Analysis
max time kernel: 27s
max time network: 31s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11/05/2023, 17:27
Static task: static1
Behavioral task: behavioral1
Sample: Archive_PDF.052023645b9d8911d28.msi
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: Archive_PDF.052023645b9d8911d28.msi
Resource: win10v2004-20230221-en
General
Target: Archive_PDF.052023645b9d8911d28.msi
Size: 2.9MB
MD5: 141be3e938c68bda36c5950a31bab8d0
SHA1: b55d620307ab78f6dcd682c3f2b85d9a6be33fec
SHA256: 2fb8930172097d4d5c3310160076e4bfd2ccf427c52ee4496cfe46e00e726e74
SHA512: 1ac50b3acbdda2a990f0c1a8f49337ba2d2b83211c360789d05c9d265a1a8b9b459a50c9e03262e7eeb8ffd552449d91eadfffc9db54c4f7ae2cbf2b2c1eca4b
SSDEEP: 49152:A3fL2PMM5fS7Et9TU3h0VoZvE8IWWVsckTc9n4W7jizoL5laI3x:LMQYG9TM80vE/WWVJ0
Malware Config
Signatures

Loads dropped DLL (4 IoCs)
pid / Process:
1764 MsiExec.exe
1764 MsiExec.exe
1764 MsiExec.exe
1976 MsiExec.exe
resource / yara_rule (all four match the rule "upx"):
behavioral1/files/0x00060000000130e0-74.dat: upx
behavioral1/files/0x00060000000130e0-73.dat: upx
behavioral1/memory/1976-76-0x0000000072CC0000-0x00000000735E8000-memory.dmp: upx
behavioral1/memory/1976-75-0x0000000072CC0000-0x00000000735E8000-memory.dmp: upx
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process: File opened (read-only) by msiexec.exe for each of the following 24 drive roots, each root appearing twice in the table (the process tree flags two msiexec.exe instances, PIDs 748 and 1692, with this signature):
\??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Every letter except C: and D: was probed.
Drops file in Windows directory (10 IoCs)
description / ioc / Process:
File opened for modification C:\Windows\Installer\6c5dda.msi msiexec.exe
File created C:\Windows\Installer\6c5dda.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSI624E.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI6319.tmp msiexec.exe
File created C:\Windows\Installer\6c5ddc.ipi msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File opened for modification C:\Windows\Installer\MSI6932.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI69D0.tmp msiexec.exe
File opened for modification C:\Windows\Installer\6c5ddc.ipi msiexec.exe
File opened for modification C:\Windows\Installer\MSI5EA5.tmp msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
1692 msiexec.exe
1692 msiexec.exe
Suspicious use of AdjustPrivilegeToken (52 IoCs)
description / pid / Process, grouped by PID (each privilege enabled once unless a multiplier is given):
PID 748 msiexec.exe (31 entries): SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
PID 1692 msiexec.exe (21 entries): SeSecurityPrivilege, SeRestorePrivilege (x10), SeTakeOwnershipPrivilege (x10)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid / Process:
748 msiexec.exe
748 msiexec.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / Process / procid_target:
PID 1692 msiexec.exe wrote to memory of PID 1764, procid_target 27 (x7)
PID 1692 msiexec.exe wrote to memory of PID 1976, procid_target 28 (x5)
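Each signature above is computed mechanically from raw sandbox events, and it helps to see that computation rather than only its output. The Python below is an added example written for this page, not code from the report or from the sandbox vendor. It re-derives two of the signatures over constructed event lines copied from the IoC tables: the drive-enumeration check (distinct drive roots other than C: opened read-only by a single PID) and the privilege-adjustment check (which privileges each PID enabled, and which of them matter). The event-line layout, the PID placed on each drive line (the report's drive table names only the process), the threshold of three drives and the list of high-value privileges are assumptions for the example. One caveat a reader of this report should keep in mind: every process here is msiexec.exe, the Windows Installer engine that any .msi runs under, so enabling the full privilege set and spawning "-Embedding" custom-action hosts is what a legitimate installer does too; the sample's own code is in the UPX-matched DLL loaded into PID 1976, and that file, not the installer host, is what deserves static analysis.

```python
"""Re-derive two sandbox signatures ("Enumerates connected drives" and
"Suspicious use of AdjustPrivilegeToken") from raw event lines."""
import re
from collections import defaultdict

# Constructed event lines. Drive letters and privilege names are copied from
# this report's IoC tables; the PID on each drive line is an assumption (the
# report's table lists only the process name) chosen to match the two
# msiexec.exe instances the process tree flags.
DRIVE_EVENTS = [
    "File opened (read-only) \\??\\O: msiexec.exe 748",
    "File opened (read-only) \\??\\U: msiexec.exe 748",
    "File opened (read-only) \\??\\V: msiexec.exe 748",
    "File opened (read-only) \\??\\C: msiexec.exe 748",   # default drive, must not count
    "File opened (read-only) \\??\\G: msiexec.exe 1692",
    "File opened (read-only) \\??\\S: msiexec.exe 1692",
    "File opened (read-only) \\??\\T: msiexec.exe 1692",
    "File opened (read-only) \\??\\D: MsiExec.exe 1764",  # a single extra drive: below threshold
]

TOKEN_EVENTS = [
    "Token: SeShutdownPrivilege 748 msiexec.exe",
    "Token: SeDebugPrivilege 748 msiexec.exe",
    "Token: SeTcbPrivilege 748 msiexec.exe",
    "Token: SeLoadDriverPrivilege 748 msiexec.exe",
    "Token: SeRestorePrivilege 1692 msiexec.exe",
    "Token: SeTakeOwnershipPrivilege 1692 msiexec.exe",
    "Token: SeRestorePrivilege 1692 msiexec.exe",   # repeated, as in the report
]

# Matches "File opened (read-only) \??\X: <process> <pid>"
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)\s+(\d+)$")
# Matches "Token: Se...Privilege <pid> <process>"
TOKEN_RE = re.compile(r"^Token:\s+(Se\w+Privilege)\s+(\d+)\s+(\S+)$")

# Assumption for the example: the vendor's real cutoff is not on the page.
DRIVE_THRESHOLD = 3
# Assumption for the example: privileges that let a process step outside its
# own security context (debug other processes, act as the OS, load drivers,
# bypass file ACLs, impersonate).
HIGH_VALUE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeRestorePrivilege", "SeBackupPrivilege", "SeTakeOwnershipPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
}


def enumerates_drives(events, threshold=DRIVE_THRESHOLD):
    """Return {pid: sorted drive letters} for every PID that opened at least
    `threshold` distinct drive roots other than C:. This is the logic behind
    the 'Enumerates connected drives' signature; C: is ignored because the
    installer legitimately touches the system drive."""
    seen = defaultdict(set)
    for line in events:
        m = DRIVE_RE.match(line)
        if not m:
            continue                      # not a drive-root open; skip
        letter, _process, pid = m.groups()
        if letter != "C":
            seen[int(pid)].add(letter)
    return {pid: sorted(letters) for pid, letters in seen.items()
            if len(letters) >= threshold}


def adjusted_privileges(events):
    """Return {pid: {privilege: times enabled}} from AdjustPrivilegeToken events.
    Repeated enables are counted rather than collapsed, matching how the report
    arrives at 52 IoCs for a much shorter list of distinct privileges."""
    out = defaultdict(lambda: defaultdict(int))
    for line in events:
        m = TOKEN_RE.match(line)
        if m:
            priv, pid, _process = m.groups()
            out[int(pid)][priv] += 1
    return {pid: dict(privs) for pid, privs in out.items()}


def high_value_privileges(events):
    """Return {pid: sorted high-value privileges} - the subset of the
    AdjustPrivilegeToken signature an analyst actually triages on."""
    return {pid: sorted(set(privs) & HIGH_VALUE)
            for pid, privs in adjusted_privileges(events).items()}


if __name__ == "__main__":
    for pid, drives in enumerates_drives(DRIVE_EVENTS).items():
        print(f"PID {pid}: enumerates connected drives {', '.join(drives)}")
    for pid, privs in high_value_privileges(TOKEN_EVENTS).items():
        print(f"PID {pid}: enabled high-value privileges {', '.join(privs)}")
```

Run as a script it prints one line per flagged PID; PID 1764 is not reported for drives because a single non-system drive does not meet the threshold, which is the point of counting distinct roots per process instead of alerting on any open of a drive root.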
Processes

C:\Windows\system32\msiexec.exe (PID 748, depth 1)
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Archive_PDF.052023645b9d8911d28.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 1692, depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe (PID 1764, depth 2, child of PID 1692)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 63855EFC033C3349B15FE9DFDBCF8942
    - Loads dropped DLL

    C:\Windows\system32\MsiExec.exe (PID 1976, depth 2, child of PID 1692)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding E9D0BB91C1DBC1DC1CD93108A18C1538
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

File, 577B
MD5: c50d9dfa23cb85dfe2b00b2c150bca16
SHA1: fa218e575b80eae384830880fd80de213a1866ae
SHA256: cc4edd1999f1ecc4349d5b3a55ba9a746ab9d79f0bccff75055268c1395f9fa2
SHA512: 1246bd962aef3ace8f04120941ac3f14bc2f654cebdd360f72115fb3b8a2e6c94fac34cc370f6dcb85eb9202ec43b17bfc09e67b83be03e72f44093dbb006aa3

File, 554KB (the same content is listed 7 times in the original table)
MD5: 3b171ce087bb799aafcbbd93bab27f71
SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

File, 1.9MB (the same content is listed 2 times in the original table)
MD5: f52794d1d8c5af992fb03deef44b7b38
SHA1: fb3b90be02731d84f8300f3bdd6bba1a48c182ea
SHA256: e7279f515facb6b76da0159858b6490461699829cbd1f05b0258bd392b897cad
SHA512: 01a3e6b73bc53f03d08ba9351ca1403e82e486a4b54a1c83662558168114590bf391d4397150fe675dfeacc93ce1c8939b3d9c052c44d6ce174992e37b53379c