Analysis
max time kernel
209s
max time network
319s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
16-01-2023 07:06
Static task
static1
Behavioral task
behavioral1
Sample
Setup/Installer.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Setup/Installer.msi
Resource
win10v2004-20221111-en
General
Target
Setup/Installer.msi
Size
495.2MB
MD5
f74a9c8f571b6d32a6cb781135fbc796
SHA1
7f3abd0ed7ca0c34beeaf6b96e6619e5725d9284
SHA256
285303f92c7d61cbabafcd9c39bbfd1ca38521f4f9accb141c7025f59c21e069
SHA512
fcf05863dbc3960e57998d83ed63b1b39fd003be8f0dc8f49f6613b7dba2478a4c6edecea93f2e79b9f1e79e73cd90a20016c447b85246531337c3abb3ec6f87
SSDEEP
49152:Bttql9KqPxDGSkYTikwpNLH3dPzB29FQR:uNZD91MpNjd7BaFQR
Malware Config
Signatures
Blocklisted process makes network request 6 IoCs
flow  pid   Process
3     1380  msiexec.exe
5     1380  msiexec.exe
7     1380  msiexec.exe
9     1380  msiexec.exe
10    1380  msiexec.exe
11    1380  msiexec.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)   Process: msiexec.exe
ioc: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
(24 drive letters, each listed twice; both msiexec.exe processes carry this signature; 48 IoCs in total)
Drops file in Windows directory 3 IoCs
description                   ioc                                   Process
File created                  C:\Windows\Installer\6ff577.msi       msiexec.exe
File opened for modification  C:\Windows\Installer\6ff577.msi       msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4D4.tmp       msiexec.exe
Suspicious use of AdjustPrivilegeToken 38 IoCs
description: Token:   Process: msiexec.exe
pid 1380 (31 entries, in the order recorded): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
pid 1576 (7 entries, in the order recorded): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
Suspicious use of FindShellTrayWindow 1 IoCs
pid 1380   Process msiexec.exe
Processes
C:\Windows\system32\msiexec.exe
command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup\Installer.msi
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1380
C:\Windows\system32\msiexec.exe
command line: C:\Windows\system32\msiexec.exe /V
(msiexec.exe /V is the Windows Installer service instance, msiserver, which carries out the install handed off by the client process PID 1380; the C:\Windows\Installer writes below are attributed to it)
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1576
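The process tree and signatures above are the raw material for a triage rule. The script below is an added example (not sandbox code) that reconstructs the report's events as constructed Sysmon-style records and separates expected Windows Installer behaviour (drive-letter enumeration by both msiexec processes, writes to the C:\Windows\Installer cache by the service instance) from the one thing worth an analyst's attention here: an MSI launched from a user-writable temp path whose client process also opens network flows. The record shape, the list of "user-writable" directories and the verdict labels are assumptions of the example.

```python
"""Triage msiexec.exe activity of the kind a sandbox report attributes to an MSI sample.

Added example, not sandbox output. EVENTS is constructed to mirror the report:
PIDs 1380 (client, /I) and 1576 (msiserver, /V), six network flows on 1380,
two C:\\Windows\\Installer drops, and 24 drive letters opened by each process.
"""
import re

# --- constructed events (mirrors the report; not real telemetry) -------------
EVENTS = [
    {"type": "process", "pid": 1380, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup\Installer.msi"},
    {"type": "process", "pid": 1576, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"type": "file", "pid": 1576, "op": "created",
     "path": r"C:\Windows\Installer\6ff577.msi"},
    {"type": "file", "pid": 1576, "op": "modified",
     "path": r"C:\Windows\Installer\MSI4D4.tmp"},
]
EVENTS += [{"type": "network", "pid": 1380, "flow": f} for f in (3, 5, 7, 9, 10, 11)]
# 24 drive letters (A, B, E..Z) opened read-only by each msiexec process: 48 IoCs
EVENTS += [{"type": "file", "pid": pid, "op": "read", "path": "\\??\\" + letter + ":"}
           for pid in (1380, 1576) for letter in "ABEFGHIJKLMNOPQRSTUVWXYZ"]

# msiexec install switch (/i or /package), optionally quoted package path
INSTALL_SWITCH = re.compile(r'(?i)(?:^|\s)[/-](?:i|package)\s+"?([^"]+?)"?\s*$')
# directories a standard user can write to (assumed list for this example)
USER_WRITABLE = re.compile(
    r"(?i)^[a-z]:\\(?:users\\[^\\]+\\(?:appdata\\local\\temp|downloads)"
    r"|programdata|windows\\temp)\\")
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")          # \??\X:  (NT object path)
INSTALLER_CACHE = re.compile(r"(?i)^c:\\windows\\installer\\")


def install_package(cmdline):
    """Return the package path from an msiexec /i or /package command line, else None."""
    m = INSTALL_SWITCH.search(cmdline)
    return m.group(1).strip() if m else None


def triage(events):
    """Summarise msiexec activity: flag installs from user-writable paths with network use."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    flows = {}
    for e in events:
        if e["type"] == "network":
            flows.setdefault(e["pid"], set()).add(e["flow"])

    drive_letters, cache_writes = set(), []
    for e in events:
        if e["type"] != "file":
            continue
        m = DRIVE_ROOT.match(e["path"])
        if m:
            drive_letters.add(m.group(1))            # baseline: installer costing
        elif INSTALLER_CACHE.match(e["path"]):
            cache_writes.append((e["pid"], e["op"], e["path"]))  # baseline: MSI cache

    findings = []
    for pid, p in procs.items():
        if not p["image"].lower().endswith("\\msiexec.exe"):
            continue
        pkg = install_package(p["cmdline"])
        if pkg is None:
            continue        # '/V' is the msiserver service instance; no package to judge
        user_path = bool(USER_WRITABLE.match(pkg))
        nflows = len(flows.get(pid, ()))
        verdict = "review" if user_path and nflows else "baseline"
        findings.append({"pid": pid, "package": pkg, "user_writable": user_path,
                         "network_flows": nflows, "verdict": verdict})

    return {"installs": findings,
            "drive_letters_enumerated": "".join(sorted(drive_letters)),
            "installer_cache_writes": cache_writes}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

Drive enumeration and the C:\Windows\Installer writes are reported as context rather than flagged, because every Windows Installer run produces them; the sandbox's "Blocklisted process makes network request" signature fires on msiexec.exe by name, so the rule instead keys on the combination of package origin and network activity in the same PID. On a real host the same logic applies over Sysmon event IDs 1, 3 and 11 with the field names mapped accordingly.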
Network
MITRE ATT&CK Enterprise v6
Downloads
(The CryptnetUrlCache\MetaData entries below are written by CryptoAPI when it retrieves objects over the network while building certificate chains, e.g. CRL, AIA or OCSP fetches; they are consistent with the network flows attributed to msiexec.exe above.)
Filesize 1KB
MD5 8182a24a266ee3e38f49954e41b2db68
SHA1 18970207a76ba462143f73e013522a92acafb35a
SHA256 5f7562edcc7eb869ed22d8dc1faa90b9e3d5a1e87dd6094e3815683491ecb522
SHA512 4ff3a1554f08e388108c9af6f058f2c9e67d3e5bea63b46640a42f3ca64c7d0549f8579adadedbd856b4e16aecb4a334d6c5ce5fcbf2d17342d5e4a04eb34199

Filesize 282B
MD5 ef9b47aa5b3849e83b623bbd350cc9ac
SHA1 886852eeedff78032df962075e6622691e2c05bf
SHA256 9a2e4b3874bb7eb58aaf3c245fe6ecf5dd1d74d236956ddfcd95d543c1969aeb
SHA512 991d8cb5ac42bdc4e1837b44f69d271a53830dd3b771364946e69383ee171822ff1a79583822da6729fe36544385439c2c867b194c31aff3d12880ecb816f954

Filesize 482B
MD5 067d9ae74c3e214083b8afc57d8ca7ed
SHA1 f154bbfef88eff1ffa02d6e522579106060b3f2f
SHA256 07b8b28de0b49de27dab44f3055b9009671f9fbc1b64151a243c537c8704d3e9
SHA512 21fc3d208a9aa57535ee271ba8b7186b2f1da3d6c9e075dfd3d623432e28468747bce0746012d2e0ed8f69130832e52fdfc3603c0879b9f978b41eaa141255b7

Filesize 61KB
MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\17B8570797F8F0965A8D2F21BCB58771
Filesize 362B
MD5 6ec84b29db4f2837a226ef41396be690
SHA1 7e436f5116ee86e1a549c78adc8bb056d0f48c3e
SHA256 1c39f39f2fca52c7dbe2fafa94db915ae41b563856a201df77e335d0342cef26
SHA512 d52f9451a0bff7faa82e34a925bb63a1b22fdf6644556c7e8f88e4194b78664c8721a6a1d32de93a178916a190719ea4e0ef43e4bd906464b7167340d7c97920

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D
Filesize 200B
MD5 df8907aaf8821ba559573ec2c9635b66
SHA1 ee631fc99d591ea99553c42d46e332df51c076f2
SHA256 31c254c79c90e9ad46a6707df9b84d6891a0cdd58b21d327e8aac2afa73fad70
SHA512 626a2bdf45ddefa2608fbb1e0456754364948fbbfc398af5a838ca32a9eeb64562a4c345ce139e9ed0875b9823d2b67993d7f9dd7edac3db7ead93d84dd98f48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B7AED56F69397028F35E77E6DD681FC
Filesize 344B
MD5 fea8ae94b2ec1c0f13af3f47b34adbab
SHA1 808be2b207abe7a63adc27475ae2caf55ca5c2e0
SHA256 a8107eb1fe3c20e3e750dcdea111b2394db74f07280e0b6320ae23fd4045b267
SHA512 86ab47019c69db255d98356bc3377bc0ca8413d0940404d68e0ddf6e9edf8e59db22dd217aa5ebefdcd16741a3e2c554c4130fce631744f6999c328c864b67aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 26fc202cd370b2545e5650addb5ed3d5
SHA1 b248f6e650f44f6e2771c9e0fbc1e89ecd6a9b93
SHA256 6e120b241270d8a47ba72988d710f0a325d6c70925ff3e04f7063b54fc4cf19b
SHA512 e97f5e64803365c304ff1e5a83e8444715bb3128da96de7b921c69ef6fccb95db1bcc96a9a0a3f9efe25902ecd729e073c833e5bb50bbc5bff0a772d7fcf9e11