51d03aad9e9f8ef2282daa338adc42d8ad0ae2ef67c09bfe384170901c869c36

Analysis

max time kernel
55s
max time network
144s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/05/2023, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

92KB
MD5

86475a2101208040be3dc425121c8ff8
SHA1

e9130507efd90353ebbdbaa89d961426b522866c
SHA256

15181942b137b8c6d5f7e7f6dd8df88ccfc12b6e059f158c43c6b4a98f548b93
SHA512

a8fc80661d3707458a88001d6d7a5b33d28dbebe07244e86728f9b37a4f86f12e01192292d5444dca129fc39552fc82828b7102c659144d58264966562846c34
SSDEEP

1536:hr3ml2LZmMp0mOZSIqixdOD0F/k/8PY9f:lmkLZwzaDu/k/8Ad

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	828	MSIEXEC.EXE
5	828	MSIEXEC.EXE

Loads dropped DLL 3 IoCs

pid	Process
904	MsiExec.exe
904	MsiExec.exe
904	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	828	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	828	MSIEXEC.EXE
Token: SeRestorePrivilege	544	msiexec.exe
Token: SeTakeOwnershipPrivilege	544	msiexec.exe
Token: SeSecurityPrivilege	544	msiexec.exe
Token: SeCreateTokenPrivilege	828	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	828	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	828	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	828	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	828	MSIEXEC.EXE
Token: SeTcbPrivilege	828	MSIEXEC.EXE
Token: SeSecurityPrivilege	828	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	828	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	828	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	828	MSIEXEC.EXE
Token: SeSystemtimePrivilege	828	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	828	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	828	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	828	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	828	MSIEXEC.EXE
Token: SeBackupPrivilege	828	MSIEXEC.EXE
Token: SeRestorePrivilege	828	MSIEXEC.EXE
Token: SeShutdownPrivilege	828	MSIEXEC.EXE
Token: SeDebugPrivilege	828	MSIEXEC.EXE
Token: SeAuditPrivilege	828	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	828	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	828	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	828	MSIEXEC.EXE
Token: SeUndockPrivilege	828	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	828	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	828	MSIEXEC.EXE
Token: SeManageVolumePrivilege	828	MSIEXEC.EXE
Token: SeImpersonatePrivilege	828	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	828	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	828	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	828	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	828	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	828	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	828	MSIEXEC.EXE
Token: SeTcbPrivilege	828	MSIEXEC.EXE
Token: SeSecurityPrivilege	828	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	828	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	828	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	828	MSIEXEC.EXE
Token: SeSystemtimePrivilege	828	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	828	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	828	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	828	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	828	MSIEXEC.EXE
Token: SeBackupPrivilege	828	MSIEXEC.EXE
Token: SeRestorePrivilege	828	MSIEXEC.EXE
Token: SeShutdownPrivilege	828	MSIEXEC.EXE
Token: SeDebugPrivilege	828	MSIEXEC.EXE
Token: SeAuditPrivilege	828	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	828	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	828	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	828	MSIEXEC.EXE
Token: SeUndockPrivilege	828	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	828	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	828	MSIEXEC.EXE
Token: SeManageVolumePrivilege	828	MSIEXEC.EXE
Token: SeImpersonatePrivilege	828	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	828	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	828	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
828	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1756	2008	Setup.exe	28
PID 2008 wrote to memory of 1756	2008	Setup.exe	28
PID 2008 wrote to memory of 1756	2008	Setup.exe	28
PID 2008 wrote to memory of 1756	2008	Setup.exe	28
PID 2008 wrote to memory of 1756	2008	Setup.exe	28
PID 2008 wrote to memory of 1756	2008	Setup.exe	28
PID 2008 wrote to memory of 1756	2008	Setup.exe	28
PID 1756 wrote to memory of 828	1756	setup.exe	29
PID 1756 wrote to memory of 828	1756	setup.exe	29
PID 1756 wrote to memory of 828	1756	setup.exe	29
PID 1756 wrote to memory of 828	1756	setup.exe	29
PID 1756 wrote to memory of 828	1756	setup.exe	29
PID 1756 wrote to memory of 828	1756	setup.exe	29
PID 1756 wrote to memory of 828	1756	setup.exe	29
PID 544 wrote to memory of 904	544	msiexec.exe	31
PID 544 wrote to memory of 904	544	msiexec.exe	31
PID 544 wrote to memory of 904	544	msiexec.exe	31
PID 544 wrote to memory of 904	544	msiexec.exe	31
PID 544 wrote to memory of 904	544	msiexec.exe	31
PID 544 wrote to memory of 904	544	msiexec.exe	31
PID 544 wrote to memory of 904	544	msiexec.exe	31

