85368f6f84b60af0e7dc5182bda967e4df4fe652a66e8999db18c72f07b04485

Analysis

max time kernel
138s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ietabhelper1.msi
Size

2.7MB
MD5

b1c30d1dc217abe02766593ffce63985
SHA1

476f3cd4901df51d0aa00030647bdcf8410e81c0
SHA256

85368f6f84b60af0e7dc5182bda967e4df4fe652a66e8999db18c72f07b04485
SHA512

e7179d18076bb0896504b903f83ed08650cf2e2c0cb412005ff996f2bed1952d9b848d537954f7201b50ed437d47ff2e61323dc2476adbbde99384f3140b5a24
SSDEEP

49152:jgc5Y5AHTjZXQGdA1LqwOZR+P48IIwZza9xmqR7Or7O6j1k7kWBUYYXbiEid:RY5At7dA9Oa48AZzaPcnj1qkWBUR

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
6	4624	msiexec.exe
8	4624	msiexec.exe
16	4624	msiexec.exe
17	4624	msiexec.exe
19	4624	msiexec.exe
24	4624	msiexec.exe
27	4624	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
3124	MsiExec.exe
3124	MsiExec.exe
3124	MsiExec.exe
3124	MsiExec.exe
3124	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4624	msiexec.exe
Token: SeSecurityPrivilege	1288	msiexec.exe
Token: SeCreateTokenPrivilege	4624	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4624	msiexec.exe
Token: SeLockMemoryPrivilege	4624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4624	msiexec.exe
Token: SeMachineAccountPrivilege	4624	msiexec.exe
Token: SeTcbPrivilege	4624	msiexec.exe
Token: SeSecurityPrivilege	4624	msiexec.exe
Token: SeTakeOwnershipPrivilege	4624	msiexec.exe
Token: SeLoadDriverPrivilege	4624	msiexec.exe
Token: SeSystemProfilePrivilege	4624	msiexec.exe
Token: SeSystemtimePrivilege	4624	msiexec.exe
Token: SeProfSingleProcessPrivilege	4624	msiexec.exe
Token: SeIncBasePriorityPrivilege	4624	msiexec.exe
Token: SeCreatePagefilePrivilege	4624	msiexec.exe
Token: SeCreatePermanentPrivilege	4624	msiexec.exe
Token: SeBackupPrivilege	4624	msiexec.exe
Token: SeRestorePrivilege	4624	msiexec.exe
Token: SeShutdownPrivilege	4624	msiexec.exe
Token: SeDebugPrivilege	4624	msiexec.exe
Token: SeAuditPrivilege	4624	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4624	msiexec.exe
Token: SeChangeNotifyPrivilege	4624	msiexec.exe
Token: SeRemoteShutdownPrivilege	4624	msiexec.exe
Token: SeUndockPrivilege	4624	msiexec.exe
Token: SeSyncAgentPrivilege	4624	msiexec.exe
Token: SeEnableDelegationPrivilege	4624	msiexec.exe
Token: SeManageVolumePrivilege	4624	msiexec.exe
Token: SeImpersonatePrivilege	4624	msiexec.exe
Token: SeCreateGlobalPrivilege	4624	msiexec.exe
Token: SeCreateTokenPrivilege	4624	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4624	msiexec.exe
Token: SeLockMemoryPrivilege	4624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4624	msiexec.exe
Token: SeMachineAccountPrivilege	4624	msiexec.exe
Token: SeTcbPrivilege	4624	msiexec.exe
Token: SeSecurityPrivilege	4624	msiexec.exe
Token: SeTakeOwnershipPrivilege	4624	msiexec.exe
Token: SeLoadDriverPrivilege	4624	msiexec.exe
Token: SeSystemProfilePrivilege	4624	msiexec.exe
Token: SeSystemtimePrivilege	4624	msiexec.exe
Token: SeProfSingleProcessPrivilege	4624	msiexec.exe
Token: SeIncBasePriorityPrivilege	4624	msiexec.exe
Token: SeCreatePagefilePrivilege	4624	msiexec.exe
Token: SeCreatePermanentPrivilege	4624	msiexec.exe
Token: SeBackupPrivilege	4624	msiexec.exe
Token: SeRestorePrivilege	4624	msiexec.exe
Token: SeShutdownPrivilege	4624	msiexec.exe
Token: SeDebugPrivilege	4624	msiexec.exe
Token: SeAuditPrivilege	4624	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4624	msiexec.exe
Token: SeChangeNotifyPrivilege	4624	msiexec.exe
Token: SeRemoteShutdownPrivilege	4624	msiexec.exe
Token: SeUndockPrivilege	4624	msiexec.exe
Token: SeSyncAgentPrivilege	4624	msiexec.exe
Token: SeEnableDelegationPrivilege	4624	msiexec.exe
Token: SeManageVolumePrivilege	4624	msiexec.exe
Token: SeImpersonatePrivilege	4624	msiexec.exe
Token: SeCreateGlobalPrivilege	4624	msiexec.exe
Token: SeCreateTokenPrivilege	4624	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4624	msiexec.exe
Token: SeLockMemoryPrivilege	4624	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4624	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 3124	1288	msiexec.exe	85
PID 1288 wrote to memory of 3124	1288	msiexec.exe	85
PID 1288 wrote to memory of 3124	1288	msiexec.exe	85

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ietabhelper1.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4624

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8425F71D3525AFA4CE71E59CD1197825 C
  2⤵
  - Loads dropped DLL
  PID:3124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI275F.tmp

