51d03aad9e9f8ef2282daa338adc42d8ad0ae2ef67c09bfe384170901c869c36

Analysis

max time kernel
172s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2023, 14:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

x64/setup.exe
Size

218.8MB
MD5

cae7653e477e1bca78905f3ec9ab91e8
SHA1

59c9180f83a6a2f7b7a0292d0392b3040b75e73f
SHA256

188ac68766be38240fa9572209885a37f10aab5868c0d6661f59feadf35a4f09
SHA512

1fc6bf604a2feaea90e6fb13f433b312bf8080065275a56afd5727ceb5e168663b080660048c8ba8c49bd6794e3c859cf3836c0a30e8cf73aad6598c5f763d55
SSDEEP

3145728:K0nR2fs6Lt+8a1w8ihpPnZztqSI8mb90OlXt92wZvJ+KGtwlW9YM6Bgm/hag+:mfs6LUd1ghpNtqSwLhTZZhPprM6vz+

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
35	3960	MSIEXEC.EXE
39	3960	MSIEXEC.EXE

Loads dropped DLL 3 IoCs

pid	Process
3928	MsiExec.exe
3928	MsiExec.exe
3928	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3960	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3960	MSIEXEC.EXE
Token: SeSecurityPrivilege	4596	msiexec.exe
Token: SeCreateTokenPrivilege	3960	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3960	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3960	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3960	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3960	MSIEXEC.EXE
Token: SeTcbPrivilege	3960	MSIEXEC.EXE
Token: SeSecurityPrivilege	3960	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3960	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3960	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3960	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3960	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3960	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3960	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3960	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3960	MSIEXEC.EXE
Token: SeBackupPrivilege	3960	MSIEXEC.EXE
Token: SeRestorePrivilege	3960	MSIEXEC.EXE
Token: SeShutdownPrivilege	3960	MSIEXEC.EXE
Token: SeDebugPrivilege	3960	MSIEXEC.EXE
Token: SeAuditPrivilege	3960	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3960	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3960	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3960	MSIEXEC.EXE
Token: SeUndockPrivilege	3960	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3960	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3960	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3960	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3960	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3960	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3960	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3960	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3960	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3960	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3960	MSIEXEC.EXE
Token: SeTcbPrivilege	3960	MSIEXEC.EXE
Token: SeSecurityPrivilege	3960	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3960	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3960	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3960	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3960	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3960	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3960	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3960	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3960	MSIEXEC.EXE
Token: SeBackupPrivilege	3960	MSIEXEC.EXE
Token: SeRestorePrivilege	3960	MSIEXEC.EXE
Token: SeShutdownPrivilege	3960	MSIEXEC.EXE
Token: SeDebugPrivilege	3960	MSIEXEC.EXE
Token: SeAuditPrivilege	3960	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3960	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3960	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3960	MSIEXEC.EXE
Token: SeUndockPrivilege	3960	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3960	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3960	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3960	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3960	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3960	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	3960	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3960	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3960	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3960	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 3960	1160	setup.exe	86
PID 1160 wrote to memory of 3960	1160	setup.exe	86
PID 4596 wrote to memory of 3928	4596	msiexec.exe	89
PID 4596 wrote to memory of 3928	4596	msiexec.exe	89
PID 4596 wrote to memory of 3928	4596	msiexec.exe	89

C:\Users\Admin\AppData\Local\Temp\x64\setup.exe
"C:\Users\Admin\AppData\Local\Temp\x64\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SYSTEM32\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{43CA22CD-3E35-4C99-82EA-F0BAE85517B3}\CSR Harmony Wireless Software Stack.msi" /l*v C:\Users\Admin\AppData\Local\Temp\HarmonyInstall.log TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{43CA22CD-3E35-4C99-82EA-F0BAE85517B3}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\x64" SETUPEXENAME="setup.exe"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3960

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AE7B2EEE160607AA1EDB2E115CDE654C C
  2⤵
  - Loads dropped DLL
  PID:3928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DLL_{17DEA095-8EE1-49A2-AC5A-9663DB098FA9}.ini

