ed43b673c00debf663f71272e10611254f99043bd3be0ce4f7448f312d4eb6b0

Analysis

max time kernel
143s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2022, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

first_penetration_hymen_after_school_torn_vagina_photo.msi
Size

493.7MB
MD5

f30e0a07ab31aa82a9014d8626aa69a4
SHA1

01da449c5ad5ff2ee9809a6ca45ef768805df7c0
SHA256

72b098b0759c48d9a26366813435366cc4cb1d3017fe5952c3c5443d7372ec00
SHA512

bc8d013135d65a79160a99c28fadce46279f216520ec2662afafd3d686d50e99d6e4ac5d95cbd33e438e11cb18116379dc8c2931f08abae67b7b6c2917acf5d4
SSDEEP

24576:ckqW3m8d0IWpxnKrxLWg3sz88e7fh498+txBxotbD7+eoYBsQ0kaJFub7e:lvm89pHrh49ZtaJPzB29FQ7e

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
43	1084	msiexec.exe

Loads dropped DLL 2 IoCs

pid	Process
4536	MsiExec.exe
4536	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57058e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57058e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C8A.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2088	msiexec.exe
2088	msiexec.exe
2088	msiexec.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1084	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1084	msiexec.exe
Token: SeSecurityPrivilege	2088	msiexec.exe
Token: SeCreateTokenPrivilege	1084	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1084	msiexec.exe
Token: SeLockMemoryPrivilege	1084	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1084	msiexec.exe
Token: SeMachineAccountPrivilege	1084	msiexec.exe
Token: SeTcbPrivilege	1084	msiexec.exe
Token: SeSecurityPrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeLoadDriverPrivilege	1084	msiexec.exe
Token: SeSystemProfilePrivilege	1084	msiexec.exe
Token: SeSystemtimePrivilege	1084	msiexec.exe
Token: SeProfSingleProcessPrivilege	1084	msiexec.exe
Token: SeIncBasePriorityPrivilege	1084	msiexec.exe
Token: SeCreatePagefilePrivilege	1084	msiexec.exe
Token: SeCreatePermanentPrivilege	1084	msiexec.exe
Token: SeBackupPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeShutdownPrivilege	1084	msiexec.exe
Token: SeDebugPrivilege	1084	msiexec.exe
Token: SeAuditPrivilege	1084	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1084	msiexec.exe
Token: SeChangeNotifyPrivilege	1084	msiexec.exe
Token: SeRemoteShutdownPrivilege	1084	msiexec.exe
Token: SeUndockPrivilege	1084	msiexec.exe
Token: SeSyncAgentPrivilege	1084	msiexec.exe
Token: SeEnableDelegationPrivilege	1084	msiexec.exe
Token: SeManageVolumePrivilege	1084	msiexec.exe
Token: SeImpersonatePrivilege	1084	msiexec.exe
Token: SeCreateGlobalPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1084	msiexec.exe
1084	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 4536	2088	msiexec.exe	87
PID 2088 wrote to memory of 4536	2088	msiexec.exe	87
PID 2088 wrote to memory of 4536	2088	msiexec.exe	87

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\first_penetration_hymen_after_school_torn_vagina_photo.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 99349762F7E9FACAF5F105430BE05411
  2⤵
  - Loads dropped DLL
  PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
c7c4a68a3def2eda1ee9aa48befeb70a

SHA1
36cb1c17307a605aabb2888bfb55f79c4347b465

SHA256
d7e1102849309b7d9c1a0ea0166d4a1dc7c1b89c35552c029cae3ad30b586c7b

SHA512
79195177250c27980e4b0e46306d23db4e57fb5ef70330b0c39a1bd31aeb0a88d900a3bd22b1522f926609c3fad1c60750a99e127eead1ea355f97f5dcad3447

