51d03aad9e9f8ef2282daa338adc42d8ad0ae2ef67c09bfe384170901c869c36

Analysis

max time kernel
147s
max time network
162s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/05/2023, 14:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

x32/setup.exe
Size

189.8MB
MD5

da0bb7868fa68de62c1cfac34e8dd2bd
SHA1

1f1496ea9f490161a1c2ee8839fdadb4a94b3725
SHA256

539e20a7820d76833a884e46c180afe925eae26940860cf3be7706ace5419e88
SHA512

708feba022827f0e3d5c7fc821dfd244ce75c35c95b8b7f140ca0ae5e07ef9af6a8e8c6f21e8169baae3e9ede4038f2300d4b482917111481236160be6e8737d
SSDEEP

3145728:r0u49gTTDzlJOf/R1z67naI26pEftQOEUO9Qa5jlDD/lKJLomIP1xzE9I9tde7Kb:o+NJwbzgaIQO/lf/lKJLiNFEa9tcO8DS

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	1280	MSIEXEC.EXE
5	1280	MSIEXEC.EXE
6	1280	MSIEXEC.EXE

Loads dropped DLL 3 IoCs

pid	Process
1104	MsiExec.exe
1104	MsiExec.exe
1104	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1280	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1280	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1280	MSIEXEC.EXE
Token: SeRestorePrivilege	820	msiexec.exe
Token: SeTakeOwnershipPrivilege	820	msiexec.exe
Token: SeSecurityPrivilege	820	msiexec.exe
Token: SeCreateTokenPrivilege	1280	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	1280	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	1280	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1280	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	1280	MSIEXEC.EXE
Token: SeTcbPrivilege	1280	MSIEXEC.EXE
Token: SeSecurityPrivilege	1280	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	1280	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	1280	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	1280	MSIEXEC.EXE
Token: SeSystemtimePrivilege	1280	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	1280	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	1280	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	1280	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	1280	MSIEXEC.EXE
Token: SeBackupPrivilege	1280	MSIEXEC.EXE
Token: SeRestorePrivilege	1280	MSIEXEC.EXE
Token: SeShutdownPrivilege	1280	MSIEXEC.EXE
Token: SeDebugPrivilege	1280	MSIEXEC.EXE
Token: SeAuditPrivilege	1280	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	1280	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	1280	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	1280	MSIEXEC.EXE
Token: SeUndockPrivilege	1280	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	1280	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	1280	MSIEXEC.EXE
Token: SeManageVolumePrivilege	1280	MSIEXEC.EXE
Token: SeImpersonatePrivilege	1280	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	1280	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	1280	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	1280	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	1280	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1280	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	1280	MSIEXEC.EXE
Token: SeTcbPrivilege	1280	MSIEXEC.EXE
Token: SeSecurityPrivilege	1280	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	1280	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	1280	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	1280	MSIEXEC.EXE
Token: SeSystemtimePrivilege	1280	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	1280	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	1280	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	1280	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	1280	MSIEXEC.EXE
Token: SeBackupPrivilege	1280	MSIEXEC.EXE
Token: SeRestorePrivilege	1280	MSIEXEC.EXE
Token: SeShutdownPrivilege	1280	MSIEXEC.EXE
Token: SeDebugPrivilege	1280	MSIEXEC.EXE
Token: SeAuditPrivilege	1280	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	1280	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	1280	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	1280	MSIEXEC.EXE
Token: SeUndockPrivilege	1280	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	1280	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	1280	MSIEXEC.EXE
Token: SeManageVolumePrivilege	1280	MSIEXEC.EXE
Token: SeImpersonatePrivilege	1280	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	1280	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	1280	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1280	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1280	1300	setup.exe	28
PID 1300 wrote to memory of 1280	1300	setup.exe	28
PID 1300 wrote to memory of 1280	1300	setup.exe	28
PID 1300 wrote to memory of 1280	1300	setup.exe	28
PID 1300 wrote to memory of 1280	1300	setup.exe	28
PID 1300 wrote to memory of 1280	1300	setup.exe	28
PID 1300 wrote to memory of 1280	1300	setup.exe	28
PID 820 wrote to memory of 1104	820	msiexec.exe	30
PID 820 wrote to memory of 1104	820	msiexec.exe	30
PID 820 wrote to memory of 1104	820	msiexec.exe	30
PID 820 wrote to memory of 1104	820	msiexec.exe	30
PID 820 wrote to memory of 1104	820	msiexec.exe	30
PID 820 wrote to memory of 1104	820	msiexec.exe	30
PID 820 wrote to memory of 1104	820	msiexec.exe	30