Filesize
405B

MD5
6816c4f521e50cf773fdb81563074d9d

SHA1
5bc539dbf88b4c85fffd256dd33a0db45b37950f

SHA256
c796f29d990eb0386b54a1eed21455a22a677f650d715025a66fbf9e62b969bd

SHA512
64e00259ff9292eefb970093e050c9908ca25c40eac893345020d0bd7a4728b8dfd1c297ed063dbd40ce5bfe5d21156cf3e02d9d0da860257a328e416bef6462

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1171.tmp

Filesize
217KB

MD5
3add3dd4c56dd060be6e883ad0de2061

SHA1
e3ff0637a89a85668bac5ff9b382679add5c8d0e

SHA256
3bac9baff52ca46a14e0153a44d623a01faed15e2b38a98caa5012ad168efad0

SHA512
bd014a679d539344228af7e3d218621e4a33ba1483d0da2a12ce01db3d6f5fa0e3b748d13aac2d34e1dd31e6975492cc8a92f80a696bb7b6c1be639a10826ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1171.tmp

Filesize
217KB

MD5
3add3dd4c56dd060be6e883ad0de2061

SHA1
e3ff0637a89a85668bac5ff9b382679add5c8d0e

SHA256
3bac9baff52ca46a14e0153a44d623a01faed15e2b38a98caa5012ad168efad0

SHA512
bd014a679d539344228af7e3d218621e4a33ba1483d0da2a12ce01db3d6f5fa0e3b748d13aac2d34e1dd31e6975492cc8a92f80a696bb7b6c1be639a10826ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1181.tmp

Filesize
122KB

MD5
2c65cc2f1516e8eed2f01ee5efa60c93

SHA1
fa8ace92bdf6cb522357384b352389d08b0464de

SHA256
1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca

SHA512
f5a55023883795a0c27020ffcf6b4a33c37faefa808e45afbeea1f1b8eb07c4b6a82ef4dfc729d66d8cf93f8f7ffaf3f36e0c7c1cd7cddd76934b23380567f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1181.tmp

Filesize
122KB

MD5
2c65cc2f1516e8eed2f01ee5efa60c93

SHA1
fa8ace92bdf6cb522357384b352389d08b0464de

SHA256
1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca

SHA512
f5a55023883795a0c27020ffcf6b4a33c37faefa808e45afbeea1f1b8eb07c4b6a82ef4dfc729d66d8cf93f8f7ffaf3f36e0c7c1cd7cddd76934b23380567f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID2A.tmp

Filesize
57KB

MD5
e514c184fd59569180f9e29648481f64

SHA1
5d2d29c996974d88ab7ac1db76581c79c77cd3be

SHA256
e886026008391aec859db251fff4c9a55a45c50c227e4063d336835073f25745

SHA512
9f2c1fba7c25c743cc4c7129956db96237d78346d9eff2923b542cb5d692a029046ad1528c70e20a6f86747f74f6a81d6308413fbc4e82a3fed1e941603c9c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID2A.tmp

Filesize
57KB

MD5
e514c184fd59569180f9e29648481f64

SHA1
5d2d29c996974d88ab7ac1db76581c79c77cd3be

SHA256
e886026008391aec859db251fff4c9a55a45c50c227e4063d336835073f25745

SHA512
9f2c1fba7c25c743cc4c7129956db96237d78346d9eff2923b542cb5d692a029046ad1528c70e20a6f86747f74f6a81d6308413fbc4e82a3fed1e941603c9c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is9406.tmp

Filesize
1KB

MD5
e01626faabeff47b70e930fcd0791ff5

SHA1
aa9b1a8d083ef961599f354c80aef2c129982b44

SHA256
6ce5d8847e9a41651d8f4305e978aafb4dd20a2a52f9c628c128e578c1200530

SHA512
7ca16f96d320c9f187371a792d37f1ffe11d3bf10ebea7d7c96a384bfc12c67053123f2c337503938a834c1365bb6cbc5bb14cac9f642ee7913e59227ef13803

