Analysis
-
max time kernel
196s -
max time network
353s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06/12/2022, 13:16
Static task
static1
Behavioral task
behavioral1
Sample
first_time_teacher_city_metro_cut_clitoris_hidden_camera.msi
Resource
win7-20221111-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
first_time_teacher_city_metro_cut_clitoris_hidden_camera.msi
Resource
win10v2004-20221111-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
first_time_teacher_city_metro_cut_clitoris_hidden_camera.msi
-
Size
490.4MB
-
MD5
17fdcaae63a66dc1a6a6371acb7c3bea
-
SHA1
bc60293770e882474ac780a0724b99b5d7681971
-
SHA256
80dfed9ad4d2b26807081fa8fc0a1260255bdb818cf03fa6144f3c3c3b2608df
-
SHA512
6a97b56ce023461781eb081a465474f85f342e9b6e95bbcc34e5fde52c9ccbfe7b7ba2b46b832ac269692f11e98083ea7f090b7093576ce9befb8004abc52514
-
SSDEEP
24576:zxgmrlIejaY+f995uHtvSOtseOaooW7TWA+7GWmzoInjcpKI7dNbD7+eoYBsQ0ks:1TrlIyksjOaotTWA+DufGTPzB29FQY
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 88 4152 msiexec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Installer\e5a4354.msi msiexec.exe File opened for modification C:\Windows\Installer\e5a4354.msi msiexec.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeShutdownPrivilege 4152 msiexec.exe Token: SeIncreaseQuotaPrivilege 4152 msiexec.exe Token: SeSecurityPrivilege 4188 msiexec.exe Token: SeCreateTokenPrivilege 4152 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4152 msiexec.exe Token: SeLockMemoryPrivilege 4152 msiexec.exe Token: SeIncreaseQuotaPrivilege 4152 msiexec.exe Token: SeMachineAccountPrivilege 4152 msiexec.exe Token: SeTcbPrivilege 4152 msiexec.exe Token: SeSecurityPrivilege 4152 msiexec.exe Token: SeTakeOwnershipPrivilege 4152 msiexec.exe Token: SeLoadDriverPrivilege 4152 msiexec.exe Token: SeSystemProfilePrivilege 4152 msiexec.exe Token: SeSystemtimePrivilege 4152 msiexec.exe Token: SeProfSingleProcessPrivilege 4152 msiexec.exe Token: SeIncBasePriorityPrivilege 4152 msiexec.exe Token: SeCreatePagefilePrivilege 4152 msiexec.exe Token: SeCreatePermanentPrivilege 4152 msiexec.exe Token: SeBackupPrivilege 4152 msiexec.exe Token: SeRestorePrivilege 4152 msiexec.exe Token: SeShutdownPrivilege 4152 msiexec.exe Token: SeDebugPrivilege 4152 msiexec.exe Token: SeAuditPrivilege 4152 msiexec.exe Token: SeSystemEnvironmentPrivilege 4152 msiexec.exe Token: SeChangeNotifyPrivilege 4152 msiexec.exe Token: SeRemoteShutdownPrivilege 4152 msiexec.exe Token: SeUndockPrivilege 4152 msiexec.exe Token: SeSyncAgentPrivilege 4152 msiexec.exe Token: SeEnableDelegationPrivilege 4152 msiexec.exe Token: SeManageVolumePrivilege 4152 msiexec.exe Token: SeImpersonatePrivilege 4152 msiexec.exe Token: SeCreateGlobalPrivilege 4152 msiexec.exe Token: SeRestorePrivilege 4188 msiexec.exe Token: SeTakeOwnershipPrivilege 4188 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4152 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\first_time_teacher_city_metro_cut_clitoris_hidden_camera.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4152
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4188