Analysis
-
max time kernel
225s -
max time network
400s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
16/01/2023, 07:05
Static task
static1
Behavioral task
behavioral1
Sample
Setup/Installer.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Setup/Installer.msi
Resource
win10v2004-20220901-en
General
-
Target
Setup/Installer.msi
-
Size
495.2MB
-
MD5
f74a9c8f571b6d32a6cb781135fbc796
-
SHA1
7f3abd0ed7ca0c34beeaf6b96e6619e5725d9284
-
SHA256
285303f92c7d61cbabafcd9c39bbfd1ca38521f4f9accb141c7025f59c21e069
-
SHA512
fcf05863dbc3960e57998d83ed63b1b39fd003be8f0dc8f49f6613b7dba2478a4c6edecea93f2e79b9f1e79e73cd90a20016c447b85246531337c3abb3ec6f87
-
SSDEEP
49152:Bttql9KqPxDGSkYTikwpNLH3dPzB29FQR:uNZD91MpNjd7BaFQR
Malware Config
Signatures
-
Blocklisted process makes network request 7 IoCs
flow  pid   Process
3     1304  msiexec.exe
5     1304  msiexec.exe
7     1304  msiexec.exe
9     1304  msiexec.exe
10    1304  msiexec.exe
11    1256  msiexec.exe
12    1304  msiexec.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive. Windows Installer probes every volume while costing an install, so this signature fires for most MSI packages and is not on its own an indicator of malicious intent.
description              ioc                                                        Process
File opened (read-only)  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J:   msiexec.exe
                         \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R:
                         \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
(24 drive letters, each recorded twice, 48 IoCs in total; C: and D: do not appear in the list)
-
Drops file in Windows directory 3 IoCs
description                   ioc                               Process
File created                  C:\Windows\Installer\707fea.msi   msiexec.exe
File opened for modification  C:\Windows\Installer\707fea.msi   msiexec.exe
File opened for modification  C:\Windows\Installer\MSI9244.tmp  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
description                           pid   Process
Token: SeShutdownPrivilege            1304  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1304  msiexec.exe
Token: SeRestorePrivilege             1256  msiexec.exe
Token: SeTakeOwnershipPrivilege       1256  msiexec.exe
Token: SeSecurityPrivilege            1256  msiexec.exe
Token: SeCreateTokenPrivilege         1304  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  1304  msiexec.exe
Token: SeLockMemoryPrivilege          1304  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1304  msiexec.exe
Token: SeMachineAccountPrivilege      1304  msiexec.exe
Token: SeTcbPrivilege                 1304  msiexec.exe
Token: SeSecurityPrivilege            1304  msiexec.exe
Token: SeTakeOwnershipPrivilege       1304  msiexec.exe
Token: SeLoadDriverPrivilege          1304  msiexec.exe
Token: SeSystemProfilePrivilege       1304  msiexec.exe
Token: SeSystemtimePrivilege          1304  msiexec.exe
Token: SeProfSingleProcessPrivilege   1304  msiexec.exe
Token: SeIncBasePriorityPrivilege     1304  msiexec.exe
Token: SeCreatePagefilePrivilege      1304  msiexec.exe
Token: SeCreatePermanentPrivilege     1304  msiexec.exe
Token: SeBackupPrivilege              1304  msiexec.exe
Token: SeRestorePrivilege             1304  msiexec.exe
Token: SeShutdownPrivilege            1304  msiexec.exe
Token: SeDebugPrivilege               1304  msiexec.exe
Token: SeAuditPrivilege               1304  msiexec.exe
Token: SeSystemEnvironmentPrivilege   1304  msiexec.exe
Token: SeChangeNotifyPrivilege        1304  msiexec.exe
Token: SeRemoteShutdownPrivilege      1304  msiexec.exe
Token: SeUndockPrivilege              1304  msiexec.exe
Token: SeSyncAgentPrivilege           1304  msiexec.exe
Token: SeEnableDelegationPrivilege    1304  msiexec.exe
Token: SeManageVolumePrivilege        1304  msiexec.exe
Token: SeImpersonatePrivilege         1304  msiexec.exe
Token: SeCreateGlobalPrivilege        1304  msiexec.exe
Token: SeRestorePrivilege             1256  msiexec.exe
Token: SeTakeOwnershipPrivilege       1256  msiexec.exe
Token: SeRestorePrivilege             1256  msiexec.exe
Token: SeTakeOwnershipPrivilege       1256  msiexec.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
1304  msiexec.exe
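The signature tables above are rendered as flattened text, which makes per-process reasoning tedious: the same msiexec.exe image name appears in every row and only the PID separates the user-facing client from the service instance. The following added example (not part of the sandbox report or of the Windows Installer) parses the three flattened IoC lists into structured records so an analyst can see which PID enabled which privileges and how often, how many distinct drive letters were probed, and which network flows belong to which PID. The sample strings are copied from this report's Signatures section (the drive list is cut to its first twelve entries; the flow and token lists are complete); the regular expressions and the watch list of privileges are the example's own choices, not anything the report defines.

```python
import re
from collections import defaultdict
from pprint import pprint

# Sample inputs copied from the Signatures section of this report, flattened
# exactly as the page renders them. FLOWS and TOKENS are complete; DRIVES is
# truncated to the first twelve of the report's 48 entries to keep it short.
FLOWS = ("flow pid Process 3 1304 msiexec.exe 5 1304 msiexec.exe 7 1304 msiexec.exe "
         "9 1304 msiexec.exe 10 1304 msiexec.exe 11 1256 msiexec.exe 12 1304 msiexec.exe")

DRIVES = (r"description ioc Process File opened (read-only) \??\P: msiexec.exe "
          r"File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\F: msiexec.exe "
          r"File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe "
          r"File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\H: msiexec.exe "
          r"File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe "
          r"File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe "
          r"File opened (read-only) \??\M: msiexec.exe")

TOKENS = """description pid Process
Token: SeShutdownPrivilege 1304 msiexec.exe Token: SeIncreaseQuotaPrivilege 1304 msiexec.exe
Token: SeRestorePrivilege 1256 msiexec.exe Token: SeTakeOwnershipPrivilege 1256 msiexec.exe
Token: SeSecurityPrivilege 1256 msiexec.exe Token: SeCreateTokenPrivilege 1304 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1304 msiexec.exe Token: SeLockMemoryPrivilege 1304 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1304 msiexec.exe Token: SeMachineAccountPrivilege 1304 msiexec.exe
Token: SeTcbPrivilege 1304 msiexec.exe Token: SeSecurityPrivilege 1304 msiexec.exe
Token: SeTakeOwnershipPrivilege 1304 msiexec.exe Token: SeLoadDriverPrivilege 1304 msiexec.exe
Token: SeSystemProfilePrivilege 1304 msiexec.exe Token: SeSystemtimePrivilege 1304 msiexec.exe
Token: SeProfSingleProcessPrivilege 1304 msiexec.exe Token: SeIncBasePriorityPrivilege 1304 msiexec.exe
Token: SeCreatePagefilePrivilege 1304 msiexec.exe Token: SeCreatePermanentPrivilege 1304 msiexec.exe
Token: SeBackupPrivilege 1304 msiexec.exe Token: SeRestorePrivilege 1304 msiexec.exe
Token: SeShutdownPrivilege 1304 msiexec.exe Token: SeDebugPrivilege 1304 msiexec.exe
Token: SeAuditPrivilege 1304 msiexec.exe Token: SeSystemEnvironmentPrivilege 1304 msiexec.exe
Token: SeChangeNotifyPrivilege 1304 msiexec.exe Token: SeRemoteShutdownPrivilege 1304 msiexec.exe
Token: SeUndockPrivilege 1304 msiexec.exe Token: SeSyncAgentPrivilege 1304 msiexec.exe
Token: SeEnableDelegationPrivilege 1304 msiexec.exe Token: SeManageVolumePrivilege 1304 msiexec.exe
Token: SeImpersonatePrivilege 1304 msiexec.exe Token: SeCreateGlobalPrivilege 1304 msiexec.exe
Token: SeRestorePrivilege 1256 msiexec.exe Token: SeTakeOwnershipPrivilege 1256 msiexec.exe
Token: SeRestorePrivilege 1256 msiexec.exe Token: SeTakeOwnershipPrivilege 1256 msiexec.exe"""

# One regex per flattened table; each yields the row's fields as a tuple.
FLOW_RE = re.compile(r"(\d+)\s+(\d+)\s+(\S+\.exe)")
DRIVE_RE = re.compile(r"File opened \(read-only\)\s+\\\?\?\\([A-Z]):\s+(\S+\.exe)")
TOKEN_RE = re.compile(r"Token:\s+(Se\w+)\s+(\d+)\s+(\S+\.exe)")


def parse_flows(text):
    """Map pid -> list of network flow ids from a 'makes network request' table."""
    by_pid = defaultdict(list)
    for flow, pid, _proc in FLOW_RE.findall(text):
        by_pid[int(pid)].append(int(flow))
    return dict(by_pid)


def parse_drives(text):
    """Return (sorted distinct drive letters, raw entry count) from the drive table."""
    letters = [m.group(1) for m in DRIVE_RE.finditer(text)]
    return sorted(set(letters)), len(letters)


def parse_privileges(text):
    """Map pid -> privileges in report order. Duplicates are kept so that a
    privilege requested more than once by the same pid stays visible."""
    by_pid = defaultdict(list)
    for priv, pid, _proc in TOKEN_RE.findall(text):
        by_pid[int(pid)].append(priv)
    return dict(by_pid)


# Privileges worth a second look when an installer asks for them. This is the
# example's own watch list, not something the report defines.
WATCH = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
         "SeImpersonatePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
         "SeTakeOwnershipPrivilege"}


def watched_privileges(by_pid, watch=WATCH):
    """pid -> sorted list of watched privileges that pid requested."""
    return {pid: sorted(set(privs) & watch) for pid, privs in by_pid.items()}


def summarize(flows=FLOWS, drives=DRIVES, tokens=TOKENS):
    """Pull the three tables together into one per-pid view."""
    letters, n_entries = parse_drives(drives)
    privs = parse_privileges(tokens)
    return {
        "flows": parse_flows(flows),
        "drive_letters": letters,
        "drive_entries": n_entries,
        "privilege_counts": {pid: len(p) for pid, p in privs.items()},
        "watched": watched_privileges(privs),
    }


if __name__ == "__main__":
    pprint(summarize())
```

Run against the full report text, the same three regexes give 48 drive entries over 24 letters and 38 token entries (31 for PID 1304, 7 for PID 1256); the per-pid split is what lets you see that the /I client instance, not the service, is the one that enabled SeDebugPrivilege and SeTcbPrivilege.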
Processes
-
C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup\Installer.msi
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 1304
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
(/V is the switch the Windows Installer service starts msiexec.exe with; this is the service-side instance that carries out the install for the client process above, which is why the file drops under C:\Windows\Installer are attributed to it.)
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1256
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
482B
MD5
067d9ae74c3e214083b8afc57d8ca7ed
SHA1
f154bbfef88eff1ffa02d6e522579106060b3f2f
SHA256
07b8b28de0b49de27dab44f3055b9009671f9fbc1b64151a243c537c8704d3e9
SHA512
21fc3d208a9aa57535ee271ba8b7186b2f1da3d6c9e075dfd3d623432e28468747bce0746012d2e0ed8f69130832e52fdfc3603c0879b9f978b41eaa141255b7
-
Filesize
1KB
MD5
8182a24a266ee3e38f49954e41b2db68
SHA1
18970207a76ba462143f73e013522a92acafb35a
SHA256
5f7562edcc7eb869ed22d8dc1faa90b9e3d5a1e87dd6094e3815683491ecb522
SHA512
4ff3a1554f08e388108c9af6f058f2c9e67d3e5bea63b46640a42f3ca64c7d0549f8579adadedbd856b4e16aecb4a334d6c5ce5fcbf2d17342d5e4a04eb34199
-
Filesize
61KB
MD5
fc4666cbca561e864e7fdf883a9e6661
SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1649B3188CAFEAFDE9966FA75F1A9EAF
Filesize
362B
MD5
9b480ba9c2ac4e12e1ad2e78279bfe80
SHA1
cdf5d76c033180cd6b05bd0007a866f5be57586c
SHA256
658e152ee55c27d562ba37239f93a02cf566ef7e0b9e6f9bd1c48b0ba474ee0c
SHA512
736d0dc57657def37c9d256c62f8ee2c1c945089adf44d78943993d8d5a09cf5eceded765257ba86147c92c830aaf0cc8c052feaf416e3f05b8fae95bbbc32d7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\17B8570797F8F0965A8D2F21BCB58771
Filesize
362B
MD5
328ca4a7049563f2f2571725c4822e54
SHA1
331e7f884bb2753db8d2f5dfed3f036b6c77d1c6
SHA256
8baaaeda889d66621ec8cfcaa9b7383cbc74084f3a090d6e46662a3f7513dd38
SHA512
eb42ee1618b766b85f8c8e314634d0fcc623621dcfa885e69cfb53def2f3e30fdfff6b471ba48cbd54a5f53a1fea613e6f09ccb138eb0b8b75469631652c2431
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
f533095150c8d0d43903e3529eb90b88
SHA1
40306b394a43ea5844db9b3ccc1145de06afc67a
SHA256
9d5fb66456ac8dd6d9c167c16c81835fab7671107e1f3ea358f243222bc52ef5
SHA512
d80d10fad8a7bca2b54d70745f40dd3e73e9f6d21a0031e9ce9cae04fb2d03d699ccef1e54d084d9363b268b0a72db63596fcca3e2952acecf366cce684d4e9e