2e59a34a4fe7eabafd77610e510fa5169e0820bfdeb4e238e3f3723b1b8ab1d8

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/05/2023, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16d867042d77ced691c495d2c5ae56f9.msi
Size

3.9MB
MD5

16d867042d77ced691c495d2c5ae56f9
SHA1

adaf3d3eafe5d2f7874670408ae11bf0ec0f8f66
SHA256

2e59a34a4fe7eabafd77610e510fa5169e0820bfdeb4e238e3f3723b1b8ab1d8
SHA512

005db9a037750f60d1c5c5f083724dce0c9549849e9e8d8fb1064eee2aa2096154fc85069f5c36f473513e79b2bc19988f5ec879bf52ea9e3db6cc3f5ecfadde
SSDEEP

98304:710kRtFsll9JpVplRNZo5gy3IhQ2sbe0BwL9v0:710UtEl9JpVpPfSX1Kpv

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1520	MsiExec.exe
1520	MsiExec.exe
1520	MsiExec.exe
532	MsiExec.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001231c-73.dat	upx
behavioral1/files/0x000800000001231c-74.dat	upx
behavioral1/memory/532-75-0x0000000072AD0000-0x00000000736BA000-memory.dmp	upx

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c0fe9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1085.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\6c0feb.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A1C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c0fe9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI145E.tmp	msiexec.exe
File created	C:\Windows\Installer\6c0feb.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI19DB.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1672	msiexec.exe
1672	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1344	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1672	msiexec.exe
Token: SeTakeOwnershipPrivilege	1672	msiexec.exe
Token: SeSecurityPrivilege	1672	msiexec.exe
Token: SeCreateTokenPrivilege	1344	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1344	msiexec.exe
Token: SeLockMemoryPrivilege	1344	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1344	msiexec.exe
Token: SeMachineAccountPrivilege	1344	msiexec.exe
Token: SeTcbPrivilege	1344	msiexec.exe
Token: SeSecurityPrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeLoadDriverPrivilege	1344	msiexec.exe
Token: SeSystemProfilePrivilege	1344	msiexec.exe
Token: SeSystemtimePrivilege	1344	msiexec.exe
Token: SeProfSingleProcessPrivilege	1344	msiexec.exe
Token: SeIncBasePriorityPrivilege	1344	msiexec.exe
Token: SeCreatePagefilePrivilege	1344	msiexec.exe
Token: SeCreatePermanentPrivilege	1344	msiexec.exe
Token: SeBackupPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeShutdownPrivilege	1344	msiexec.exe
Token: SeDebugPrivilege	1344	msiexec.exe
Token: SeAuditPrivilege	1344	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1344	msiexec.exe
Token: SeChangeNotifyPrivilege	1344	msiexec.exe
Token: SeRemoteShutdownPrivilege	1344	msiexec.exe
Token: SeUndockPrivilege	1344	msiexec.exe
Token: SeSyncAgentPrivilege	1344	msiexec.exe
Token: SeEnableDelegationPrivilege	1344	msiexec.exe
Token: SeManageVolumePrivilege	1344	msiexec.exe
Token: SeImpersonatePrivilege	1344	msiexec.exe
Token: SeCreateGlobalPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1672	msiexec.exe
Token: SeTakeOwnershipPrivilege	1672	msiexec.exe
Token: SeRestorePrivilege	1672	msiexec.exe
Token: SeTakeOwnershipPrivilege	1672	msiexec.exe
Token: SeRestorePrivilege	1672	msiexec.exe
Token: SeTakeOwnershipPrivilege	1672	msiexec.exe
Token: SeRestorePrivilege	1672	msiexec.exe
Token: SeTakeOwnershipPrivilege	1672	msiexec.exe
Token: SeRestorePrivilege	1672	msiexec.exe
Token: SeTakeOwnershipPrivilege	1672	msiexec.exe
Token: SeRestorePrivilege	1672	msiexec.exe
Token: SeTakeOwnershipPrivilege	1672	msiexec.exe
Token: SeRestorePrivilege	1672	msiexec.exe
Token: SeTakeOwnershipPrivilege	1672	msiexec.exe
Token: SeRestorePrivilege	1672	msiexec.exe
Token: SeTakeOwnershipPrivilege	1672	msiexec.exe
Token: SeRestorePrivilege	1672	msiexec.exe
Token: SeTakeOwnershipPrivilege	1672	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1344	msiexec.exe
1344	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1520	1672	msiexec.exe	29
PID 1672 wrote to memory of 1520	1672	msiexec.exe	29
PID 1672 wrote to memory of 1520	1672	msiexec.exe	29
PID 1672 wrote to memory of 1520	1672	msiexec.exe	29
PID 1672 wrote to memory of 1520	1672	msiexec.exe	29
PID 1672 wrote to memory of 1520	1672	msiexec.exe	29
PID 1672 wrote to memory of 1520	1672	msiexec.exe	29
PID 1672 wrote to memory of 532	1672	msiexec.exe	30
PID 1672 wrote to memory of 532	1672	msiexec.exe	30
PID 1672 wrote to memory of 532	1672	msiexec.exe	30
PID 1672 wrote to memory of 532	1672	msiexec.exe	30
PID 1672 wrote to memory of 532	1672	msiexec.exe	30

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\16d867042d77ced691c495d2c5ae56f9.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1344

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5F2956B6529617F481DB8131465E246E
  2⤵
  - Loads dropped DLL
  PID:1520
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 47B2C4389F2785D02775895167A1A08D
  2⤵
  - Loads dropped DLL
  PID:532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6c0fec.rbs

Filesize
570B

MD5
0cbef04058d9de259a98560928a47a64

SHA1
1930292c66c3a57facb0fc35cde6ab46d4a8b22a

SHA256
d844574986a9aeddec77766ac51e84d948ac34e97a967429ba6d50a4949e76ab

SHA512
01528f5f2c35df9eb16ce07d996cbab97886c7395d7893331a532a1c51e6a40319a641bc98373d73c51ad0ec4b2690ecfb596cf467d8d3eaac9629f362f247ba

Download Submit
C:\Windows\Installer\MSI1085.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI13E0.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI145E.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI145E.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI1A1C.tmp

Filesize
2.8MB

MD5
d22764ab8542c7244cd7a254e8aaedf3

SHA1
7e82749d9b6758d56c46b6dd9e4fcaf0b6419546

SHA256
ffc0260bd2d65cded173f626ae73e9aa1c02084ddfa4349f8876bbe23536d2d6

SHA512
f3935e14c37ceb7d0d0550b0fdd5cd2527d1a94c21bdbfa8d0488d1c081d1074c5a0d9ad25036b89eac1cfdc27780af4c8efe8c708e7f4468a8b7e95926d46b9

Download Submit
\Windows\Installer\MSI1085.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSI13E0.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSI145E.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSI1A1C.tmp

Filesize
2.8MB

MD5
d22764ab8542c7244cd7a254e8aaedf3

SHA1
7e82749d9b6758d56c46b6dd9e4fcaf0b6419546

SHA256
ffc0260bd2d65cded173f626ae73e9aa1c02084ddfa4349f8876bbe23536d2d6

SHA512
f3935e14c37ceb7d0d0550b0fdd5cd2527d1a94c21bdbfa8d0488d1c081d1074c5a0d9ad25036b89eac1cfdc27780af4c8efe8c708e7f4468a8b7e95926d46b9

Download Submit
memory/532-75-0x0000000072AD0000-0x00000000736BA000-memory.dmp

Filesize
11.9MB

Download