c7bd7fc920e917cd89dc2b2e0cc0fd60698d98be98aca59eff88e11047a6ef66

Analysis

max time kernel
35s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
16-01-2023 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup/Installer.msi
Size

495.2MB
MD5

f74a9c8f571b6d32a6cb781135fbc796
SHA1

7f3abd0ed7ca0c34beeaf6b96e6619e5725d9284
SHA256

285303f92c7d61cbabafcd9c39bbfd1ca38521f4f9accb141c7025f59c21e069
SHA512

fcf05863dbc3960e57998d83ed63b1b39fd003be8f0dc8f49f6613b7dba2478a4c6edecea93f2e79b9f1e79e73cd90a20016c447b85246531337c3abb3ec6f87
SSDEEP

49152:Bttql9KqPxDGSkYTikwpNLH3dPzB29FQR:uNZD91MpNjd7BaFQR

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
2	912	msiexec.exe
4	912	msiexec.exe
6	912	msiexec.exe
8	912	msiexec.exe
9	912	msiexec.exe
10	912	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c86fc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c86fc.msi	msiexec.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	912	msiexec.exe
Token: SeIncreaseQuotaPrivilege	912	msiexec.exe
Token: SeRestorePrivilege	1764	msiexec.exe
Token: SeTakeOwnershipPrivilege	1764	msiexec.exe
Token: SeSecurityPrivilege	1764	msiexec.exe
Token: SeCreateTokenPrivilege	912	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	912	msiexec.exe
Token: SeLockMemoryPrivilege	912	msiexec.exe
Token: SeIncreaseQuotaPrivilege	912	msiexec.exe
Token: SeMachineAccountPrivilege	912	msiexec.exe
Token: SeTcbPrivilege	912	msiexec.exe
Token: SeSecurityPrivilege	912	msiexec.exe
Token: SeTakeOwnershipPrivilege	912	msiexec.exe
Token: SeLoadDriverPrivilege	912	msiexec.exe
Token: SeSystemProfilePrivilege	912	msiexec.exe
Token: SeSystemtimePrivilege	912	msiexec.exe
Token: SeProfSingleProcessPrivilege	912	msiexec.exe
Token: SeIncBasePriorityPrivilege	912	msiexec.exe
Token: SeCreatePagefilePrivilege	912	msiexec.exe
Token: SeCreatePermanentPrivilege	912	msiexec.exe
Token: SeBackupPrivilege	912	msiexec.exe
Token: SeRestorePrivilege	912	msiexec.exe
Token: SeShutdownPrivilege	912	msiexec.exe
Token: SeDebugPrivilege	912	msiexec.exe
Token: SeAuditPrivilege	912	msiexec.exe
Token: SeSystemEnvironmentPrivilege	912	msiexec.exe
Token: SeChangeNotifyPrivilege	912	msiexec.exe
Token: SeRemoteShutdownPrivilege	912	msiexec.exe
Token: SeUndockPrivilege	912	msiexec.exe
Token: SeSyncAgentPrivilege	912	msiexec.exe
Token: SeEnableDelegationPrivilege	912	msiexec.exe
Token: SeManageVolumePrivilege	912	msiexec.exe
Token: SeImpersonatePrivilege	912	msiexec.exe
Token: SeCreateGlobalPrivilege	912	msiexec.exe
Token: SeRestorePrivilege	1764	msiexec.exe
Token: SeTakeOwnershipPrivilege	1764	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
912	msiexec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup\Installer.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1764
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8685E9D9DCDDBB3112D0A1DF0E914942
  2⤵
  PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\17B8570797F8F0965A8D2F21BCB58771

Filesize
1KB

MD5
8182a24a266ee3e38f49954e41b2db68

SHA1
18970207a76ba462143f73e013522a92acafb35a

SHA256
5f7562edcc7eb869ed22d8dc1faa90b9e3d5a1e87dd6094e3815683491ecb522

SHA512
4ff3a1554f08e388108c9af6f058f2c9e67d3e5bea63b46640a42f3ca64c7d0549f8579adadedbd856b4e16aecb4a334d6c5ce5fcbf2d17342d5e4a04eb34199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D

