Analysis
max time kernel: 151s
max time network: 78s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 09-02-2023 17:31
Static task: static1
Behavioral task: behavioral1 (Sample: putty-64bit-0.78-installer.msi; Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: putty-64bit-0.78-installer.msi; Resource: win10v2004-20220901-en)
General
Target: putty-64bit-0.78-installer.msi
Size: 3.5MB
MD5: 108b432c4dc0a66b657d985e180bec71
SHA1: 262812d43303b7ddc7c04a1c243172ebe6579f00
SHA256: e64775374097f1b1c8fd4173f7d5be4305b88cec26a56d003113aff2837ae08e
SHA512: 5ddb97078b417f22c54dce768564dec58fd92a9c190f7a6cac9c7979a0f136dd439da1d59dd3c088e709433f5c4f79c033abd4b6ca8989d38620c20f4623386e
SSDEEP: 98304:Ujhyh9EoxGHgBRn8Tg4IDrwRW8FMDMb34+NHC6:UjhyJPR8Tg4IDrwdFMD048
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
flow  pid   Process
2     1400  msiexec.exe
4     1400  msiexec.exe
6     1400  msiexec.exe
8     1400  msiexec.exe

Loads dropped DLL (1 IoC)
pid  Process
764  MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description               ioc                                   Process
File opened (read-only)   \??\A: through \??\Z:, every drive letter except C: and D:, each letter listed twice (48 entries in total)   msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description: Token adjusted; pid / Process and privileges as listed below.
pid 1796 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
pid 1400 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following sequence of 29 privileges twice over: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege; and finally SeCreateTokenPrivilege once more.
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
1400  msiexec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                          pid   Process      procid_target
PID 1796 wrote to memory of 764      1796  msiexec.exe  28   (7 identical entries)
Processes
C:\Windows\system32\msiexec.exe (command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\putty-64bit-0.78-installer.msi), PID:1400
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (command line: C:\Windows\system32\msiexec.exe /V), PID:1796
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\syswow64\MsiExec.exe (command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8651243853BBDC5E22A4D0F836D0C010 C), PID:764
    - Loads dropped DLL
C:\Windows\system32\vssvc.exe (command line: C:\Windows\system32\vssvc.exe), PID:900
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 102KB
MD5: d9ac1b56edf330a6eb7894ab293f14f6
SHA1: 022d8944e3927fff2b330dab54716ddcbb366d16
SHA256: 097f1c3f27b18010448d77e3f70c4d9f774cb9c5ab435c62baa1c00e4cadd5ef
SHA512: e434410e2b2c2bb1fba4f3fc7c277b978c45b1df1d3c3994d6dc1530558393d7d42a713506bf95d013b2e40e9da36fd3e588fea8d8dc062a24ad931e4d76c328