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\x64\setup.exe
  C:\Users\Admin\AppData\Local\Temp\x64\setup.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\MSIEXEC.EXE
    MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{86B6062E-90EF-4278-9D74-FA2A2F8B5A76}\CSR Harmony Wireless Software Stack.msi" /l*v C:\Users\Admin\AppData\Local\Temp\HarmonyInstall.log TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{86B6062E-90EF-4278-9D74-FA2A2F8B5A76}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\x64" SETUPEXENAME="setup.exe"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:828

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCA4A7C13399FC8629E93400F8522449 C
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIBEFE.tmp

Filesize
57KB

MD5
e514c184fd59569180f9e29648481f64

SHA1
5d2d29c996974d88ab7ac1db76581c79c77cd3be

SHA256
e886026008391aec859db251fff4c9a55a45c50c227e4063d336835073f25745

SHA512
9f2c1fba7c25c743cc4c7129956db96237d78346d9eff2923b542cb5d692a029046ad1528c70e20a6f86747f74f6a81d6308413fbc4e82a3fed1e941603c9c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC3D0.tmp

Filesize
217KB

MD5
3add3dd4c56dd060be6e883ad0de2061

SHA1
e3ff0637a89a85668bac5ff9b382679add5c8d0e

SHA256
3bac9baff52ca46a14e0153a44d623a01faed15e2b38a98caa5012ad168efad0

SHA512
bd014a679d539344228af7e3d218621e4a33ba1483d0da2a12ce01db3d6f5fa0e3b748d13aac2d34e1dd31e6975492cc8a92f80a696bb7b6c1be639a10826ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC622.tmp

Filesize
122KB

MD5
2c65cc2f1516e8eed2f01ee5efa60c93

SHA1
fa8ace92bdf6cb522357384b352389d08b0464de

SHA256
1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca

SHA512
f5a55023883795a0c27020ffcf6b4a33c37faefa808e45afbeea1f1b8eb07c4b6a82ef4dfc729d66d8cf93f8f7ffaf3f36e0c7c1cd7cddd76934b23380567f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is7978.tmp

Filesize
1KB

MD5
e01626faabeff47b70e930fcd0791ff5

SHA1
aa9b1a8d083ef961599f354c80aef2c129982b44

SHA256
6ce5d8847e9a41651d8f4305e978aafb4dd20a2a52f9c628c128e578c1200530

SHA512
7ca16f96d320c9f187371a792d37f1ffe11d3bf10ebea7d7c96a384bfc12c67053123f2c337503938a834c1365bb6cbc5bb14cac9f642ee7913e59227ef13803

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is9566.tmp

Filesize
113KB

MD5
b744f334a4db8788a3eeb1430cf48d98

SHA1
3778f36a74afc672b2d85e2caac61f6981b5a9ae

SHA256
e0c3583cda9929efe92454f87365f56177f11de88097261ed60d440fc5a16de2

SHA512
596c086bcaa0ccc0f6d4ae65bf49ff8120650d6c8c7766d265be564520398b9ab29795bba46d6936d036b44166f8e8ee4f4363399299225c494c9e29f28f2358

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss8D6A.tmp

Filesize
4.6MB

MD5
fb0656d431c089acbd5b5626b2b1bcaa

SHA1
d37e3e2625ea2fda2895456bf04bef1970cdbf80

SHA256
f86f468c2c6550182199c3803f0d5bef5c15fd728452d3ba4bd7b5d98d6e00c9

SHA512
717b6d93c81ddbfb42451b70f4176cf33bae52f543028e31254d95a510cd065bc157f8442258873294d77e1d0ded07e98fe62f5f7992d92200d4bde06d5fbccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{86B6062E-90EF-4278-9D74-FA2A2F8B5A76}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{86B6062E-90EF-4278-9D74-FA2A2F8B5A76}\1033.MST

