51d03aad9e9f8ef2282daa338adc42d8ad0ae2ef67c09bfe384170901c869c36

Analysis

max time kernel
133s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2023 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

92KB
MD5

86475a2101208040be3dc425121c8ff8
SHA1

e9130507efd90353ebbdbaa89d961426b522866c
SHA256

15181942b137b8c6d5f7e7f6dd8df88ccfc12b6e059f158c43c6b4a98f548b93
SHA512

a8fc80661d3707458a88001d6d7a5b33d28dbebe07244e86728f9b37a4f86f12e01192292d5444dca129fc39552fc82828b7102c659144d58264966562846c34
SSDEEP

1536:hr3ml2LZmMp0mOZSIqixdOD0F/k/8PY9f:lmkLZwzaDu/k/8Ad

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
31	4944	MSIEXEC.EXE
33	4944	MSIEXEC.EXE

Loads dropped DLL 3 IoCs

pid	Process
4324	MsiExec.exe
4324	MsiExec.exe
4324	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4944	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4944	MSIEXEC.EXE
Token: SeSecurityPrivilege	764	msiexec.exe
Token: SeCreateTokenPrivilege	4944	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4944	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4944	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4944	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4944	MSIEXEC.EXE
Token: SeTcbPrivilege	4944	MSIEXEC.EXE
Token: SeSecurityPrivilege	4944	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4944	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4944	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4944	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4944	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4944	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4944	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4944	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4944	MSIEXEC.EXE
Token: SeBackupPrivilege	4944	MSIEXEC.EXE
Token: SeRestorePrivilege	4944	MSIEXEC.EXE
Token: SeShutdownPrivilege	4944	MSIEXEC.EXE
Token: SeDebugPrivilege	4944	MSIEXEC.EXE
Token: SeAuditPrivilege	4944	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4944	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4944	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4944	MSIEXEC.EXE
Token: SeUndockPrivilege	4944	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4944	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4944	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4944	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4944	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4944	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	4944	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4944	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4944	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4944	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4944	MSIEXEC.EXE
Token: SeTcbPrivilege	4944	MSIEXEC.EXE
Token: SeSecurityPrivilege	4944	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4944	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4944	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4944	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4944	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4944	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4944	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4944	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4944	MSIEXEC.EXE
Token: SeBackupPrivilege	4944	MSIEXEC.EXE
Token: SeRestorePrivilege	4944	MSIEXEC.EXE
Token: SeShutdownPrivilege	4944	MSIEXEC.EXE
Token: SeDebugPrivilege	4944	MSIEXEC.EXE
Token: SeAuditPrivilege	4944	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4944	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4944	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4944	MSIEXEC.EXE
Token: SeUndockPrivilege	4944	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4944	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4944	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4944	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4944	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4944	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	4944	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4944	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4944	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4944	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 3172	1632	Setup.exe	82
PID 1632 wrote to memory of 3172	1632	Setup.exe	82
PID 1632 wrote to memory of 3172	1632	Setup.exe	82
PID 3172 wrote to memory of 4944	3172	setup.exe	89
PID 3172 wrote to memory of 4944	3172	setup.exe	89
PID 764 wrote to memory of 4324	764	msiexec.exe	93
PID 764 wrote to memory of 4324	764	msiexec.exe	93
PID 764 wrote to memory of 4324	764	msiexec.exe	93

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\x64\setup.exe
  C:\Users\Admin\AppData\Local\Temp\x64\setup.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SYSTEM32\MSIEXEC.EXE
    MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{7DD0370F-7BBE-4738-A321-7452E9401344}\CSR Harmony Wireless Software Stack.msi" /l*v C:\Users\Admin\AppData\Local\Temp\HarmonyInstall.log TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{7DD0370F-7BBE-4738-A321-7452E9401344}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\x64" SETUPEXENAME="setup.exe"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6A4702D64F976369D59F195F1E4FA7FE C
  2⤵
  - Loads dropped DLL
  PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI448B.tmp

Filesize
57KB

MD5
e514c184fd59569180f9e29648481f64

SHA1
5d2d29c996974d88ab7ac1db76581c79c77cd3be

SHA256
e886026008391aec859db251fff4c9a55a45c50c227e4063d336835073f25745

SHA512
9f2c1fba7c25c743cc4c7129956db96237d78346d9eff2923b542cb5d692a029046ad1528c70e20a6f86747f74f6a81d6308413fbc4e82a3fed1e941603c9c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI448B.tmp

Filesize
57KB

MD5
e514c184fd59569180f9e29648481f64

SHA1
5d2d29c996974d88ab7ac1db76581c79c77cd3be

SHA256
e886026008391aec859db251fff4c9a55a45c50c227e4063d336835073f25745

SHA512
9f2c1fba7c25c743cc4c7129956db96237d78346d9eff2923b542cb5d692a029046ad1528c70e20a6f86747f74f6a81d6308413fbc4e82a3fed1e941603c9c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4845.tmp

Filesize
217KB

MD5
3add3dd4c56dd060be6e883ad0de2061

SHA1
e3ff0637a89a85668bac5ff9b382679add5c8d0e

SHA256
3bac9baff52ca46a14e0153a44d623a01faed15e2b38a98caa5012ad168efad0

SHA512
bd014a679d539344228af7e3d218621e4a33ba1483d0da2a12ce01db3d6f5fa0e3b748d13aac2d34e1dd31e6975492cc8a92f80a696bb7b6c1be639a10826ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4845.tmp

