ed43b673c00debf663f71272e10611254f99043bd3be0ce4f7448f312d4eb6b0

Analysis

max time kernel
49s
max time network
121s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22/11/2022, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

first_penetration_hymen_after_school_torn_vagina_photo.msi
Size

493.7MB
MD5

f30e0a07ab31aa82a9014d8626aa69a4
SHA1

01da449c5ad5ff2ee9809a6ca45ef768805df7c0
SHA256

72b098b0759c48d9a26366813435366cc4cb1d3017fe5952c3c5443d7372ec00
SHA512

bc8d013135d65a79160a99c28fadce46279f216520ec2662afafd3d686d50e99d6e4ac5d95cbd33e438e11cb18116379dc8c2931f08abae67b7b6c2917acf5d4
SSDEEP

24576:ckqW3m8d0IWpxnKrxLWg3sz88e7fh498+txBxotbD7+eoYBsQ0kaJFub7e:lvm89pHrh49ZtaJPzB29FQ7e

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1384	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
664	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c9609.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c9609.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA91E.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
952	msiexec.exe
952	msiexec.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1384	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1384	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeSecurityPrivilege	952	msiexec.exe
Token: SeCreateTokenPrivilege	1384	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1384	msiexec.exe
Token: SeLockMemoryPrivilege	1384	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1384	msiexec.exe
Token: SeMachineAccountPrivilege	1384	msiexec.exe
Token: SeTcbPrivilege	1384	msiexec.exe
Token: SeSecurityPrivilege	1384	msiexec.exe
Token: SeTakeOwnershipPrivilege	1384	msiexec.exe
Token: SeLoadDriverPrivilege	1384	msiexec.exe
Token: SeSystemProfilePrivilege	1384	msiexec.exe
Token: SeSystemtimePrivilege	1384	msiexec.exe
Token: SeProfSingleProcessPrivilege	1384	msiexec.exe
Token: SeIncBasePriorityPrivilege	1384	msiexec.exe
Token: SeCreatePagefilePrivilege	1384	msiexec.exe
Token: SeCreatePermanentPrivilege	1384	msiexec.exe
Token: SeBackupPrivilege	1384	msiexec.exe
Token: SeRestorePrivilege	1384	msiexec.exe
Token: SeShutdownPrivilege	1384	msiexec.exe
Token: SeDebugPrivilege	1384	msiexec.exe
Token: SeAuditPrivilege	1384	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1384	msiexec.exe
Token: SeChangeNotifyPrivilege	1384	msiexec.exe
Token: SeRemoteShutdownPrivilege	1384	msiexec.exe
Token: SeUndockPrivilege	1384	msiexec.exe
Token: SeSyncAgentPrivilege	1384	msiexec.exe
Token: SeEnableDelegationPrivilege	1384	msiexec.exe
Token: SeManageVolumePrivilege	1384	msiexec.exe
Token: SeImpersonatePrivilege	1384	msiexec.exe
Token: SeCreateGlobalPrivilege	1384	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1384	msiexec.exe
1384	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 664	952	msiexec.exe	28
PID 952 wrote to memory of 664	952	msiexec.exe	28
PID 952 wrote to memory of 664	952	msiexec.exe	28
PID 952 wrote to memory of 664	952	msiexec.exe	28
PID 952 wrote to memory of 664	952	msiexec.exe	28
PID 952 wrote to memory of 664	952	msiexec.exe	28
PID 952 wrote to memory of 664	952	msiexec.exe	28

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\first_penetration_hymen_after_school_torn_vagina_photo.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1384

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FC5E3338CE63B2F5D0DCB6EFE82E8AA0
  2⤵
  - Loads dropped DLL
  PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
c7c4a68a3def2eda1ee9aa48befeb70a

SHA1
36cb1c17307a605aabb2888bfb55f79c4347b465

SHA256
d7e1102849309b7d9c1a0ea0166d4a1dc7c1b89c35552c029cae3ad30b586c7b

SHA512
79195177250c27980e4b0e46306d23db4e57fb5ef70330b0c39a1bd31aeb0a88d900a3bd22b1522f926609c3fad1c60750a99e127eead1ea355f97f5dcad3447

