Analysis
max time kernel: 152s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2022 05:50
Static task: static1
Behavioral task: behavioral1
  Sample: Macrobond.x64.msi
  Resource: win7-20220812-en (windows7-x64)
  13 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: Macrobond.x64.msi
  Resource: win10v2004-20220812-en (windows10-2004-x64)
  4 signatures, 150 seconds
General
Target: Macrobond.x64.msi
Size: 17.1MB
MD5: 5fca46ed2be6a15b773727478f3dac75
SHA1: 207b1b751181a681efe8983a89113e59cfdf7ede
SHA256: bfdd77d54f9b6a3262e6de478cc836982fd4f035f3b5e78a85a72abc578eee55
SHA512: 2dfe3bafd55e3c3632fccfeed1d5406a32ef6f9650184227951221e82156906b05e9084803e5e46c08f66f5b5a5f56ce721c37cf3ec91d7521951f4d0f459532
SSDEEP: 393216:cTIomVkuMRC3scJhMbDLqZeB+UlA8lQ/mlIHY:8mfMEXU+oQUGqlI4
Score: 8/10
Malware Config
Signatures
Blocklisted process makes network request (7 IoCs)
Processes: msiexec.exe
flow  pid   process
23    2740  msiexec.exe
26    2740  msiexec.exe
33    2740  msiexec.exe
35    2740  msiexec.exe
37    2740  msiexec.exe
39    2740  msiexec.exe
40    2740  msiexec.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe
description              ioc     process
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
Suspicious use of AdjustPrivilegeToken (32 IoCs)
Processes: msiexec.exe, msiexec.exe
description                              pid   process
Token: SeShutdownPrivilege               2740  msiexec.exe
Token: SeIncreaseQuotaPrivilege          2740  msiexec.exe
Token: SeSecurityPrivilege               3256  msiexec.exe
Token: SeCreateTokenPrivilege            2740  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege     2740  msiexec.exe
Token: SeLockMemoryPrivilege             2740  msiexec.exe
Token: SeIncreaseQuotaPrivilege          2740  msiexec.exe
Token: SeMachineAccountPrivilege         2740  msiexec.exe
Token: SeTcbPrivilege                    2740  msiexec.exe
Token: SeSecurityPrivilege               2740  msiexec.exe
Token: SeTakeOwnershipPrivilege          2740  msiexec.exe
Token: SeLoadDriverPrivilege             2740  msiexec.exe
Token: SeSystemProfilePrivilege          2740  msiexec.exe
Token: SeSystemtimePrivilege             2740  msiexec.exe
Token: SeProfSingleProcessPrivilege      2740  msiexec.exe
Token: SeIncBasePriorityPrivilege        2740  msiexec.exe
Token: SeCreatePagefilePrivilege         2740  msiexec.exe
Token: SeCreatePermanentPrivilege        2740  msiexec.exe
Token: SeBackupPrivilege                 2740  msiexec.exe
Token: SeRestorePrivilege                2740  msiexec.exe
Token: SeShutdownPrivilege               2740  msiexec.exe
Token: SeDebugPrivilege                  2740  msiexec.exe
Token: SeAuditPrivilege                  2740  msiexec.exe
Token: SeSystemEnvironmentPrivilege      2740  msiexec.exe
Token: SeChangeNotifyPrivilege           2740  msiexec.exe
Token: SeRemoteShutdownPrivilege         2740  msiexec.exe
Token: SeUndockPrivilege                 2740  msiexec.exe
Token: SeSyncAgentPrivilege              2740  msiexec.exe
Token: SeEnableDelegationPrivilege       2740  msiexec.exe
Token: SeManageVolumePrivilege           2740  msiexec.exe
Token: SeImpersonatePrivilege            2740  msiexec.exe
Token: SeCreateGlobalPrivilege           2740  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: msiexec.exe
pid   process
2740  msiexec.exe
Processes
C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Macrobond.x64.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2740
C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 3256