Filesize
217KB

MD5
3add3dd4c56dd060be6e883ad0de2061

SHA1
e3ff0637a89a85668bac5ff9b382679add5c8d0e

SHA256
3bac9baff52ca46a14e0153a44d623a01faed15e2b38a98caa5012ad168efad0

SHA512
bd014a679d539344228af7e3d218621e4a33ba1483d0da2a12ce01db3d6f5fa0e3b748d13aac2d34e1dd31e6975492cc8a92f80a696bb7b6c1be639a10826ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI48B3.tmp

Filesize
122KB

MD5
2c65cc2f1516e8eed2f01ee5efa60c93

SHA1
fa8ace92bdf6cb522357384b352389d08b0464de

SHA256
1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca

SHA512
f5a55023883795a0c27020ffcf6b4a33c37faefa808e45afbeea1f1b8eb07c4b6a82ef4dfc729d66d8cf93f8f7ffaf3f36e0c7c1cd7cddd76934b23380567f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI48B3.tmp

Filesize
122KB

MD5
2c65cc2f1516e8eed2f01ee5efa60c93

SHA1
fa8ace92bdf6cb522357384b352389d08b0464de

SHA256
1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca

SHA512
f5a55023883795a0c27020ffcf6b4a33c37faefa808e45afbeea1f1b8eb07c4b6a82ef4dfc729d66d8cf93f8f7ffaf3f36e0c7c1cd7cddd76934b23380567f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isA2A.tmp

Filesize
113KB

MD5
b744f334a4db8788a3eeb1430cf48d98

SHA1
3778f36a74afc672b2d85e2caac61f6981b5a9ae

SHA256
e0c3583cda9929efe92454f87365f56177f11de88097261ed60d440fc5a16de2

SHA512
596c086bcaa0ccc0f6d4ae65bf49ff8120650d6c8c7766d265be564520398b9ab29795bba46d6936d036b44166f8e8ee4f4363399299225c494c9e29f28f2358

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isE6CE.tmp

Filesize
1KB

MD5
e01626faabeff47b70e930fcd0791ff5

SHA1
aa9b1a8d083ef961599f354c80aef2c129982b44

SHA256
6ce5d8847e9a41651d8f4305e978aafb4dd20a2a52f9c628c128e578c1200530

SHA512
7ca16f96d320c9f187371a792d37f1ffe11d3bf10ebea7d7c96a384bfc12c67053123f2c337503938a834c1365bb6cbc5bb14cac9f642ee7913e59227ef13803

Download Submit
C:\Users\Admin\AppData\Local\Temp\issFFC9.tmp

Filesize
4.6MB

MD5
fb0656d431c089acbd5b5626b2b1bcaa

SHA1
d37e3e2625ea2fda2895456bf04bef1970cdbf80

SHA256
f86f468c2c6550182199c3803f0d5bef5c15fd728452d3ba4bd7b5d98d6e00c9

SHA512
717b6d93c81ddbfb42451b70f4176cf33bae52f543028e31254d95a510cd065bc157f8442258873294d77e1d0ded07e98fe62f5f7992d92200d4bde06d5fbccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7DD0370F-7BBE-4738-A321-7452E9401344}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7DD0370F-7BBE-4738-A321-7452E9401344}\1033.MST

Filesize
12KB

MD5
37311ee451d72647f076ce88652868a8

SHA1
3dc3706ab2073b415a721562bc26e77683d335a2

SHA256
52a8f9ade9d64b98355618c21a2529946f9ea4b159166fc21d57330c2f06c03e

SHA512
98e0c5154ccd8bb31cdbf8272e71d60d8803af006cb6d18eac9a2861b367615eb268887915cf3a8b622364c0c6dfa3a032dc135e4acec97f1340a9e0701d1250

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7DD0370F-7BBE-4738-A321-7452E9401344}\CSR Harmony Wireless Software Stack.msi

Filesize
168.3MB

MD5
4effb94bbc6324d72ada023104dca829

SHA1
86442ff2b769de5dd3c13efc84ab2df71eb43313

SHA256
1f66c773b4861719a7a4a5cdc8f1d39a54d4546adfa2069a40a606630a1e2d08

SHA512
5b52938df04c6976bbb6bff68fe01dfa4981a5e9d5b7512cf1286cb32cf055c912babf2e0833e650df298bec6838197f252b3ed17540adcd89296b570c454ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7DD0370F-7BBE-4738-A321-7452E9401344}\Setup.INI

Filesize
6KB

MD5
fa48500087e24cdc319bb724e096cbf4

SHA1
c03cfe0936f79c36978b6b90cd60f5b6c2cecb6e

SHA256
19f8a6b784e59ac5be68e80e7591f02341a86d9f1d571d6be62aa1917bf0e023

SHA512
3ba4ca5d0e30342a69f3453a20b7006944c2ba5822caac0a61cc9b864334594104beaa0963b3a75b87ce83903e05a89aefad5069387e75b45601304f282c7250

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7DD0370F-7BBE-4738-A321-7452E9401344}\_ISMSIDEL.INI

Filesize
4KB

MD5
19f4005e6bd87e8e9ad8bd6b56120bf7

SHA1
a1fbd21576c888afae5f937aaf462e8df5d45d80

SHA256
5d0c609b068b4f03a35a48fb6e7da4062c9e40c22534f1228821f74cf48c410e

SHA512
6ca049835a98ca2bb1af274291b314beb9f672513617ac4e5b5cf9a6f17ff77a2242b2d3bc173cfe0a5b875d55752f168493736a75dc2df8c3ba442fb0f4dc21

Download Submit