8a380923e090d1186933a0c9e14f421e67fe7510605fae512aa6fd71fb87d796

Analysis

max time kernel
111s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/02/2023, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caa880e7820c1605ae509cb9f5e564037fdbda6da9b9b29f65fbc9bd8b3802d8.msi
Size

22.6MB
MD5

2fa1c3c3fbc961de2b894ae5a3f5275d
SHA1

a5859c55101782aac5fdd9433a551a1158c63e71
SHA256

caa880e7820c1605ae509cb9f5e564037fdbda6da9b9b29f65fbc9bd8b3802d8
SHA512

dc9aeff9d72f0619e2bd443ada14611a0f46af9c0e5197867a30807e5b82fd4a818feb5664e391958207dca98bf8df153751bde52c2b3d0412244d0fbf218c65
SSDEEP

393216:lFwcn04ph6pVrsGJB1Mv42sgoYlC9nclm5wX11Q6xLbDUtAcDHqCyox1+:lFwYc5sm1g4f7YlsnclVQ6xLbjayox1

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
4524	MsiExec.exe
4524	MsiExec.exe
4524	MsiExec.exe
4524	MsiExec.exe
4524	MsiExec.exe
4524	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4268	msiexec.exe
Token: SeSecurityPrivilege	3156	msiexec.exe
Token: SeCreateTokenPrivilege	4268	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4268	msiexec.exe
Token: SeLockMemoryPrivilege	4268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4268	msiexec.exe
Token: SeMachineAccountPrivilege	4268	msiexec.exe
Token: SeTcbPrivilege	4268	msiexec.exe
Token: SeSecurityPrivilege	4268	msiexec.exe
Token: SeTakeOwnershipPrivilege	4268	msiexec.exe
Token: SeLoadDriverPrivilege	4268	msiexec.exe
Token: SeSystemProfilePrivilege	4268	msiexec.exe
Token: SeSystemtimePrivilege	4268	msiexec.exe
Token: SeProfSingleProcessPrivilege	4268	msiexec.exe
Token: SeIncBasePriorityPrivilege	4268	msiexec.exe
Token: SeCreatePagefilePrivilege	4268	msiexec.exe
Token: SeCreatePermanentPrivilege	4268	msiexec.exe
Token: SeBackupPrivilege	4268	msiexec.exe
Token: SeRestorePrivilege	4268	msiexec.exe
Token: SeShutdownPrivilege	4268	msiexec.exe
Token: SeDebugPrivilege	4268	msiexec.exe
Token: SeAuditPrivilege	4268	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4268	msiexec.exe
Token: SeChangeNotifyPrivilege	4268	msiexec.exe
Token: SeRemoteShutdownPrivilege	4268	msiexec.exe
Token: SeUndockPrivilege	4268	msiexec.exe
Token: SeSyncAgentPrivilege	4268	msiexec.exe
Token: SeEnableDelegationPrivilege	4268	msiexec.exe
Token: SeManageVolumePrivilege	4268	msiexec.exe
Token: SeImpersonatePrivilege	4268	msiexec.exe
Token: SeCreateGlobalPrivilege	4268	msiexec.exe
Token: SeCreateTokenPrivilege	4268	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4268	msiexec.exe
Token: SeLockMemoryPrivilege	4268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4268	msiexec.exe
Token: SeMachineAccountPrivilege	4268	msiexec.exe
Token: SeTcbPrivilege	4268	msiexec.exe
Token: SeSecurityPrivilege	4268	msiexec.exe
Token: SeTakeOwnershipPrivilege	4268	msiexec.exe
Token: SeLoadDriverPrivilege	4268	msiexec.exe
Token: SeSystemProfilePrivilege	4268	msiexec.exe
Token: SeSystemtimePrivilege	4268	msiexec.exe
Token: SeProfSingleProcessPrivilege	4268	msiexec.exe
Token: SeIncBasePriorityPrivilege	4268	msiexec.exe
Token: SeCreatePagefilePrivilege	4268	msiexec.exe
Token: SeCreatePermanentPrivilege	4268	msiexec.exe
Token: SeBackupPrivilege	4268	msiexec.exe
Token: SeRestorePrivilege	4268	msiexec.exe
Token: SeShutdownPrivilege	4268	msiexec.exe
Token: SeDebugPrivilege	4268	msiexec.exe
Token: SeAuditPrivilege	4268	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4268	msiexec.exe
Token: SeChangeNotifyPrivilege	4268	msiexec.exe
Token: SeRemoteShutdownPrivilege	4268	msiexec.exe
Token: SeUndockPrivilege	4268	msiexec.exe
Token: SeSyncAgentPrivilege	4268	msiexec.exe
Token: SeEnableDelegationPrivilege	4268	msiexec.exe
Token: SeManageVolumePrivilege	4268	msiexec.exe
Token: SeImpersonatePrivilege	4268	msiexec.exe
Token: SeCreateGlobalPrivilege	4268	msiexec.exe
Token: SeCreateTokenPrivilege	4268	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4268	msiexec.exe
Token: SeLockMemoryPrivilege	4268	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4268	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 4524	3156	msiexec.exe	82
PID 3156 wrote to memory of 4524	3156	msiexec.exe	82
PID 3156 wrote to memory of 4524	3156	msiexec.exe	82

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\caa880e7820c1605ae509cb9f5e564037fdbda6da9b9b29f65fbc9bd8b3802d8.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4268

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C03420DBA0863687C045473F4B769598 C
  2⤵
  - Loads dropped DLL
  PID:4524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI69DA.tmp

Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI69DA.tmp

Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6D08.tmp

Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6D08.tmp

Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6EAF.tmp

Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6EAF.tmp

Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6EDF.tmp

Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6EDF.tmp

Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6F2E.tmp

Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6F2E.tmp

Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7009.tmp

Filesize
837KB

MD5
e76f80f8c9a51813813c351e35bf0755

SHA1
ec69253f3fd681d2829d60f3a14a48c779fabbb4

SHA256
87388281ef2eb907b4ad843c8bc0e3ec13dae903edfe53b29f78557588eb5161

SHA512
134a7be4012dc52763e5ac28eed7ce8e423a913f17449a672ce9f1192e69e5e00c62bce1f0374f76443832345eded1668f28fb9fbe7d287fc51dfdc199911dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7009.tmp

Filesize
837KB

MD5
e76f80f8c9a51813813c351e35bf0755

SHA1
ec69253f3fd681d2829d60f3a14a48c779fabbb4

SHA256
87388281ef2eb907b4ad843c8bc0e3ec13dae903edfe53b29f78557588eb5161

SHA512
134a7be4012dc52763e5ac28eed7ce8e423a913f17449a672ce9f1192e69e5e00c62bce1f0374f76443832345eded1668f28fb9fbe7d287fc51dfdc199911dc5

Download Submit