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937

Filesize
471B

MD5
7698d17f076d12b2708d519093eb4022

SHA1
59d7998e4ee036ce314f4025c7cabeee3dbe61b3

SHA256
029c6431c993f07f0183ea5b0acef6c5f6e0fc0eaa8ba913d1e30b762e80ad71

SHA512
4ab92144d75870d4cd1f2442999d3dd7e7b31a1ce0159c10de92d994e0f1d6a0c4119034c79076ba3b8740d3e4735a3b25ad5f5ee7ab8e4b47d64b046284e83e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
434B

MD5
936bc9105fc684c673d64e821c22e99b

SHA1
b65f7ba299e8e6972d104a6bbcdbbce79d145895

SHA256
b961441be256533eebc024291ed70ad7249c6e9e464e86229b39fb9e58f92c81

SHA512
a9e022c9030b8fde72df14b4d8f2e2d5a4426388d8184c358ae75d8daa3eb3266ea8f564859a8523dac09a9047e89cf05b60b331e504d57323dac7515775cebf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937

Filesize
434B

MD5
5f496d969dc5db7092abd5ca0cbc8368

SHA1
8fd34e1f4ceb19c972057ddc95a0f4ff67be1969

SHA256
365e8c8fd0e6ab90d7152cb8dbf910b85894109aa1ce132cfdd223e15303fcf8

SHA512
8f943673c9e9f2226c4a05f7d79c332a38cd546af9aab3d007f0e2c1b56b79fd68a2f3d5980cb35476f82d5491d91c767b8c74a54babc93705ffbd9e32bcd19c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
06629519b56c114d30950ab818f71f91

SHA1
73f0f22b97d783984ad9d7212829b076d327739f

SHA256
110cad2e494593d6f2940dd3490e7e63b85412c5eaeb8282620f247beac65f13

SHA512
8b4edd59c08689d0e51f64dd44504652e4befa6e0bd44f489241852da406f8fad655ec3e3ae02dbc7b524133f8116dc4542a73a68ad9b58e87c4cf5e1ed3bf55

Download Submit
C:\Windows\Installer\MSIA91E.tmp

Filesize
493.2MB

MD5
1d10eb16b41654fe606528cd6e6f9c39

SHA1
80ac2eb7c27b8517f71b6843e51574aaa6e04ad9

SHA256
310384a81efdf5b7a3267caa6c20ec1e473a24eab85ff541c1574c10ce11fd0c

SHA512
fa7470fb364096217372059c75df5308a96381d6aa5ec71f96e7b2effc9b55d2f42e13514db17eed1577da5bcb09cb3c3d4c0f4368760ebd21a06a92ed159423

Download Submit
\Windows\Installer\MSIA91E.tmp

Filesize
493.2MB

MD5
1d10eb16b41654fe606528cd6e6f9c39

SHA1
80ac2eb7c27b8517f71b6843e51574aaa6e04ad9

SHA256
310384a81efdf5b7a3267caa6c20ec1e473a24eab85ff541c1574c10ce11fd0c

SHA512
fa7470fb364096217372059c75df5308a96381d6aa5ec71f96e7b2effc9b55d2f42e13514db17eed1577da5bcb09cb3c3d4c0f4368760ebd21a06a92ed159423

Download Submit
memory/664-62-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/664-65-0x00000000211E0000-0x00000000212E2000-memory.dmp

Filesize
1.0MB

Download
memory/664-66-0x00000000024B0000-0x00000000034B0000-memory.dmp

Filesize
16.0MB

Download
memory/664-68-0x0000000000C10000-0x0000000000CC6000-memory.dmp

Filesize
728KB

Download
memory/664-71-0x00000000211E0000-0x00000000212E2000-memory.dmp

Filesize
1.0MB

Download
memory/664-72-0x00000000024B0000-0x00000000034B0000-memory.dmp

Filesize
16.0MB

Download
memory/664-73-0x00000000024B0000-0x000000000259D000-memory.dmp

Filesize
948KB

Download
memory/1384-54-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download