Filesize
90KB

MD5
61e0d69413e1d3f975d6910fe04cadd8

SHA1
382dc5ab38f75c40430c28affe9146dc583a5909

SHA256
a4d9154276def89a52cfba94aa872c0284a01780d5728a4f57b8b562eaa4a5e0

SHA512
518d04c87818a66825f25d0fd9d79aaf1a6c030b917fb59caed5f7341cfc912b1f635d2544a92dffef04054ef98eba65031978804458ca777d6cc8a6df62e930

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI275F.tmp

Filesize
90KB

MD5
61e0d69413e1d3f975d6910fe04cadd8

SHA1
382dc5ab38f75c40430c28affe9146dc583a5909

SHA256
a4d9154276def89a52cfba94aa872c0284a01780d5728a4f57b8b562eaa4a5e0

SHA512
518d04c87818a66825f25d0fd9d79aaf1a6c030b917fb59caed5f7341cfc912b1f635d2544a92dffef04054ef98eba65031978804458ca777d6cc8a6df62e930

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2954.tmp

Filesize
294KB

MD5
36885842c1e86ac026470d3931c1fb16

SHA1
c9264ee7d297d8873651d1b780f2ee40430539c7

SHA256
e760209574843bd3879ff1f631c377df8f4be0a5e2c6c09ffe60c9e52c9a4308

SHA512
c5b831bb08dc9e70e462e6b747fd7be6200a55e51ff4060bc9c4e8f9c0544206194466f9c1e0c3b5a6963b6aee5c9e27f4b968a804fae7339a8334b6f62839c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2954.tmp

Filesize
294KB

MD5
36885842c1e86ac026470d3931c1fb16

SHA1
c9264ee7d297d8873651d1b780f2ee40430539c7

SHA256
e760209574843bd3879ff1f631c377df8f4be0a5e2c6c09ffe60c9e52c9a4308

SHA512
c5b831bb08dc9e70e462e6b747fd7be6200a55e51ff4060bc9c4e8f9c0544206194466f9c1e0c3b5a6963b6aee5c9e27f4b968a804fae7339a8334b6f62839c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2A30.tmp

Filesize
90KB

MD5
61e0d69413e1d3f975d6910fe04cadd8

SHA1
382dc5ab38f75c40430c28affe9146dc583a5909

SHA256
a4d9154276def89a52cfba94aa872c0284a01780d5728a4f57b8b562eaa4a5e0

SHA512
518d04c87818a66825f25d0fd9d79aaf1a6c030b917fb59caed5f7341cfc912b1f635d2544a92dffef04054ef98eba65031978804458ca777d6cc8a6df62e930

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2A30.tmp

Filesize
90KB

MD5
61e0d69413e1d3f975d6910fe04cadd8

SHA1
382dc5ab38f75c40430c28affe9146dc583a5909

SHA256
a4d9154276def89a52cfba94aa872c0284a01780d5728a4f57b8b562eaa4a5e0

SHA512
518d04c87818a66825f25d0fd9d79aaf1a6c030b917fb59caed5f7341cfc912b1f635d2544a92dffef04054ef98eba65031978804458ca777d6cc8a6df62e930

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2A30.tmp

Filesize
90KB

MD5
61e0d69413e1d3f975d6910fe04cadd8

SHA1
382dc5ab38f75c40430c28affe9146dc583a5909

SHA256
a4d9154276def89a52cfba94aa872c0284a01780d5728a4f57b8b562eaa4a5e0

SHA512
518d04c87818a66825f25d0fd9d79aaf1a6c030b917fb59caed5f7341cfc912b1f635d2544a92dffef04054ef98eba65031978804458ca777d6cc8a6df62e930

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2A8E.tmp

Filesize
101KB

MD5
de63b5e2df7820d48045359040bba887

SHA1
90543f1bb16a154c7a286eeb0dfc02476b5109b8

SHA256
c8cadbcb77695f042e939fb45b40be36cb9d6a074106d35d922b6a71c0e4be47

SHA512
ac29c22d7a4d12fbf0c7f39a43a1027a2b6c513c318cf6b506b7f9d4640bc01942bcb241a4dfd79f5b02c7ebbe2f68b516e53a5a7fe20267a9a46009e46d782b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2A8E.tmp

Filesize
101KB

MD5
de63b5e2df7820d48045359040bba887

SHA1
90543f1bb16a154c7a286eeb0dfc02476b5109b8

SHA256
c8cadbcb77695f042e939fb45b40be36cb9d6a074106d35d922b6a71c0e4be47

SHA512
ac29c22d7a4d12fbf0c7f39a43a1027a2b6c513c318cf6b506b7f9d4640bc01942bcb241a4dfd79f5b02c7ebbe2f68b516e53a5a7fe20267a9a46009e46d782b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE65D.tmp

Filesize
90KB

MD5
61e0d69413e1d3f975d6910fe04cadd8

SHA1
382dc5ab38f75c40430c28affe9146dc583a5909

SHA256
a4d9154276def89a52cfba94aa872c0284a01780d5728a4f57b8b562eaa4a5e0

SHA512
518d04c87818a66825f25d0fd9d79aaf1a6c030b917fb59caed5f7341cfc912b1f635d2544a92dffef04054ef98eba65031978804458ca777d6cc8a6df62e930

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE65D.tmp

Filesize
90KB

MD5
61e0d69413e1d3f975d6910fe04cadd8

SHA1
382dc5ab38f75c40430c28affe9146dc583a5909

SHA256
a4d9154276def89a52cfba94aa872c0284a01780d5728a4f57b8b562eaa4a5e0

SHA512
518d04c87818a66825f25d0fd9d79aaf1a6c030b917fb59caed5f7341cfc912b1f635d2544a92dffef04054ef98eba65031978804458ca777d6cc8a6df62e930

Download Submit