a477fda8a78097e8546e5075a5d768f0077978d3410f6fb03fb93c33e1748c7a

Analysis

max time kernel
33s
max time network
99s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-05-2023 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a95de370372249406f5fa4c9f23d9acb7cadb2690e265965586f335350b3fecc.msi
Size

596KB
MD5

8403ebe786ee689c4c39d12bc5648a51
SHA1

8ae6b2938ff6b225b7634b793c47faeed7e1d00f
SHA256

a95de370372249406f5fa4c9f23d9acb7cadb2690e265965586f335350b3fecc
SHA512

3ac47dec19792bf9df950a782da9e92c986db3e46d9dfb42853908ef4282d01c0b9c5611028520254475e9498f6fc42ca98f30dbab0b4fdef972b00093746162
SSDEEP

12288:Puyi2V1O/DKoX20Wa7R/uWT8CuCvnMrC5Pw0lyWSeOWJiFQKVO8Wze5:WyDn4ma7R/aPCvMrCOwhHuHVO7ze

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	2044	msiexec.exe
4	2044	msiexec.exe
6	2044	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
1948	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c15a4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c15a4.msi	msiexec.exe
File created	C:\Windows\Installer\6c15a5.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2040.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2071.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c15a5.ipi	msiexec.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
960	sc.exe
1996	sc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
940	msiexec.exe
940	msiexec.exe
1948	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	940	msiexec.exe
Token: SeTakeOwnershipPrivilege	940	msiexec.exe
Token: SeSecurityPrivilege	940	msiexec.exe
Token: SeCreateTokenPrivilege	2044	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2044	msiexec.exe
Token: SeLockMemoryPrivilege	2044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2044	msiexec.exe
Token: SeMachineAccountPrivilege	2044	msiexec.exe
Token: SeTcbPrivilege	2044	msiexec.exe
Token: SeSecurityPrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeLoadDriverPrivilege	2044	msiexec.exe
Token: SeSystemProfilePrivilege	2044	msiexec.exe
Token: SeSystemtimePrivilege	2044	msiexec.exe
Token: SeProfSingleProcessPrivilege	2044	msiexec.exe
Token: SeIncBasePriorityPrivilege	2044	msiexec.exe
Token: SeCreatePagefilePrivilege	2044	msiexec.exe
Token: SeCreatePermanentPrivilege	2044	msiexec.exe
Token: SeBackupPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeShutdownPrivilege	2044	msiexec.exe
Token: SeDebugPrivilege	2044	msiexec.exe
Token: SeAuditPrivilege	2044	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2044	msiexec.exe
Token: SeChangeNotifyPrivilege	2044	msiexec.exe
Token: SeRemoteShutdownPrivilege	2044	msiexec.exe
Token: SeUndockPrivilege	2044	msiexec.exe
Token: SeSyncAgentPrivilege	2044	msiexec.exe
Token: SeEnableDelegationPrivilege	2044	msiexec.exe
Token: SeManageVolumePrivilege	2044	msiexec.exe
Token: SeImpersonatePrivilege	2044	msiexec.exe
Token: SeCreateGlobalPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	940	msiexec.exe
Token: SeTakeOwnershipPrivilege	940	msiexec.exe
Token: SeRestorePrivilege	940	msiexec.exe
Token: SeTakeOwnershipPrivilege	940	msiexec.exe
Token: SeRestorePrivilege	940	msiexec.exe
Token: SeTakeOwnershipPrivilege	940	msiexec.exe
Token: SeRestorePrivilege	940	msiexec.exe
Token: SeTakeOwnershipPrivilege	940	msiexec.exe
Token: SeDebugPrivilege	1948	MsiExec.exe
Token: SeRestorePrivilege	940	msiexec.exe
Token: SeTakeOwnershipPrivilege	940	msiexec.exe
Token: SeRestorePrivilege	940	msiexec.exe
Token: SeTakeOwnershipPrivilege	940	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2044	msiexec.exe
2044	msiexec.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 1948	940	msiexec.exe	28
PID 940 wrote to memory of 1948	940	msiexec.exe	28
PID 940 wrote to memory of 1948	940	msiexec.exe	28
PID 940 wrote to memory of 1948	940	msiexec.exe	28
PID 940 wrote to memory of 1948	940	msiexec.exe	28
PID 940 wrote to memory of 1948	940	msiexec.exe	28
PID 940 wrote to memory of 1948	940	msiexec.exe	28
PID 1948 wrote to memory of 1720	1948	MsiExec.exe	29
PID 1948 wrote to memory of 1720	1948	MsiExec.exe	29
PID 1948 wrote to memory of 1720	1948	MsiExec.exe	29
PID 1948 wrote to memory of 1720	1948	MsiExec.exe	29
PID 1720 wrote to memory of 960	1720	cmd.exe	31
PID 1720 wrote to memory of 960	1720	cmd.exe	31
PID 1720 wrote to memory of 960	1720	cmd.exe	31
PID 1720 wrote to memory of 960	1720	cmd.exe	31
PID 1720 wrote to memory of 1504	1720	cmd.exe	32
PID 1720 wrote to memory of 1504	1720	cmd.exe	32
PID 1720 wrote to memory of 1504	1720	cmd.exe	32
PID 1720 wrote to memory of 1504	1720	cmd.exe	32
PID 1948 wrote to memory of 1008	1948	MsiExec.exe	33
PID 1948 wrote to memory of 1008	1948	MsiExec.exe	33
PID 1948 wrote to memory of 1008	1948	MsiExec.exe	33
PID 1948 wrote to memory of 1008	1948	MsiExec.exe	33
PID 1008 wrote to memory of 1996	1008	cmd.exe	35
PID 1008 wrote to memory of 1996	1008	cmd.exe	35
PID 1008 wrote to memory of 1996	1008	cmd.exe	35
PID 1008 wrote to memory of 1996	1008	cmd.exe	35
PID 1008 wrote to memory of 1828	1008	cmd.exe	36
PID 1008 wrote to memory of 1828	1008	cmd.exe	36
PID 1008 wrote to memory of 1828	1008	cmd.exe	36
PID 1008 wrote to memory of 1828	1008	cmd.exe	36

