Analysis
max time kernel: 144s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2023, 19:26
Static task: static1
Behavioral task: behavioral1
  Sample: anyconnectwin.msi
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: anyconnectwin.msi
  Resource: win10v2004-20230220-en
General
Target: anyconnectwin.msi
Size: 7.7MB
MD5: aeb125e79518d3b0e8dff6111cae8407
SHA1: 30a2f4c80dc1b57a99c30b3771c5dd3d2e23386c
SHA256: ce932f4db02219bdde5dbd9a0f1c8fe9700b8be7ee20a9bbd948ef68ee39f209
SHA512: c9405157f577ba60050cadf73a83f49fbf06f0bd62a010a3c976e882be07c3da0cb66c324d230cf81e7ca59e39e062b4085df49977cc8d9a9090775ac1fa03b9
SSDEEP: 196608:9ga91rVdQuq/fpJKTYpQhv6HIsrKBl0ifKX2cu6WzkDCZmlmEj/wK:9ga9NVdV6fpJKMpQhC72BS0KX2vnZncX
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
flow  pid   Process
4     4424  msiexec.exe
6     4424  msiexec.exe
8     4424  msiexec.exe

Loads dropped DLL (2 IoCs)
pid  Process
528  MsiExec.exe
528  MsiExec.exe

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                            pid   Process
Token: SeShutdownPrivilege             4424  msiexec.exe
Token: SeIncreaseQuotaPrivilege        4424  msiexec.exe
Token: SeSecurityPrivilege             1228  msiexec.exe
Token: SeCreateTokenPrivilege          4424  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege   4424  msiexec.exe
Token: SeLockMemoryPrivilege           4424  msiexec.exe
Token: SeIncreaseQuotaPrivilege        4424  msiexec.exe
Token: SeMachineAccountPrivilege       4424  msiexec.exe
Token: SeTcbPrivilege                  4424  msiexec.exe
Token: SeSecurityPrivilege             4424  msiexec.exe
Token: SeTakeOwnershipPrivilege        4424  msiexec.exe
Token: SeLoadDriverPrivilege           4424  msiexec.exe
Token: SeSystemProfilePrivilege        4424  msiexec.exe
Token: SeSystemtimePrivilege           4424  msiexec.exe
Token: SeProfSingleProcessPrivilege    4424  msiexec.exe
Token: SeIncBasePriorityPrivilege      4424  msiexec.exe
Token: SeCreatePagefilePrivilege       4424  msiexec.exe
Token: SeCreatePermanentPrivilege      4424  msiexec.exe
Token: SeBackupPrivilege               4424  msiexec.exe
Token: SeRestorePrivilege              4424  msiexec.exe
Token: SeShutdownPrivilege             4424  msiexec.exe
Token: SeDebugPrivilege                4424  msiexec.exe
Token: SeAuditPrivilege                4424  msiexec.exe
Token: SeSystemEnvironmentPrivilege    4424  msiexec.exe
Token: SeChangeNotifyPrivilege         4424  msiexec.exe
Token: SeRemoteShutdownPrivilege       4424  msiexec.exe
Token: SeUndockPrivilege               4424  msiexec.exe
Token: SeSyncAgentPrivilege            4424  msiexec.exe
Token: SeEnableDelegationPrivilege     4424  msiexec.exe
Token: SeManageVolumePrivilege         4424  msiexec.exe
Token: SeImpersonatePrivilege          4424  msiexec.exe
Token: SeCreateGlobalPrivilege         4424  msiexec.exe
Token: SeCreateTokenPrivilege          4424  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege   4424  msiexec.exe
Token: SeLockMemoryPrivilege           4424  msiexec.exe
Token: SeIncreaseQuotaPrivilege        4424  msiexec.exe
Token: SeMachineAccountPrivilege       4424  msiexec.exe
Token: SeTcbPrivilege                  4424  msiexec.exe
Token: SeSecurityPrivilege             4424  msiexec.exe
Token: SeTakeOwnershipPrivilege        4424  msiexec.exe
Token: SeLoadDriverPrivilege           4424  msiexec.exe
Token: SeSystemProfilePrivilege        4424  msiexec.exe
Token: SeSystemtimePrivilege           4424  msiexec.exe
Token: SeProfSingleProcessPrivilege    4424  msiexec.exe
Token: SeIncBasePriorityPrivilege      4424  msiexec.exe
Token: SeCreatePagefilePrivilege       4424  msiexec.exe
Token: SeCreatePermanentPrivilege      4424  msiexec.exe
Token: SeBackupPrivilege               4424  msiexec.exe
Token: SeRestorePrivilege              4424  msiexec.exe
Token: SeShutdownPrivilege             4424  msiexec.exe
Token: SeDebugPrivilege                4424  msiexec.exe
Token: SeAuditPrivilege                4424  msiexec.exe
Token: SeSystemEnvironmentPrivilege    4424  msiexec.exe
Token: SeChangeNotifyPrivilege         4424  msiexec.exe
Token: SeRemoteShutdownPrivilege       4424  msiexec.exe
Token: SeUndockPrivilege               4424  msiexec.exe
Token: SeSyncAgentPrivilege            4424  msiexec.exe
Token: SeEnableDelegationPrivilege     4424  msiexec.exe
Token: SeManageVolumePrivilege         4424  msiexec.exe
Token: SeImpersonatePrivilege          4424  msiexec.exe
Token: SeCreateGlobalPrivilege         4424  msiexec.exe
Token: SeCreateTokenPrivilege          4424  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege   4424  msiexec.exe
Token: SeLockMemoryPrivilege           4424  msiexec.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
4424  msiexec.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                      pid   Process      procid_target
PID 1228 wrote to memory of 528  1228  msiexec.exe  88
PID 1228 wrote to memory of 528  1228  msiexec.exe  88
PID 1228 wrote to memory of 528  1228  msiexec.exe  88
Processes
1. C:\Windows\system32\msiexec.exe
   Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\anyconnectwin.msi
   PID: 4424
   - Blocklisted process makes network request
   - Enumerates connected drives
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow

1. C:\Windows\system32\msiexec.exe
   Command line: C:\Windows\system32\msiexec.exe /V
   PID: 1228
   - Enumerates connected drives
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A254C999D4C336F26A600C7CE19D09A6 C
      PID: 528
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 43KB
MD5: b759a21d153a42060a53a89a26b9931c
SHA1: 6260cecd55db44d75121b1f88506a4a9978c1b0f
SHA256: 6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd
SHA512: 78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0