51d03aad9e9f8ef2282daa338adc42d8ad0ae2ef67c09bfe384170901c869c36

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/05/2023, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x64/setup.exe
Size

218.8MB
MD5

cae7653e477e1bca78905f3ec9ab91e8
SHA1

59c9180f83a6a2f7b7a0292d0392b3040b75e73f
SHA256

188ac68766be38240fa9572209885a37f10aab5868c0d6661f59feadf35a4f09
SHA512

1fc6bf604a2feaea90e6fb13f433b312bf8080065275a56afd5727ceb5e168663b080660048c8ba8c49bd6794e3c859cf3836c0a30e8cf73aad6598c5f763d55
SSDEEP

3145728:K0nR2fs6Lt+8a1w8ihpPnZztqSI8mb90OlXt92wZvJ+KGtwlW9YM6Bgm/hag+:mfs6LUd1ghpNtqSwLhTZZhPprM6vz+

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	620	MSIEXEC.EXE
5	620	MSIEXEC.EXE

Loads dropped DLL 3 IoCs

pid	Process
1696	MsiExec.exe
1696	MsiExec.exe
1696	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
620	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	620	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	620	MSIEXEC.EXE
Token: SeRestorePrivilege	728	msiexec.exe
Token: SeTakeOwnershipPrivilege	728	msiexec.exe
Token: SeSecurityPrivilege	728	msiexec.exe
Token: SeCreateTokenPrivilege	620	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	620	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	620	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	620	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	620	MSIEXEC.EXE
Token: SeTcbPrivilege	620	MSIEXEC.EXE
Token: SeSecurityPrivilege	620	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	620	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	620	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	620	MSIEXEC.EXE
Token: SeSystemtimePrivilege	620	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	620	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	620	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	620	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	620	MSIEXEC.EXE
Token: SeBackupPrivilege	620	MSIEXEC.EXE
Token: SeRestorePrivilege	620	MSIEXEC.EXE
Token: SeShutdownPrivilege	620	MSIEXEC.EXE
Token: SeDebugPrivilege	620	MSIEXEC.EXE
Token: SeAuditPrivilege	620	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	620	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	620	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	620	MSIEXEC.EXE
Token: SeUndockPrivilege	620	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	620	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	620	MSIEXEC.EXE
Token: SeManageVolumePrivilege	620	MSIEXEC.EXE
Token: SeImpersonatePrivilege	620	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	620	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	620	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	620	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	620	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	620	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	620	MSIEXEC.EXE
Token: SeTcbPrivilege	620	MSIEXEC.EXE
Token: SeSecurityPrivilege	620	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	620	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	620	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	620	MSIEXEC.EXE
Token: SeSystemtimePrivilege	620	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	620	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	620	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	620	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	620	MSIEXEC.EXE
Token: SeBackupPrivilege	620	MSIEXEC.EXE
Token: SeRestorePrivilege	620	MSIEXEC.EXE
Token: SeShutdownPrivilege	620	MSIEXEC.EXE
Token: SeDebugPrivilege	620	MSIEXEC.EXE
Token: SeAuditPrivilege	620	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	620	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	620	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	620	MSIEXEC.EXE
Token: SeUndockPrivilege	620	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	620	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	620	MSIEXEC.EXE
Token: SeManageVolumePrivilege	620	MSIEXEC.EXE
Token: SeImpersonatePrivilege	620	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	620	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	620	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
620	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 620	1620	setup.exe	27
PID 1620 wrote to memory of 620	1620	setup.exe	27
PID 1620 wrote to memory of 620	1620	setup.exe	27
PID 1620 wrote to memory of 620	1620	setup.exe	27
PID 1620 wrote to memory of 620	1620	setup.exe	27
PID 1620 wrote to memory of 620	1620	setup.exe	27
PID 1620 wrote to memory of 620	1620	setup.exe	27
PID 728 wrote to memory of 1696	728	msiexec.exe	29
PID 728 wrote to memory of 1696	728	msiexec.exe	29
PID 728 wrote to memory of 1696	728	msiexec.exe	29
PID 728 wrote to memory of 1696	728	msiexec.exe	29
PID 728 wrote to memory of 1696	728	msiexec.exe	29
PID 728 wrote to memory of 1696	728	msiexec.exe	29
PID 728 wrote to memory of 1696	728	msiexec.exe	29

