Analysis
- max time kernel: 47s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 15:31
Static task: static1
Behavioral task: behavioral1
- Sample: 3c2a5970a483c50e58bf5fb669c6415a48d3782a5b2b996982ed9a823672ccec.msi
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 3c2a5970a483c50e58bf5fb669c6415a48d3782a5b2b996982ed9a823672ccec.msi
- Resource: win10v2004-20221111-en
General
- Target: 3c2a5970a483c50e58bf5fb669c6415a48d3782a5b2b996982ed9a823672ccec.msi
- Size: 2.4MB
- MD5: 31c4df7e1828b1ddd9e4844974932c50
- SHA1: a853817ebd51d9a6a7ac6550c7ce4ef6dffa60cd
- SHA256: 3c2a5970a483c50e58bf5fb669c6415a48d3782a5b2b996982ed9a823672ccec
- SHA512: 8d38fb73d65b706a8503722332f7ec414e326bd64faadcef0005d2683f7f182f2c355087871ca1b92dd97f0602f029dd20e1fa059690fff068134fa42941a724
- SSDEEP: 49152:2eAJFzCDuiCIVUH+N6hfyRjXSkUwF3PswkemIC638eDGlS6DtQ:mpCDu/nHBhxwF5keJJcS0Q
Malware Config
Signatures
Loads dropped DLL (2 IoCs)
Processes: MsiExec.exe
- pid 1072 MsiExec.exe (listed twice)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
- File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:; each of the 24 letters appears twice across the two msiexec.exe processes, giving 48 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe
- Token (pid 1768 msiexec.exe): SeShutdownPrivilege, SeIncreaseQuotaPrivilege
- Token (pid 2032 msiexec.exe): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
- Token (pid 1768 msiexec.exe), the following 29-privilege sequence listed twice in succession: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Token (pid 1768 msiexec.exe): SeCreateTokenPrivilege
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: msiexec.exe
- pid 1768 msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: msiexec.exe
- PID 2032 (msiexec.exe) wrote to memory of PID 1072 (MsiExec.exe); this identical entry is recorded 7 times
Processes
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3c2a5970a483c50e58bf5fb669c6415a48d3782a5b2b996982ed9a823672ccec.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DC8EC2A5CF541580ADBEDCDF007D49D9 C
  - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSIF48D.tmp
  Filesize: 231KB
  MD5: def1669123bc5bd8e9a3a93e7f68b58c
  SHA1: 101e1f6e9795672319543b9e69f9cb62a3d55055
  SHA256: 82bba027d920fac29385c1a6752f2337a3ae4b1944a29a72d2864017abeaa8d9
  SHA512: b4ff0e4dc094575ceb1be891a767ab5e5dc0a3f137f9e6863324942277ff35acc75f92f7105779f33f3e68d3e56a1bb5d82f2f87a03c0aaae600478602f15d8c
- C:\Users\Admin\AppData\Local\Temp\MSIF6B0.tmp
  Filesize: 231KB
  MD5: def1669123bc5bd8e9a3a93e7f68b58c
  SHA1: 101e1f6e9795672319543b9e69f9cb62a3d55055
  SHA256: 82bba027d920fac29385c1a6752f2337a3ae4b1944a29a72d2864017abeaa8d9
  SHA512: b4ff0e4dc094575ceb1be891a767ab5e5dc0a3f137f9e6863324942277ff35acc75f92f7105779f33f3e68d3e56a1bb5d82f2f87a03c0aaae600478602f15d8c
- memory/1072-56-0x0000000000000000-mapping.dmp
- memory/1072-57-0x0000000076961000-0x0000000076963000-memory.dmp
  Filesize: 8KB
- memory/1768-54-0x000007FEFC591000-0x000007FEFC593000-memory.dmp
  Filesize: 8KB