Filesize
282B

MD5
ef9b47aa5b3849e83b623bbd350cc9ac

SHA1
886852eeedff78032df962075e6622691e2c05bf

SHA256
9a2e4b3874bb7eb58aaf3c245fe6ecf5dd1d74d236956ddfcd95d543c1969aeb

SHA512
991d8cb5ac42bdc4e1837b44f69d271a53830dd3b771364946e69383ee171822ff1a79583822da6729fe36544385439c2c867b194c31aff3d12880ecb816f954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\17B8570797F8F0965A8D2F21BCB58771

Filesize
362B

MD5
3790af3093a81c495dd1e1b83129a706

SHA1
f172768ba4845942be80ad8c6ab969ef48f4a589

SHA256
31c96f1856d3e16bb5b9dd645efbeb4b09bed56312020a5af5786270fb4daaf7

SHA512
f53d881d5dfd97b39b35fedf828575eaa66cc3b4939f74053cfe7d8e4f812b8f5a9be888f91ffec4193dfaa26dcfa52e6c61b481167a55bd89bb8159da259ffb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D

Filesize
200B

MD5
9443783640c1ce01b4037a7c031b1bc3

SHA1
6189e390a3a49f1a317dc55b00dbfe8a1970a41b

SHA256
49174d8ebbb4418eefe1e7fd325d6cfb6a2b2a0e2550052ab5dbe87069cb76b9

SHA512
14f315a9bfc292a8e52296d22cec649387185bc762733051e3f7e7a62792400ba31b2c2b4d5d2bff59134d1321ea6a3eacf3a91540995cccfecdaa59e888a9bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4558965d6d7e62769fc8f363fc2ddba

SHA1
9f5e488fca5f4367dc1d3e122c0c2c12e0ecc8b4

SHA256
4f22335dc9299192d58bbdb82f001e6d5d2bfd2dff3faeb3601965a93398493a

SHA512
4293bf45b096173e6c7375fb3d2a88e9799f2ae62e772dc2679994a631c6747c894cf1e8919f3dc7a387c4873f3a7ddeb2bf2ec96d766af77a5c10ac127c0f83

Download Submit
C:\Windows\Installer\MSI95EC.tmp

Filesize
7.9MB

MD5
8c3ce4c7c5df4d2268b21091c0b9df5a

SHA1
a7df6421bdcbf00146cad5ca36103fbabdc941bd

SHA256
23325081a18de61df7ddc13cc3dcbd676e982aedb8091351a094ed3e58fa8268

SHA512
85dd841c55ddd97303b60969a87c3ec7784393e119c18d8d24e69be049c8f60611e25f9e33051c64b5d7156787acb53052c3bfd19edcacc831eaaff3536afd1f

Download Submit
\Windows\Installer\MSI95EC.tmp

Filesize
4.4MB

MD5
2ebb7f4049a4cd7cffdb01d661668ec9

SHA1
ad0095c87239de85f1fe30b322ce1ae9ac63600d

SHA256
3543f2222055b0a5930ab6b707ed67e3bca0e09afd45b981cb30927f0edd28a8

SHA512
1068c4b11f63b8971e423f67092264c608cf74d265cf80dcc3d1bf621c8e3e582d2ffa85c9919133bc58f2e64927545a3c9fd06d4ef53932b0982c9f21e64f47

Download Submit
memory/912-54-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

Filesize
8KB

Download
memory/1536-62-0x0000000000000000-mapping.dmp

Download
memory/1536-63-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1536-66-0x00000000212C0000-0x00000000213D1000-memory.dmp

Filesize
1.1MB

Download
memory/1536-67-0x0000000002410000-0x0000000003410000-memory.dmp

Filesize
16.0MB

Download