C:\Users\Admin\AppData\Local\Temp\x64\setup.exe
"C:\Users\Admin\AppData\Local\Temp\x64\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\system32\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{B656CB47-97C0-45A2-A2C6-432559FC38B7}\CSR Harmony Wireless Software Stack.msi" /l*v C:\Users\Admin\AppData\Local\Temp\HarmonyInstall.log TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{B656CB47-97C0-45A2-A2C6-432559FC38B7}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\x64" SETUPEXENAME="setup.exe"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:620

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8C5152A715F1AD0EFCA4C2332703A7AD C
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI1CD7.tmp

Filesize
57KB

MD5
e514c184fd59569180f9e29648481f64

SHA1
5d2d29c996974d88ab7ac1db76581c79c77cd3be

SHA256
e886026008391aec859db251fff4c9a55a45c50c227e4063d336835073f25745

SHA512
9f2c1fba7c25c743cc4c7129956db96237d78346d9eff2923b542cb5d692a029046ad1528c70e20a6f86747f74f6a81d6308413fbc4e82a3fed1e941603c9c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1F48.tmp

Filesize
217KB

MD5
3add3dd4c56dd060be6e883ad0de2061

SHA1
e3ff0637a89a85668bac5ff9b382679add5c8d0e

SHA256
3bac9baff52ca46a14e0153a44d623a01faed15e2b38a98caa5012ad168efad0

SHA512
bd014a679d539344228af7e3d218621e4a33ba1483d0da2a12ce01db3d6f5fa0e3b748d13aac2d34e1dd31e6975492cc8a92f80a696bb7b6c1be639a10826ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1F97.tmp

Filesize
122KB

MD5
2c65cc2f1516e8eed2f01ee5efa60c93

SHA1
fa8ace92bdf6cb522357384b352389d08b0464de

SHA256
1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca

SHA512
f5a55023883795a0c27020ffcf6b4a33c37faefa808e45afbeea1f1b8eb07c4b6a82ef4dfc729d66d8cf93f8f7ffaf3f36e0c7c1cd7cddd76934b23380567f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is75A.tmp

Filesize
113KB

MD5
b744f334a4db8788a3eeb1430cf48d98

SHA1
3778f36a74afc672b2d85e2caac61f6981b5a9ae

SHA256
e0c3583cda9929efe92454f87365f56177f11de88097261ed60d440fc5a16de2

SHA512
596c086bcaa0ccc0f6d4ae65bf49ff8120650d6c8c7766d265be564520398b9ab29795bba46d6936d036b44166f8e8ee4f4363399299225c494c9e29f28f2358

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isE535.tmp

Filesize
1KB

MD5
e01626faabeff47b70e930fcd0791ff5

SHA1
aa9b1a8d083ef961599f354c80aef2c129982b44

SHA256
6ce5d8847e9a41651d8f4305e978aafb4dd20a2a52f9c628c128e578c1200530

SHA512
7ca16f96d320c9f187371a792d37f1ffe11d3bf10ebea7d7c96a384bfc12c67053123f2c337503938a834c1365bb6cbc5bb14cac9f642ee7913e59227ef13803

Download Submit
C:\Users\Admin\AppData\Local\Temp\issFC52.tmp

Filesize
4.6MB

MD5
fb0656d431c089acbd5b5626b2b1bcaa

SHA1
d37e3e2625ea2fda2895456bf04bef1970cdbf80

SHA256
f86f468c2c6550182199c3803f0d5bef5c15fd728452d3ba4bd7b5d98d6e00c9

SHA512
717b6d93c81ddbfb42451b70f4176cf33bae52f543028e31254d95a510cd065bc157f8442258873294d77e1d0ded07e98fe62f5f7992d92200d4bde06d5fbccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B656CB47-97C0-45A2-A2C6-432559FC38B7}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B656CB47-97C0-45A2-A2C6-432559FC38B7}\1033.MST

