762e80ad71
SHA512: 4ab92144d75870d4cd1f2442999d3dd7e7b31a1ce0159c10de92d994e0f1d6a0c4119034c79076ba3b8740d3e4735a3b25ad5f5ee7ab8e4b47d64b046284e83e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize: 434B
MD5: 936bc9105fc684c673d64e821c22e99b
SHA1: b65f7ba299e8e6972d104a6bbcdbbce79d145895
SHA256: b961441be256533eebc024291ed70ad7249c6e9e464e86229b39fb9e58f92c81
SHA512: a9e022c9030b8fde72df14b4d8f2e2d5a4426388d8184c358ae75d8daa3eb3266ea8f564859a8523dac09a9047e89cf05b60b331e504d57323dac7515775cebf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937
Filesize: 434B
MD5: 5f496d969dc5db7092abd5ca0cbc8368
SHA1: 8fd34e1f4ceb19c972057ddc95a0f4ff67be1969
SHA256: 365e8c8fd0e6ab90d7152cb8dbf910b85894109aa1ce132cfdd223e15303fcf8
SHA512: 8f943673c9e9f2226c4a05f7d79c332a38cd546af9aab3d007f0e2c1b56b79fd68a2f3d5980cb35476f82d5491d91c767b8c74a54babc93705ffbd9e32bcd19c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 340B
MD5: 06629519b56c114d30950ab818f71f91
SHA1: 73f0f22b97d783984ad9d7212829b076d327739f
SHA256: 110cad2e494593d6f2940dd3490e7e63b85412c5eaeb8282620f247beac65f13
SHA512: 8b4edd59c08689d0e51f64dd44504652e4befa6e0bd44f489241852da406f8fad655ec3e3ae02dbc7b524133f8116dc4542a73a68ad9b58e87c4cf5e1ed3bf55

Filesize: 493.2MB
MD5: 1d10eb16b41654fe606528cd6e6f9c39
SHA1: 80ac2eb7c27b8517f71b6843e51574aaa6e04ad9
SHA256: 310384a81efdf5b7a3267caa6c20ec1e473a24eab85ff541c1574c10ce11fd0c
SHA512: fa7470fb364096217372059c75df5308a96381d6aa5ec71f96e7b2effc9b55d2f42e13514db17eed1577da5bcb09cb3c3d4c0f4368760ebd21a06a92ed159423