Analysis
max time kernel: 262s
max time network: 242s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 15:31
Static task: static1
Behavioral task: behavioral1
  Sample: 3c2a5970a483c50e58bf5fb669c6415a48d3782a5b2b996982ed9a823672ccec.msi
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 3c2a5970a483c50e58bf5fb669c6415a48d3782a5b2b996982ed9a823672ccec.msi
  Resource: win10v2004-20221111-en
General
Target: 3c2a5970a483c50e58bf5fb669c6415a48d3782a5b2b996982ed9a823672ccec.msi
Size: 2.4MB
MD5: 31c4df7e1828b1ddd9e4844974932c50
SHA1: a853817ebd51d9a6a7ac6550c7ce4ef6dffa60cd
SHA256: 3c2a5970a483c50e58bf5fb669c6415a48d3782a5b2b996982ed9a823672ccec
SHA512: 8d38fb73d65b706a8503722332f7ec414e326bd64faadcef0005d2683f7f182f2c355087871ca1b92dd97f0602f029dd20e1fa059690fff068134fa42941a724
SSDEEP: 49152:2eAJFzCDuiCIVUH+N6hfyRjXSkUwF3PswkemIC638eDGlS6DtQ:mpCDu/nHBhxwF5keJJcS0Q
Malware Config
Signatures
-
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  908   MsiExec.exe
  908   MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc      process
  File opened (read-only)  \??\X:   msiexec.exe
  File opened (read-only)  \??\F:   msiexec.exe
  File opened (read-only)  \??\H:   msiexec.exe
  File opened (read-only)  \??\J:   msiexec.exe
  File opened (read-only)  \??\U:   msiexec.exe
  File opened (read-only)  \??\H:   msiexec.exe
  File opened (read-only)  \??\U:   msiexec.exe
  File opened (read-only)  \??\W:   msiexec.exe
  File opened (read-only)  \??\Y:   msiexec.exe
  File opened (read-only)  \??\Q:   msiexec.exe
  File opened (read-only)  \??\R:   msiexec.exe
  File opened (read-only)  \??\P:   msiexec.exe
  File opened (read-only)  \??\A:   msiexec.exe
  File opened (read-only)  \??\K:   msiexec.exe
  File opened (read-only)  \??\T:   msiexec.exe
  File opened (read-only)  \??\A:   msiexec.exe
  File opened (read-only)  \??\E:   msiexec.exe
  File opened (read-only)  \??\K:   msiexec.exe
  File opened (read-only)  \??\B:   msiexec.exe
  File opened (read-only)  \??\L:   msiexec.exe
  File opened (read-only)  \??\O:   msiexec.exe
  File opened (read-only)  \??\P:   msiexec.exe
  File opened (read-only)  \??\W:   msiexec.exe
  File opened (read-only)  \??\B:   msiexec.exe
  File opened (read-only)  \??\G:   msiexec.exe
  File opened (read-only)  \??\M:   msiexec.exe
  File opened (read-only)  \??\S:   msiexec.exe
  File opened (read-only)  \??\V:   msiexec.exe
  File opened (read-only)  \??\Z:   msiexec.exe
  File opened (read-only)  \??\N:   msiexec.exe
  File opened (read-only)  \??\V:   msiexec.exe
  File opened (read-only)  \??\L:   msiexec.exe
  File opened (read-only)  \??\N:   msiexec.exe
  File opened (read-only)  \??\G:   msiexec.exe
  File opened (read-only)  \??\S:   msiexec.exe
  File opened (read-only)  \??\F:   msiexec.exe
  File opened (read-only)  \??\J:   msiexec.exe
  File opened (read-only)  \??\O:   msiexec.exe
  File opened (read-only)  \??\Q:   msiexec.exe
  File opened (read-only)  \??\I:   msiexec.exe
  File opened (read-only)  \??\M:   msiexec.exe
  File opened (read-only)  \??\X:   msiexec.exe
  File opened (read-only)  \??\Z:   msiexec.exe
  File opened (read-only)  \??\R:   msiexec.exe
  File opened (read-only)  \??\E:   msiexec.exe
  File opened (read-only)  \??\Y:   msiexec.exe
  File opened (read-only)  \??\I:   msiexec.exe
  File opened (read-only)  \??\T:   msiexec.exe
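The 48 drive IoCs above are hard to read as a flat list. Parsed and deduplicated they turn out to be every drive letter except C: and D:, each opened exactly twice, which lines up with the two msiexec.exe instances in the process tree (PID 3168 and PID 4652) each touching all 24 letters once. The Installer engine enumerates volumes as part of normal operation, so this signature also fires on benign MSI packages; treat it as a low-fidelity indicator rather than evidence on its own. The parser below is an added example and not part of the report or of any sandbox's tooling; the IoC text is transcribed from the list above as constructed input, and the function names are this example's own:

```python
import re
from collections import Counter
from string import ascii_uppercase

# The "Enumerates connected drives" IoC text, transcribed from the report above
# exactly as extraction flattened it (constructed input for this example).
DRIVE_IOCS = (
    "File opened (read-only) \\??\\X: msiexec.exe File opened (read-only) \\??\\F: msiexec.exe "
    "File opened (read-only) \\??\\H: msiexec.exe File opened (read-only) \\??\\J: msiexec.exe "
    "File opened (read-only) \\??\\U: msiexec.exe File opened (read-only) \\??\\H: msiexec.exe "
    "File opened (read-only) \\??\\U: msiexec.exe File opened (read-only) \\??\\W: msiexec.exe "
    "File opened (read-only) \\??\\Y: msiexec.exe File opened (read-only) \\??\\Q: msiexec.exe "
    "File opened (read-only) \\??\\R: msiexec.exe File opened (read-only) \\??\\P: msiexec.exe "
    "File opened (read-only) \\??\\A: msiexec.exe File opened (read-only) \\??\\K: msiexec.exe "
    "File opened (read-only) \\??\\T: msiexec.exe File opened (read-only) \\??\\A: msiexec.exe "
    "File opened (read-only) \\??\\E: msiexec.exe File opened (read-only) \\??\\K: msiexec.exe "
    "File opened (read-only) \\??\\B: msiexec.exe File opened (read-only) \\??\\L: msiexec.exe "
    "File opened (read-only) \\??\\O: msiexec.exe File opened (read-only) \\??\\P: msiexec.exe "
    "File opened (read-only) \\??\\W: msiexec.exe File opened (read-only) \\??\\B: msiexec.exe "
    "File opened (read-only) \\??\\G: msiexec.exe File opened (read-only) \\??\\M: msiexec.exe "
    "File opened (read-only) \\??\\S: msiexec.exe File opened (read-only) \\??\\V: msiexec.exe "
    "File opened (read-only) \\??\\Z: msiexec.exe File opened (read-only) \\??\\N: msiexec.exe "
    "File opened (read-only) \\??\\V: msiexec.exe File opened (read-only) \\??\\L: msiexec.exe "
    "File opened (read-only) \\??\\N: msiexec.exe File opened (read-only) \\??\\G: msiexec.exe "
    "File opened (read-only) \\??\\S: msiexec.exe File opened (read-only) \\??\\F: msiexec.exe "
    "File opened (read-only) \\??\\J: msiexec.exe File opened (read-only) \\??\\O: msiexec.exe "
    "File opened (read-only) \\??\\Q: msiexec.exe File opened (read-only) \\??\\I: msiexec.exe "
    "File opened (read-only) \\??\\M: msiexec.exe File opened (read-only) \\??\\X: msiexec.exe "
    "File opened (read-only) \\??\\Z: msiexec.exe File opened (read-only) \\??\\R: msiexec.exe "
    "File opened (read-only) \\??\\E: msiexec.exe File opened (read-only) \\??\\Y: msiexec.exe "
    "File opened (read-only) \\??\\I: msiexec.exe File opened (read-only) \\??\\T: msiexec.exe "
)

# One IoC: the literal text, the NT-style drive path \??\<letter>:, then the process name.
IOC_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")


def parse_drive_iocs(text):
    """Return (drive_letter, process_name) pairs in the order the report lists them."""
    return IOC_RE.findall(text)


def summarize_drive_iocs(entries):
    """Collapse the flat IoC list into what an analyst actually wants to know."""
    hits = Counter(letter for letter, _ in entries)
    return {
        "total": len(entries),                                    # raw IoC count
        "distinct": sorted(hits),                                 # letters touched at all
        "hits_per_letter": dict(hits),                            # how many times each
        "not_touched": sorted(set(ascii_uppercase) - set(hits)),  # letters never opened
        "processes": sorted({proc for _, proc in entries}),       # process names seen
    }


if __name__ == "__main__":
    summary = summarize_drive_iocs(parse_drive_iocs(DRIVE_IOCS))
    print(f"{summary['total']} IoCs over {len(summary['distinct'])} drive letters")
    print("never opened:", ", ".join(summary["not_touched"]))
    print("opens per letter:", sorted(set(summary["hits_per_letter"].values())))
```

The report's IoC rows carry only the process name, not a PID, so the per-process split (24 letters each for 3168 and 4652) comes from the process tree, which attributes this signature to both msiexec.exe instances.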
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description                            pid   process
  Token: SeShutdownPrivilege             3168  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        3168  msiexec.exe
  Token: SeSecurityPrivilege             4652  msiexec.exe
  Token: SeCreateTokenPrivilege          3168  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   3168  msiexec.exe
  Token: SeLockMemoryPrivilege           3168  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        3168  msiexec.exe
  Token: SeMachineAccountPrivilege       3168  msiexec.exe
  Token: SeTcbPrivilege                  3168  msiexec.exe
  Token: SeSecurityPrivilege             3168  msiexec.exe
  Token: SeTakeOwnershipPrivilege        3168  msiexec.exe
  Token: SeLoadDriverPrivilege           3168  msiexec.exe
  Token: SeSystemProfilePrivilege        3168  msiexec.exe
  Token: SeSystemtimePrivilege           3168  msiexec.exe
  Token: SeProfSingleProcessPrivilege    3168  msiexec.exe
  Token: SeIncBasePriorityPrivilege      3168  msiexec.exe
  Token: SeCreatePagefilePrivilege       3168  msiexec.exe
  Token: SeCreatePermanentPrivilege      3168  msiexec.exe
  Token: SeBackupPrivilege               3168  msiexec.exe
  Token: SeRestorePrivilege              3168  msiexec.exe
  Token: SeShutdownPrivilege             3168  msiexec.exe
  Token: SeDebugPrivilege                3168  msiexec.exe
  Token: SeAuditPrivilege                3168  msiexec.exe
  Token: SeSystemEnvironmentPrivilege    3168  msiexec.exe
  Token: SeChangeNotifyPrivilege         3168  msiexec.exe
  Token: SeRemoteShutdownPrivilege       3168  msiexec.exe
  Token: SeUndockPrivilege               3168  msiexec.exe
  Token: SeSyncAgentPrivilege            3168  msiexec.exe
  Token: SeEnableDelegationPrivilege     3168  msiexec.exe
  Token: SeManageVolumePrivilege         3168  msiexec.exe
  Token: SeImpersonatePrivilege          3168  msiexec.exe
  Token: SeCreateGlobalPrivilege         3168  msiexec.exe
  Token: SeCreateTokenPrivilege          3168  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   3168  msiexec.exe
  Token: SeLockMemoryPrivilege           3168  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        3168  msiexec.exe
  Token: SeMachineAccountPrivilege       3168  msiexec.exe
  Token: SeTcbPrivilege                  3168  msiexec.exe
  Token: SeSecurityPrivilege             3168  msiexec.exe
  Token: SeTakeOwnershipPrivilege        3168  msiexec.exe
  Token: SeLoadDriverPrivilege           3168  msiexec.exe
  Token: SeSystemProfilePrivilege        3168  msiexec.exe
  Token: SeSystemtimePrivilege           3168  msiexec.exe
  Token: SeProfSingleProcessPrivilege    3168  msiexec.exe
  Token: SeIncBasePriorityPrivilege      3168  msiexec.exe
  Token: SeCreatePagefilePrivilege       3168  msiexec.exe
  Token: SeCreatePermanentPrivilege      3168  msiexec.exe
  Token: SeBackupPrivilege               3168  msiexec.exe
  Token: SeRestorePrivilege              3168  msiexec.exe
  Token: SeShutdownPrivilege             3168  msiexec.exe
  Token: SeDebugPrivilege                3168  msiexec.exe
  Token: SeAuditPrivilege                3168  msiexec.exe
  Token: SeSystemEnvironmentPrivilege    3168  msiexec.exe
  Token: SeChangeNotifyPrivilege         3168  msiexec.exe
  Token: SeRemoteShutdownPrivilege       3168  msiexec.exe
  Token: SeUndockPrivilege               3168  msiexec.exe
  Token: SeSyncAgentPrivilege            3168  msiexec.exe
  Token: SeEnableDelegationPrivilege     3168  msiexec.exe
  Token: SeManageVolumePrivilege         3168  msiexec.exe
  Token: SeImpersonatePrivilege          3168  msiexec.exe
  Token: SeCreateGlobalPrivilege         3168  msiexec.exe
  Token: SeCreateTokenPrivilege          3168  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   3168  msiexec.exe
  Token: SeLockMemoryPrivilege           3168  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid    process
  3168   msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process      target process
  PID 4652 wrote to memory of 908   4652  msiexec.exe  MsiExec.exe
  PID 4652 wrote to memory of 908   4652  msiexec.exe  MsiExec.exe
  PID 4652 wrote to memory of 908   4652  msiexec.exe  MsiExec.exe
Processes
C:\Windows\system32\msiexec.exe  (depth 1)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3c2a5970a483c50e58bf5fb669c6415a48d3782a5b2b996982ed9a823672ccec.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3168

C:\Windows\system32\msiexec.exe  (depth 1)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4652

  C:\Windows\syswow64\MsiExec.exe  (depth 2, under PID 4652)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8FB3217211C4EBA40916A71EB7355D99 C
    - Loads dropped DLL
    PID: 908
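The process tree has the standard Windows Installer shape: the user-facing client (msiexec.exe /I, PID 3168) hands the package to the Installer service (msiexec.exe /V, PID 4652), which starts a 32-bit custom action server (syswow64\MsiExec.exe -Embedding, PID 908). That server is the only process the report credits with loading a dropped DLL, and loading a DLL extracted from the package is exactly how a DLL custom action executes, so PID 908 is where the package's own code first runs and the process to pull artefacts from. The three WriteProcessMemory IoCs are all the service writing into the child it had just started, which is the ordinary process-creation pattern; a write into a process outside the parent/child relationship would be the one worth chasing. The script below is an added example, not part of the report or of any sandbox's tooling; the tree and the memory-write edges are transcribed from the report as constructed input, parent links follow the tree nesting, and the role names and the parent-to-child heuristic are this example's own:

```python
import ntpath
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    signatures: Tuple[str, ...] = ()


# Process tree transcribed from the report (constructed input for this example).
# Parent links follow the tree nesting: 3168 and 4652 are separate roots, 908 sits under 4652.
TREE = [
    Proc(3168, None, r"C:\Windows\system32\msiexec.exe",
         r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3c2a5970a483c50e58bf5fb669c6415a48d3782a5b2b996982ed9a823672ccec.msi",
         ("Enumerates connected drives", "Suspicious use of AdjustPrivilegeToken",
          "Suspicious use of FindShellTrayWindow")),
    Proc(4652, None, r"C:\Windows\system32\msiexec.exe",
         r"C:\Windows\system32\msiexec.exe /V",
         ("Enumerates connected drives", "Suspicious use of AdjustPrivilegeToken",
          "Suspicious use of WriteProcessMemory")),
    Proc(908, 4652, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding 8FB3217211C4EBA40916A71EB7355D99 C",
         ("Loads dropped DLL",)),
]

# The three WriteProcessMemory IoCs from the report, as (writer pid, target pid).
WPM_EDGES = [(4652, 908), (4652, 908), (4652, 908)]


def role(p: Proc) -> str:
    """Name the Windows Installer role of an msiexec instance from its command line."""
    if ntpath.basename(p.image).lower() != "msiexec.exe":
        return "other"
    args = [a.lower() for a in p.cmdline.split()[1:]]
    if "-embedding" in args:          # COM-launched custom action server
        return "custom-action-server"
    if "/v" in args or "-v" in args:  # the Installer service itself
        return "installer-service"
    if "/i" in args or "-i" in args:  # install client started by the user
        return "installer-client"
    return "msiexec-other"


def custom_action_dll_loads(tree):
    """Custom action servers, parented by the Installer service, that loaded a dropped DLL.

    This is the process in which a DLL custom action from the package executes,
    so it is the one to pull dropped files and memory from for triage.
    """
    by_pid = {p.pid: p for p in tree}
    hits = []
    for p in tree:
        parent = by_pid.get(p.ppid)
        if (role(p) == "custom-action-server" and parent is not None
                and role(parent) == "installer-service"
                and "Loads dropped DLL" in p.signatures):
            hits.append({"pid": p.pid, "parent": parent.pid,
                         "wow64": "syswow64" in p.image.lower()})
    return hits


def classify_writes(edges, tree):
    """Tag each WriteProcessMemory IoC.

    Heuristic: a parent writing into its own child is the ordinary process-creation
    pattern; a write into any other process is the case to investigate as injection.
    """
    by_pid = {p.pid: p for p in tree}
    out = []
    for src, dst in edges:
        target = by_pid.get(dst)
        kind = "parent-to-child" if target is not None and target.ppid == src else "cross-process"
        out.append((src, dst, kind))
    return out


if __name__ == "__main__":
    for p in TREE:
        print(f"{p.pid:>5}  {role(p):<22} {p.cmdline}")
    print("custom action DLL loads:", custom_action_dll_loads(TREE))
    print("memory writes:", classify_writes(WPM_EDGES, TREE))
```

The report does not say what the dropped DLL is or whether the 231KB file under Downloads is that DLL, so the script stops at pointing to PID 908; the next step would be pulling that process's loaded modules from the sandbox rather than guessing from hashes.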
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 231KB
MD5: def1669123bc5bd8e9a3a93e7f68b58c
SHA1: 101e1f6e9795672319543b9e69f9cb62a3d55055
SHA256: 82bba027d920fac29385c1a6752f2337a3ae4b1944a29a72d2864017abeaa8d9
SHA512: b4ff0e4dc094575ceb1be891a767ab5e5dc0a3f137f9e6863324942277ff35acc75f92f7105779f33f3e68d3e56a1bb5d82f2f87a03c0aaae600478602f15d8c