Filesize
12KB

MD5
37311ee451d72647f076ce88652868a8

SHA1
3dc3706ab2073b415a721562bc26e77683d335a2

SHA256
52a8f9ade9d64b98355618c21a2529946f9ea4b159166fc21d57330c2f06c03e

SHA512
98e0c5154ccd8bb31cdbf8272e71d60d8803af006cb6d18eac9a2861b367615eb268887915cf3a8b622364c0c6dfa3a032dc135e4acec97f1340a9e0701d1250

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B656CB47-97C0-45A2-A2C6-432559FC38B7}\CSR Harmony Wireless Software Stack.msi

Filesize
168.3MB

MD5
4effb94bbc6324d72ada023104dca829

SHA1
86442ff2b769de5dd3c13efc84ab2df71eb43313

SHA256
1f66c773b4861719a7a4a5cdc8f1d39a54d4546adfa2069a40a606630a1e2d08

SHA512
5b52938df04c6976bbb6bff68fe01dfa4981a5e9d5b7512cf1286cb32cf055c912babf2e0833e650df298bec6838197f252b3ed17540adcd89296b570c454ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B656CB47-97C0-45A2-A2C6-432559FC38B7}\Setup.INI

Filesize
6KB

MD5
fa48500087e24cdc319bb724e096cbf4

SHA1
c03cfe0936f79c36978b6b90cd60f5b6c2cecb6e

SHA256
19f8a6b784e59ac5be68e80e7591f02341a86d9f1d571d6be62aa1917bf0e023

SHA512
3ba4ca5d0e30342a69f3453a20b7006944c2ba5822caac0a61cc9b864334594104beaa0963b3a75b87ce83903e05a89aefad5069387e75b45601304f282c7250

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B656CB47-97C0-45A2-A2C6-432559FC38B7}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B656CB47-97C0-45A2-A2C6-432559FC38B7}\_ISMSIDEL.INI

Filesize
5KB

MD5
8fc7900907fb5093d8d5e88bc34f3aec

SHA1
9907820c1f3caca9dda5a2a93298cc17c27d1ba9

SHA256
da6f0d89f478d35e6ea47deef79dcd7fdacb9fa084bed38153e4f136a913f056

SHA512
3626b559250c6babc925688d3a9583286096751175d6f48c87a551f9621e58a6d90248baf7c2109d7d2cb369c38e00d85f7d6a6919acc703e0c3931ea7b5e074

Download Submit
\Users\Admin\AppData\Local\Temp\MSI1CD7.tmp

Filesize
57KB

MD5
e514c184fd59569180f9e29648481f64

SHA1
5d2d29c996974d88ab7ac1db76581c79c77cd3be

SHA256
e886026008391aec859db251fff4c9a55a45c50c227e4063d336835073f25745

SHA512
9f2c1fba7c25c743cc4c7129956db96237d78346d9eff2923b542cb5d692a029046ad1528c70e20a6f86747f74f6a81d6308413fbc4e82a3fed1e941603c9c5c

Download Submit
\Users\Admin\AppData\Local\Temp\MSI1F48.tmp

Filesize
217KB

MD5
3add3dd4c56dd060be6e883ad0de2061

SHA1
e3ff0637a89a85668bac5ff9b382679add5c8d0e

SHA256
3bac9baff52ca46a14e0153a44d623a01faed15e2b38a98caa5012ad168efad0

SHA512
bd014a679d539344228af7e3d218621e4a33ba1483d0da2a12ce01db3d6f5fa0e3b748d13aac2d34e1dd31e6975492cc8a92f80a696bb7b6c1be639a10826ae8

Download Submit
\Users\Admin\AppData\Local\Temp\MSI1F97.tmp

Filesize
122KB

MD5
2c65cc2f1516e8eed2f01ee5efa60c93

SHA1
fa8ace92bdf6cb522357384b352389d08b0464de

SHA256
1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca

SHA512
f5a55023883795a0c27020ffcf6b4a33c37faefa808e45afbeea1f1b8eb07c4b6a82ef4dfc729d66d8cf93f8f7ffaf3f36e0c7c1cd7cddd76934b23380567f03

Download Submit