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937

Filesize
471B

MD5
7698d17f076d12b2708d519093eb4022

SHA1
59d7998e4ee036ce314f4025c7cabeee3dbe61b3

SHA256
029c6431c993f07f0183ea5b0acef6c5f6e0fc0eaa8ba913d1e30b762e80ad71

SHA512
4ab92144d75870d4cd1f2442999d3dd7e7b31a1ce0159c10de92d994e0f1d6a0c4119034c79076ba3b8740d3e4735a3b25ad5f5ee7ab8e4b47d64b046284e83e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
434B

MD5
397ef3ae54d87f69028ebbc23be9ad53

SHA1
cfd28dbdd7adf6c4398e2698f19c1051c2750cda

SHA256
630df38cba944e798af7bb3e6c91bc812b71a5d0466287812661927fa98a27da

SHA512
20ebf978e716b6b44eb5dc9b1c5ecc62e1ef230064e3a26b647424e3ab9d88bf6ccb87df30f471466fe6dd4dc473fcc38e1eb4d8920c7898e324d09a9cf5d680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_2A1F4CCD74E7AC1EAF9433BC50ADF937

Filesize
434B

MD5
2ddd1520210152cb7002ea5720bbc61e

SHA1
5a3d1671e2f4cf60008eb4fccd8549db4e944cc8

SHA256
f06bca35375abf10669ea3213b0f5272d9b6c4eac5f34e70e10d17de471d074c

SHA512
6a9fea8a7317d8e2f40db3bc956ff90d060d1459f51408f4842d05b94db04995fba1520c164c3d7b2fcc4077fbfe37992d6f66d3c1b4c3007cd7d3222856bac8

Download Submit
C:\Windows\Installer\MSI4C8A.tmp

Filesize
464.8MB

MD5
72d04ad0ed94e0fb383b9e624c0a56f7

SHA1
1d5ec32e37da628a994698df147ce91b574cd21e

SHA256
e73d4e3381875518faf237528e5ee17aede897959e6f083b115c8ae810d23277

SHA512
29ecfcd1bb165b8acb66efd80ca35b6d96d944c21e9c9dc359d51526342b479ec6c48db692167e807ef1f56c16beab97a0e982d88b68fc7f7bdda52b82a911ff

Download Submit
C:\Windows\Installer\MSI4C8A.tmp

Filesize
469.1MB

MD5
60184db98c6b0d281b9893f04fa9759c

SHA1
203ffb671a11585a89e37cde82a20fb0b52a6bad

SHA256
3c6466d591375796ba88f762c73b455dad99fdb7a319f61ccb95209ba2f40723

SHA512
25e8e4a2f0ff2f32b6a6479ba48b1fc57f070608b0fd2031b6e264da63c3d4934e930fefff37345f6c4d47266e5446826d2ba14516e824f2296eaf7f0237681d

Download Submit
C:\Windows\Installer\MSI4C8A.tmp

Filesize
493.2MB

MD5
1d10eb16b41654fe606528cd6e6f9c39

SHA1
80ac2eb7c27b8517f71b6843e51574aaa6e04ad9

SHA256
310384a81efdf5b7a3267caa6c20ec1e473a24eab85ff541c1574c10ce11fd0c

SHA512
fa7470fb364096217372059c75df5308a96381d6aa5ec71f96e7b2effc9b55d2f42e13514db17eed1577da5bcb09cb3c3d4c0f4368760ebd21a06a92ed159423

Download Submit
memory/4536-140-0x00000000215A0000-0x00000000216A2000-memory.dmp

Filesize
1.0MB

Download
memory/4536-141-0x0000000002870000-0x0000000003870000-memory.dmp

Filesize
16.0MB

Download
memory/4536-142-0x00000000215A0000-0x00000000216A2000-memory.dmp

Filesize
1.0MB

Download
memory/4536-143-0x0000000002870000-0x0000000003870000-memory.dmp

Filesize
16.0MB

Download
memory/4536-145-0x0000000002A30000-0x0000000002AE6000-memory.dmp

Filesize
728KB

Download
memory/4536-148-0x0000000002870000-0x000000000295D000-memory.dmp

Filesize
948KB

Download