Analysis
max time kernel: 135s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/05/2023, 17:27
Static task: static1
Behavioral task: behavioral1
  Sample: Archive_PDF.052023645b9d8911d28.msi
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Archive_PDF.052023645b9d8911d28.msi
  Resource: win10v2004-20230221-en
General
Target: Archive_PDF.052023645b9d8911d28.msi
Size: 2.9MB
MD5: 141be3e938c68bda36c5950a31bab8d0
SHA1: b55d620307ab78f6dcd682c3f2b85d9a6be33fec
SHA256: 2fb8930172097d4d5c3310160076e4bfd2ccf427c52ee4496cfe46e00e726e74
SHA512: 1ac50b3acbdda2a990f0c1a8f49337ba2d2b83211c360789d05c9d265a1a8b9b459a50c9e03262e7eeb8ffd552449d91eadfffc9db54c4f7ae2cbf2b2c1eca4b
SSDEEP: 49152:A3fL2PMM5fS7Et9TU3h0VoZvE8IWWVsckTc9n4W7jizoL5laI3x:LMQYG9TM80vE/WWVJ0
Malware Config

Signatures
Loads dropped DLL (5 IoCs)
pid / Process:
  1460 MsiExec.exe
  1460 MsiExec.exe
  1460 MsiExec.exe
  1460 MsiExec.exe
  3280 MsiExec.exe
resource / yara_rule:
  behavioral2/files/0x000600000002317e-157.dat  upx
  behavioral2/files/0x000600000002317e-158.dat  upx
  behavioral2/memory/3280-159-0x00000000723B0000-0x0000000072CD8000-memory.dmp  upx
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory (12 IoCs)
description / ioc / Process:
  File opened for modification  C:\Windows\Installer\MSI7AA6.tmp  msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI795C.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI7A47.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\  msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{91BFES6N-93LN-4537-R6MB-IVQZIR5RDS9E}  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI7D28.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI7D96.tmp  msiexec.exe
  File created                  C:\Windows\Installer\e566f49.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\e566f49.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI76EA.tmp  msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
  3980 msiexec.exe
  3980 msiexec.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid / Process:
  4980 msiexec.exe
  4980 msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description / pid / Process / procid_target:
  PID 3980 wrote to memory of 1460  3980 msiexec.exe  86
  PID 3980 wrote to memory of 1460  3980 msiexec.exe  86
  PID 3980 wrote to memory of 1460  3980 msiexec.exe  86
  PID 3980 wrote to memory of 3280  3980 msiexec.exe  87
  PID 3980 wrote to memory of 3280  3980 msiexec.exe  87
Processes
- C:\Windows\system32\msiexec.exe (PID 4980)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Archive_PDF.052023645b9d8911d28.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3980)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\syswow64\MsiExec.exe (PID 1460)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9FA5578EC968D5221F7FCF35533944D8
    - Loads dropped DLL
  - Child: C:\Windows\System32\MsiExec.exe (PID 3280)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 90E9AE3837D83B0F38E32717C148CA8A
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 577B
  MD5: 613d2b5415659c34e2b4844c97a9995c
  SHA1: 9d7e229cbe2429477a838db0e7c6d213dd61cda3
  SHA256: 3f535c7142affb9842d5646603830a03ddcc98671014ae58336da93dd2161492
  SHA512: ef0d837147cfd582869956c9f049b99e31416ba19a54cb4e5161c52a677fc62a1cf2631e8200de2ff08712245082969db588f5ce2f242608ddc32495522e7598
- Filesize: 554KB
  MD5: 3b171ce087bb799aafcbbd93bab27f71
  SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
  SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
  SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38
- Filesize: 1.9MB
  MD5: f52794d1d8c5af992fb03deef44b7b38
  SHA1: fb3b90be02731d84f8300f3bdd6bba1a48c182ea
  SHA256: e7279f515facb6b76da0159858b6490461699829cbd1f05b0258bd392b897cad
  SHA512: 01a3e6b73bc53f03d08ba9351ca1403e82e486a4b54a1c83662558168114590bf391d4397150fe675dfeacc93ce1c8939b3d9c052c44d6ce174992e37b53379c