Filesize
12KB

MD5
37311ee451d72647f076ce88652868a8

SHA1
3dc3706ab2073b415a721562bc26e77683d335a2

SHA256
52a8f9ade9d64b98355618c21a2529946f9ea4b159166fc21d57330c2f06c03e

SHA512
98e0c5154ccd8bb31cdbf8272e71d60d8803af006cb6d18eac9a2861b367615eb268887915cf3a8b622364c0c6dfa3a032dc135e4acec97f1340a9e0701d1250

Download Submit
C:\Users\Admin\AppData\Local\Temp\{86B6062E-90EF-4278-9D74-FA2A2F8B5A76}\CSR Harmony Wireless Software Stack.msi

Filesize
168.3MB

MD5
4effb94bbc6324d72ada023104dca829

SHA1
86442ff2b769de5dd3c13efc84ab2df71eb43313

SHA256
1f66c773b4861719a7a4a5cdc8f1d39a54d4546adfa2069a40a606630a1e2d08

SHA512
5b52938df04c6976bbb6bff68fe01dfa4981a5e9d5b7512cf1286cb32cf055c912babf2e0833e650df298bec6838197f252b3ed17540adcd89296b570c454ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{86B6062E-90EF-4278-9D74-FA2A2F8B5A76}\Setup.INI

Filesize
6KB

MD5
fa48500087e24cdc319bb724e096cbf4

SHA1
c03cfe0936f79c36978b6b90cd60f5b6c2cecb6e

SHA256
19f8a6b784e59ac5be68e80e7591f02341a86d9f1d571d6be62aa1917bf0e023

SHA512
3ba4ca5d0e30342a69f3453a20b7006944c2ba5822caac0a61cc9b864334594104beaa0963b3a75b87ce83903e05a89aefad5069387e75b45601304f282c7250

Download Submit
C:\Users\Admin\AppData\Local\Temp\{86B6062E-90EF-4278-9D74-FA2A2F8B5A76}\_ISMSIDEL.INI

Filesize
4KB

MD5
63d35e54b94aa8a1bcf2c799bfb25845

SHA1
c62f09ec3f99708182621cf84004e5c21ced6fb3

SHA256
ef81ca21475059d123c2dbae93421e0f8b5817e1823c384875a23273e5ac9ae3

SHA512
579c457327a03c6c58ffc95c1b443a3e853c798b458e2d3499c65886ce9aa3327b9d9811f0d8f95f3c10faeeaf130fd9e3b1b7cb06328eff44be81bd9066a43c

Download Submit
\Users\Admin\AppData\Local\Temp\MSIBEFE.tmp

Filesize
57KB

MD5
e514c184fd59569180f9e29648481f64

SHA1
5d2d29c996974d88ab7ac1db76581c79c77cd3be

SHA256
e886026008391aec859db251fff4c9a55a45c50c227e4063d336835073f25745

SHA512
9f2c1fba7c25c743cc4c7129956db96237d78346d9eff2923b542cb5d692a029046ad1528c70e20a6f86747f74f6a81d6308413fbc4e82a3fed1e941603c9c5c

Download Submit
\Users\Admin\AppData\Local\Temp\MSIC3D0.tmp

Filesize
217KB

MD5
3add3dd4c56dd060be6e883ad0de2061

SHA1
e3ff0637a89a85668bac5ff9b382679add5c8d0e

SHA256
3bac9baff52ca46a14e0153a44d623a01faed15e2b38a98caa5012ad168efad0

SHA512
bd014a679d539344228af7e3d218621e4a33ba1483d0da2a12ce01db3d6f5fa0e3b748d13aac2d34e1dd31e6975492cc8a92f80a696bb7b6c1be639a10826ae8

Download Submit
\Users\Admin\AppData\Local\Temp\MSIC622.tmp

Filesize
122KB

MD5
2c65cc2f1516e8eed2f01ee5efa60c93

SHA1
fa8ace92bdf6cb522357384b352389d08b0464de

SHA256
1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca

SHA512
f5a55023883795a0c27020ffcf6b4a33c37faefa808e45afbeea1f1b8eb07c4b6a82ef4dfc729d66d8cf93f8f7ffaf3f36e0c7c1cd7cddd76934b23380567f03

Download Submit