57020f3e585d0f2a7ee783054c50886db4c65af1bbbe5e12e114dbf674326184

Analysis

max time kernel
53s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AccessData_FTK_Imager_4.7.1.exe
Size

51.0MB
MD5

9b2aff0559976cf518cfc03b76498296
SHA1

8cda871aaef4af47c9045716fd777d5f7df4bfa7
SHA256

57020f3e585d0f2a7ee783054c50886db4c65af1bbbe5e12e114dbf674326184
SHA512

63721410c56608ec998c2db85772a995ae09e971aa11ff3296af5d23538d7af317674866bc2dcaebe4994daa915176d16362db378db9232c54649a67c2a2939f
SSDEEP

1572864:4qBBNBHkaP0aQs88ct1TQqqdd4O5hL8XV3e:4aUc89tWqi35h4A

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
796	AccessData_FTK_Imager_4.7.1.exe

Loads dropped DLL 2 IoCs

pid	Process
1520	AccessData_FTK_Imager_4.7.1.exe
1068	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1652	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1652	MSIEXEC.EXE
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeSecurityPrivilege	1972	msiexec.exe
Token: SeCreateTokenPrivilege	1652	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	1652	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	1652	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1652	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	1652	MSIEXEC.EXE
Token: SeTcbPrivilege	1652	MSIEXEC.EXE
Token: SeSecurityPrivilege	1652	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	1652	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	1652	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	1652	MSIEXEC.EXE
Token: SeSystemtimePrivilege	1652	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	1652	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	1652	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	1652	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	1652	MSIEXEC.EXE
Token: SeBackupPrivilege	1652	MSIEXEC.EXE
Token: SeRestorePrivilege	1652	MSIEXEC.EXE
Token: SeShutdownPrivilege	1652	MSIEXEC.EXE
Token: SeDebugPrivilege	1652	MSIEXEC.EXE
Token: SeAuditPrivilege	1652	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	1652	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	1652	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	1652	MSIEXEC.EXE
Token: SeUndockPrivilege	1652	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	1652	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	1652	MSIEXEC.EXE
Token: SeManageVolumePrivilege	1652	MSIEXEC.EXE
Token: SeImpersonatePrivilege	1652	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	1652	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	1652	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	1652	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	1652	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1652	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	1652	MSIEXEC.EXE
Token: SeTcbPrivilege	1652	MSIEXEC.EXE
Token: SeSecurityPrivilege	1652	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	1652	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	1652	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	1652	MSIEXEC.EXE
Token: SeSystemtimePrivilege	1652	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	1652	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	1652	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	1652	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	1652	MSIEXEC.EXE
Token: SeBackupPrivilege	1652	MSIEXEC.EXE
Token: SeRestorePrivilege	1652	MSIEXEC.EXE
Token: SeShutdownPrivilege	1652	MSIEXEC.EXE
Token: SeDebugPrivilege	1652	MSIEXEC.EXE
Token: SeAuditPrivilege	1652	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	1652	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	1652	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	1652	MSIEXEC.EXE
Token: SeUndockPrivilege	1652	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	1652	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	1652	MSIEXEC.EXE
Token: SeManageVolumePrivilege	1652	MSIEXEC.EXE
Token: SeImpersonatePrivilege	1652	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	1652	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	1652	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1652	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 796	1520	AccessData_FTK_Imager_4.7.1.exe	27
PID 1520 wrote to memory of 796	1520	AccessData_FTK_Imager_4.7.1.exe	27
PID 1520 wrote to memory of 796	1520	AccessData_FTK_Imager_4.7.1.exe	27
PID 1520 wrote to memory of 796	1520	AccessData_FTK_Imager_4.7.1.exe	27
PID 1520 wrote to memory of 796	1520	AccessData_FTK_Imager_4.7.1.exe	27
PID 1520 wrote to memory of 796	1520	AccessData_FTK_Imager_4.7.1.exe	27
PID 1520 wrote to memory of 796	1520	AccessData_FTK_Imager_4.7.1.exe	27
PID 796 wrote to memory of 1652	796	AccessData_FTK_Imager_4.7.1.exe	28
PID 796 wrote to memory of 1652	796	AccessData_FTK_Imager_4.7.1.exe	28
PID 796 wrote to memory of 1652	796	AccessData_FTK_Imager_4.7.1.exe	28
PID 796 wrote to memory of 1652	796	AccessData_FTK_Imager_4.7.1.exe	28
PID 796 wrote to memory of 1652	796	AccessData_FTK_Imager_4.7.1.exe	28
PID 796 wrote to memory of 1652	796	AccessData_FTK_Imager_4.7.1.exe	28
PID 796 wrote to memory of 1652	796	AccessData_FTK_Imager_4.7.1.exe	28
PID 1972 wrote to memory of 1068	1972	msiexec.exe	30
PID 1972 wrote to memory of 1068	1972	msiexec.exe	30
PID 1972 wrote to memory of 1068	1972	msiexec.exe	30
PID 1972 wrote to memory of 1068	1972	msiexec.exe	30
PID 1972 wrote to memory of 1068	1972	msiexec.exe	30
PID 1972 wrote to memory of 1068	1972	msiexec.exe	30
PID 1972 wrote to memory of 1068	1972	msiexec.exe	30