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a95de370372249406f5fa4c9f23d9acb7cadb2690e265965586f335350b3fecc.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FC29A08186428E498505DBDC853296C2 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query NPF | FIND /C "RUNNING"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\sc.exe
      sc query NPF
      4⤵
      Launches sc.exe
      PID:960
  - - C:\Windows\SysWOW64\find.exe
      FIND /C "RUNNING"
      4⤵
      PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc query npcap | FIND /C "RUNNING"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\SysWOW64\sc.exe
      sc query npcap
      4⤵
      Launches sc.exe
      PID:1996
  - - C:\Windows\SysWOW64\find.exe
      FIND /C "RUNNING"
      4⤵
      PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6c15a6.rbs

Filesize
1KB

MD5
a980e58730f7681818be0e99f88381ae

SHA1
4873f99e877dfd10fd869c83905dbe596c4255c8

SHA256
a5619cd6d7ae205c6f4428fbb4f67e1bb2c90c0c8dd2cbeeb5c6b18c3ee822db

SHA512
ffcde23b4ff7920bf07b9c6ab024e0b053f7197dab13d57ce1c5cd1686ac32038a281ebe4f1bb88eedd3b09e61ec25c687d8fb2bad3b0c5fb3fe16312eb85ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
471B

MD5
958811d68d39a22f170e785c8d2fdbcf

SHA1
58124d43176cf9803b5a9c15f35e3c899f0edcec

SHA256
8ca645a1c6b0d0773ca4e294b13b375ba09a12e1e3812ae9b0cc60be26c18b1e

SHA512
066f5a1469d43735829f46e8a0e95271ac01feb9515e3c482c829eea7822280e7a2052f69ce9c69d1c75461dae61ef4bf60f47e1ecf804ea48402ddc19d0f836

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_16710757B462C0433C09A9344AF8D42D

Filesize
490B

MD5
2693e78d5a975ad7cae80f292accdece

SHA1
d2c27bc35a1fe26b9fa5171972bd530c44854458

SHA256
05e509a5c2b336c9254f9b76750093dde03d341ccd703c97165692bb6927f730

SHA512
e185a4e6debad434eb198713c41c0531ba462a1d84f9f9127896dcad775ddbde4b4b435530d199adbf75ebd3c3f1e88d1e2cd90ea07191c30015b9a8abc2fe3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
396B

MD5
7181197e4ddb4b640a7ee096aed8d263

SHA1
8cd80eeb339cf055862d6ac14e57e259a44fabd6

SHA256
55c074847553a87d08f9678f9b9f4a01211f7f4df515b1049d0e0d57c0974026

SHA512
aa744801543ee89cfca3d740b903b492cee178fd72bb3ae7cdf715c50f320dd790e23faa80a4c4c934fead51050162ffd52a42f5fd39b879d1d9922f3b8f4087

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
22cf6f82b52193113c9f35172a9be15a

SHA1
56da84136707b223a5d71a1b7f4bbe8fb3d00755

SHA256
8a925c80bd69e04808a020521ef3f4292e3d0dfa4340f5ebb297d274b7707d8b

SHA512
68153daa25316c766a9efe22872767680c6dab2dba0ee21569cce02e1348f5632209072f1bd8e3700f66aa11c906be64e6c4c9bf5653475a4bb75e9641d3ba5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_16710757B462C0433C09A9344AF8D42D

Filesize
442B

MD5
4bf24075d0dec862b2d4f1fcb6dc6e76

SHA1
e619a3681d7e974dc5b6bf5ddfa6c444ebd68e8f

SHA256
fb0899a87a1d0467df9646da3dfe790c1eccd372b2884605abe82959a4ee0aa9

SHA512
c29c8d82aafc9f855dec71f64e32b78591482cb4c4fec3fbf519eb215f5e2da0b5090431b3dff1006165dd691040358ab4953165a5bdf73064752ee42039d443

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE36.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1815.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE5.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Windows\Installer\MSI2071.tmp

Filesize
554KB

MD5
2c33eef3186ab404c5a0cda2a60683e2

SHA1
20f82e3e40dc0cd8e3b256ab8dc0e90ee4a0a585

SHA256
d8e1669e02a51a6830521539862c8c1fbef4215321f988a6edcc61253b787a7f

SHA512
69371bea4335692a51bf828685b55ad044f34709f95937620c4ca834a4aea4ebae0ee76b86b6c03323fe071c981ecfefd3e19448f312a72ed804b5e43505b679

Download Submit
\Windows\Installer\MSI2071.tmp

Filesize
554KB

MD5
2c33eef3186ab404c5a0cda2a60683e2

SHA1
20f82e3e40dc0cd8e3b256ab8dc0e90ee4a0a585

SHA256
d8e1669e02a51a6830521539862c8c1fbef4215321f988a6edcc61253b787a7f

SHA512
69371bea4335692a51bf828685b55ad044f34709f95937620c4ca834a4aea4ebae0ee76b86b6c03323fe071c981ecfefd3e19448f312a72ed804b5e43505b679

Download Submit
memory/1948-132-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download