C:\Users\Admin\AppData\Local\Temp\x32\setup.exe
"C:\Users\Admin\AppData\Local\Temp\x32\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{9FF9A525-E026-4930-A0B6-B791DEE56F88}\CSR Harmony Wireless Software Stack.msi" /l*v C:\Users\Admin\AppData\Local\Temp\HarmonyInstall.log TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{9FF9A525-E026-4930-A0B6-B791DEE56F88}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\x32" SETUPEXENAME="setup.exe"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1280

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4697BBB729C117A74DC36E279659DF0F C
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI7C1.tmp

Filesize
57KB

MD5
e514c184fd59569180f9e29648481f64

SHA1
5d2d29c996974d88ab7ac1db76581c79c77cd3be

SHA256
e886026008391aec859db251fff4c9a55a45c50c227e4063d336835073f25745

SHA512
9f2c1fba7c25c743cc4c7129956db96237d78346d9eff2923b542cb5d692a029046ad1528c70e20a6f86747f74f6a81d6308413fbc4e82a3fed1e941603c9c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI85E.tmp

Filesize
217KB

MD5
3add3dd4c56dd060be6e883ad0de2061

SHA1
e3ff0637a89a85668bac5ff9b382679add5c8d0e

SHA256
3bac9baff52ca46a14e0153a44d623a01faed15e2b38a98caa5012ad168efad0

SHA512
bd014a679d539344228af7e3d218621e4a33ba1483d0da2a12ce01db3d6f5fa0e3b748d13aac2d34e1dd31e6975492cc8a92f80a696bb7b6c1be639a10826ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI87E.tmp

Filesize
122KB

MD5
2c65cc2f1516e8eed2f01ee5efa60c93

SHA1
fa8ace92bdf6cb522357384b352389d08b0464de

SHA256
1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca

SHA512
f5a55023883795a0c27020ffcf6b4a33c37faefa808e45afbeea1f1b8eb07c4b6a82ef4dfc729d66d8cf93f8f7ffaf3f36e0c7c1cd7cddd76934b23380567f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is804C.tmp

Filesize
1KB

MD5
a326980e42c0c8af656451bdcf61b2d4

SHA1
c3aed84d944bc382d7987da8b9dc3df84bbaf37a

SHA256
bb9b46f495d457758c368e54fc3ff16e35e73c86f1ebe806bab5c1eb98142cd5

SHA512
344cc75be73168867c246f21eb2ae278df184837eed68482c75aaf81b0effda835de0f8830d650a62a3722ee01b92869ec3caabb2c5565ce84133023c8e1caef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isA2DE.tmp

Filesize
113KB

MD5
b744f334a4db8788a3eeb1430cf48d98

SHA1
3778f36a74afc672b2d85e2caac61f6981b5a9ae

SHA256
e0c3583cda9929efe92454f87365f56177f11de88097261ed60d440fc5a16de2

SHA512
596c086bcaa0ccc0f6d4ae65bf49ff8120650d6c8c7766d265be564520398b9ab29795bba46d6936d036b44166f8e8ee4f4363399299225c494c9e29f28f2358

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss999A.tmp

Filesize
4.6MB

MD5
216f73e8a91feaa9efb1e9ec92b93693

SHA1
4f68295bd87446f86e334c89362376ef8cdc9f85

SHA256
940f0f1d4e4bc1c0a265301dd3d564caf733aa80cbe26b52d4ebf24bbf0f3241

SHA512
820da4f047729e9a582d02f38bd9cfe391da254aca87b19829943c59bb528a49569bb7d57392f4b19f2a5f21916aeea55b0c84b06cacf6ed244d6f3c7dbb49f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9FF9A525-E026-4930-A0B6-B791DEE56F88}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9FF9A525-E026-4930-A0B6-B791DEE56F88}\1033.MST