C:\Users\Admin\AppData\Local\Temp\AccessData_FTK_Imager_4.7.1.exe
"C:\Users\Admin\AppData\Local\Temp\AccessData_FTK_Imager_4.7.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\{BB0D9962-039E-411B-84C6-D1C644F4812A}\AccessData_FTK_Imager_4.7.1.exe
  C:\Users\Admin\AppData\Local\Temp\{BB0D9962-039E-411B-84C6-D1C644F4812A}\AccessData_FTK_Imager_4.7.1.exe /q"C:\Users\Admin\AppData\Local\Temp\AccessData_FTK_Imager_4.7.1.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{BB0D9962-039E-411B-84C6-D1C644F4812A}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\system32\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{BB0D9962-039E-411B-84C6-D1C644F4812A}\AccessData_FTK_Imager_(x64).msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="AccessData_FTK_Imager_4.7.1.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1652

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BAE9DCA1DC2753CF3C5FDE2EE10F38F1 C
  2⤵
  - Loads dropped DLL
  PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSICAF.tmp

Filesize
166KB

MD5
f174086a71fa34b4a612ea330f0df3db

SHA1
d317e17f3d70cbb82829bfac8b90600887433c01

SHA256
c30c8a461175ae3240c7a835c9a4946a913a54e55f4b87f42b729c685a40448a

SHA512
946c8fd10db3f87a813576af81106c40544754852fad7eaa1095cd5ed7d6b817488ca443ae83f3dbb9e512bba461661d9602da0c2470d9d79725eaecf1a9fc76

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BB0D9962-039E-411B-84C6-D1C644F4812A}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BB0D9962-039E-411B-84C6-D1C644F4812A}\AccessData_FTK_Imager_(x64).msi

Filesize
51.2MB

MD5
726a0505f04d137fd03c018584896b55

SHA1
d6cc03c0ace325d21c50bdfe80c7bf36e1810f69

SHA256
ac4420d09d3dae86f847eda655bfdc0101c4ad9f71ffa83698af702fd505f1f7

SHA512
adb1292279ddae1dbc7a24bed28c881853036b3cc1043e8be5568e3befc11fbf759fa9185dfb43f1d08a97b2f5bc65777bd313a6f8e114d72e89b5672853693c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BB0D9962-039E-411B-84C6-D1C644F4812A}\AccessData_FTK_Imager_4.7.1.exe

Filesize
51.0MB

MD5
9b2aff0559976cf518cfc03b76498296

SHA1
8cda871aaef4af47c9045716fd777d5f7df4bfa7

SHA256
57020f3e585d0f2a7ee783054c50886db4c65af1bbbe5e12e114dbf674326184

SHA512
63721410c56608ec998c2db85772a995ae09e971aa11ff3296af5d23538d7af317674866bc2dcaebe4994daa915176d16362db378db9232c54649a67c2a2939f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BB0D9962-039E-411B-84C6-D1C644F4812A}\AccessData_FTK_Imager_4.7.1.exe

Filesize
51.0MB

MD5
9b2aff0559976cf518cfc03b76498296

SHA1
8cda871aaef4af47c9045716fd777d5f7df4bfa7

SHA256
57020f3e585d0f2a7ee783054c50886db4c65af1bbbe5e12e114dbf674326184

SHA512
63721410c56608ec998c2db85772a995ae09e971aa11ff3296af5d23538d7af317674866bc2dcaebe4994daa915176d16362db378db9232c54649a67c2a2939f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BB0D9962-039E-411B-84C6-D1C644F4812A}\_ISMSIDEL.INI

Filesize
680B

MD5
b3586a54abe3eb8a1ed91b81fda8d10a

SHA1
aaeb0fc385fe06e677c9e03474e7b1d113045564

SHA256
41ad5fe9f8e22cbe06aeeef8de2bda291b37f84e8e9fcc5ed11fee3f0617d8f3

SHA512
e10628c61f58fa9f0661c7a35da6c9599cc948b8433533cc4fc9de063df58eeb1c869381fe3bc9036a8429f6891b44f181adca4b21be1dd88b2d47c184844d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8691.tmp

Filesize
5KB

MD5
c103a5dea86afd1418ef947af7805b8f

SHA1
b9bd1209f76bfdd54b63d5f09d12ee1725883b16

SHA256
b4de52c07a92152b8a2a0421edfa24232b7c44e841c04c074cad96ea12cba8be

SHA512
59626df3a1b77b70f55381d31939b01331cca6c6717792fefe29aff8393bd7b443104be7b1bc54ddca79b9d41040129cb05daa7e2aea7acd13098641f152e3d0

Download Submit
\Users\Admin\AppData\Local\Temp\MSICAF.tmp

Filesize
166KB

MD5
f174086a71fa34b4a612ea330f0df3db

SHA1
d317e17f3d70cbb82829bfac8b90600887433c01

SHA256
c30c8a461175ae3240c7a835c9a4946a913a54e55f4b87f42b729c685a40448a

SHA512
946c8fd10db3f87a813576af81106c40544754852fad7eaa1095cd5ed7d6b817488ca443ae83f3dbb9e512bba461661d9602da0c2470d9d79725eaecf1a9fc76

Download Submit
\Users\Admin\AppData\Local\Temp\{BB0D9962-039E-411B-84C6-D1C644F4812A}\AccessData_FTK_Imager_4.7.1.exe

Filesize
51.0MB

MD5
9b2aff0559976cf518cfc03b76498296

SHA1
8cda871aaef4af47c9045716fd777d5f7df4bfa7

SHA256
57020f3e585d0f2a7ee783054c50886db4c65af1bbbe5e12e114dbf674326184

SHA512
63721410c56608ec998c2db85772a995ae09e971aa11ff3296af5d23538d7af317674866bc2dcaebe4994daa915176d16362db378db9232c54649a67c2a2939f

Download Submit