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isB956.tmp

Filesize
113KB

MD5
b744f334a4db8788a3eeb1430cf48d98

SHA1
3778f36a74afc672b2d85e2caac61f6981b5a9ae

SHA256
e0c3583cda9929efe92454f87365f56177f11de88097261ed60d440fc5a16de2

SHA512
596c086bcaa0ccc0f6d4ae65bf49ff8120650d6c8c7766d265be564520398b9ab29795bba46d6936d036b44166f8e8ee4f4363399299225c494c9e29f28f2358

Download Submit
C:\Users\Admin\AppData\Local\Temp\issAEF5.tmp

Filesize
4.6MB

MD5
fb0656d431c089acbd5b5626b2b1bcaa

SHA1
d37e3e2625ea2fda2895456bf04bef1970cdbf80

SHA256
f86f468c2c6550182199c3803f0d5bef5c15fd728452d3ba4bd7b5d98d6e00c9

SHA512
717b6d93c81ddbfb42451b70f4176cf33bae52f543028e31254d95a510cd065bc157f8442258873294d77e1d0ded07e98fe62f5f7992d92200d4bde06d5fbccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{43CA22CD-3E35-4C99-82EA-F0BAE85517B3}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{43CA22CD-3E35-4C99-82EA-F0BAE85517B3}\1033.MST

Filesize
12KB

MD5
37311ee451d72647f076ce88652868a8

SHA1
3dc3706ab2073b415a721562bc26e77683d335a2

SHA256
52a8f9ade9d64b98355618c21a2529946f9ea4b159166fc21d57330c2f06c03e

SHA512
98e0c5154ccd8bb31cdbf8272e71d60d8803af006cb6d18eac9a2861b367615eb268887915cf3a8b622364c0c6dfa3a032dc135e4acec97f1340a9e0701d1250

Download Submit
C:\Users\Admin\AppData\Local\Temp\{43CA22CD-3E35-4C99-82EA-F0BAE85517B3}\CSR Harmony Wireless Software Stack.msi

Filesize
168.3MB

MD5
4effb94bbc6324d72ada023104dca829

SHA1
86442ff2b769de5dd3c13efc84ab2df71eb43313

SHA256
1f66c773b4861719a7a4a5cdc8f1d39a54d4546adfa2069a40a606630a1e2d08

SHA512
5b52938df04c6976bbb6bff68fe01dfa4981a5e9d5b7512cf1286cb32cf055c912babf2e0833e650df298bec6838197f252b3ed17540adcd89296b570c454ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{43CA22CD-3E35-4C99-82EA-F0BAE85517B3}\Setup.INI

Filesize
6KB

MD5
fa48500087e24cdc319bb724e096cbf4

SHA1
c03cfe0936f79c36978b6b90cd60f5b6c2cecb6e

SHA256
19f8a6b784e59ac5be68e80e7591f02341a86d9f1d571d6be62aa1917bf0e023

SHA512
3ba4ca5d0e30342a69f3453a20b7006944c2ba5822caac0a61cc9b864334594104beaa0963b3a75b87ce83903e05a89aefad5069387e75b45601304f282c7250

Download Submit
C:\Users\Admin\AppData\Local\Temp\{43CA22CD-3E35-4C99-82EA-F0BAE85517B3}\_ISMSIDEL.INI

Filesize
4KB

MD5
70385dbc99db8a402e0f2b5e4d3c7118

SHA1
2f81edb8dc37c097d9d110e09b26ac6753237294

SHA256
7530efa89d048f400f432f2d213d1fcaaabd3a99601d3e396a12930ef1651de3

SHA512
ca19ab0d691f11d9cdf0be22ea64a3506afd7bc1e5d4991bd1f761716d4a3d27e5fca3bd50e3e071ebed2726f8b79d24942ca6eb742f56559ebbd5286d13d20e

Download Submit