Filesize
12KB

MD5
0cf6c912e9f721a45792fe95938544e1

SHA1
812f5dfd92ffbc27d11c490906d356d8843b7a27

SHA256
6c3c15e07f63d192ac35108a11b688a2344b7f90aeda8c41e686de94539e9cb0

SHA512
c76c42cb50b0b8462f2dc68baff8dbaf2ccf7a1c38886eabfaff69b7562153bd0ed141ebda456475cea033b770b723ba7aba08d2cf4d66c6f7796f5156e030a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9FF9A525-E026-4930-A0B6-B791DEE56F88}\CSR Harmony Wireless Software Stack.msi

Filesize
162.5MB

MD5
286e8a6bbf205220957714e9753f9bb7

SHA1
5eb02326a70930a2208816b516b40703db488962

SHA256
ba9f34c47547c4b0dbffc8104a6416ac3969e5cf965f459251b0f3ad077da9fe

SHA512
c31de431ad1911ae4f1a41b1690725179f7481894ac32326a7d72b8cb5c61df5adc7d50f982adf0c423420792994c580916c996c8efdb9bfa24fdb95bd23a649

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9FF9A525-E026-4930-A0B6-B791DEE56F88}\Setup.INI

Filesize
6KB

MD5
59740d6e67fc73a6b0e04fecd8037e8f

SHA1
0c6a4848a9845354ebf17b5e17a8b00c270fa54e

SHA256
da21d345647389ce764245b79da356a7dd9b26513e1df31de7ca0a01cd2ee6ca

SHA512
2363dbd0163b89479093eb9ef6e367fd22f4fe9ac619eb6c6eb34443a405806c2666469194838d4a9199d1753651a625229b69c9bf3055c626606a40fbe9f454

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9FF9A525-E026-4930-A0B6-B791DEE56F88}\_ISMSIDEL.INI

Filesize
596B

MD5
1609b0f9a781f58a4ab9a434f0a10cc4

SHA1
aafd39cd2bdfc1efe5a370ca19c96673ac63f859

SHA256
a42c268ba6a6e1b05d03797c170476f50b50bfc5bd922a336d7f526508b40c3d

SHA512
ec7554097d845d53cd2edd451c4ed0951b9316feb9665096b63697261ae4fb22577ce6c3f3642b5aed20c07a6eba660239665f254878772bee114f828e441b4c

Download Submit
\Users\Admin\AppData\Local\Temp\MSI7C1.tmp

Filesize
57KB

MD5
e514c184fd59569180f9e29648481f64

SHA1
5d2d29c996974d88ab7ac1db76581c79c77cd3be

SHA256
e886026008391aec859db251fff4c9a55a45c50c227e4063d336835073f25745

SHA512
9f2c1fba7c25c743cc4c7129956db96237d78346d9eff2923b542cb5d692a029046ad1528c70e20a6f86747f74f6a81d6308413fbc4e82a3fed1e941603c9c5c

Download Submit
\Users\Admin\AppData\Local\Temp\MSI85E.tmp

Filesize
217KB

MD5
3add3dd4c56dd060be6e883ad0de2061

SHA1
e3ff0637a89a85668bac5ff9b382679add5c8d0e

SHA256
3bac9baff52ca46a14e0153a44d623a01faed15e2b38a98caa5012ad168efad0

SHA512
bd014a679d539344228af7e3d218621e4a33ba1483d0da2a12ce01db3d6f5fa0e3b748d13aac2d34e1dd31e6975492cc8a92f80a696bb7b6c1be639a10826ae8

Download Submit
\Users\Admin\AppData\Local\Temp\MSI87E.tmp

Filesize
122KB

MD5
2c65cc2f1516e8eed2f01ee5efa60c93

SHA1
fa8ace92bdf6cb522357384b352389d08b0464de

SHA256
1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca

SHA512
f5a55023883795a0c27020ffcf6b4a33c37faefa808e45afbeea1f1b8eb07c4b6a82ef4dfc729d66d8cf93f8f7ffaf3f36e0c7c1cd7cddd76934b23380567f03

Download Submit