Analysis
  max time kernel: 140s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 01/06/2023, 06:06
Static task
  static1
Behavioral task
  behavioral1
    Sample: 5c3c4dea886a802441f51fc087162f842317405a0c096fc10e4dfc884e0ded61.msi
    Resource: win7-20230220-en
Behavioral task
  behavioral2
    Sample: 5c3c4dea886a802441f51fc087162f842317405a0c096fc10e4dfc884e0ded61.msi
    Resource: win10v2004-20230220-en
General
  Target: 5c3c4dea886a802441f51fc087162f842317405a0c096fc10e4dfc884e0ded61.msi
  Size: 8.1MB
  MD5: b9fa8b12507f0ea84e5127c63241a6d5
  SHA1: 1779ef84c670bd9f693c69f210e5c5f02b45466d
  SHA256: 5c3c4dea886a802441f51fc087162f842317405a0c096fc10e4dfc884e0ded61
  SHA512: d6734705b20a1b37fc0fc351df936ef466024ee9e7677526efe1d841de9297232ebcda972664d31f23987d41d8b66e7bb9b193cb99e15ef33914a49ec96b6505
  SSDEEP: 98304:f7mwfu3+HPHY1hL+9KwMUplRPRfCervzxCDsvA/MPH85N:f7osA1jhSPrvzs4N
Malware Config
Signatures
-
Loads dropped DLL (7 IoCs)
  pid   Process
  1504  MsiExec.exe  (7 occurrences)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description                 ioc        Process
  File opened (read-only)     \??\A: to \??\Z:, every drive letter except C: and D: (24 letters), each opened twice   msiexec.exe
  Drive letters seen: A B E F G H I J K L M N O P Q R S T U V W X Y Z
Drops file in Windows directory (13 IoCs)
  description                   ioc                                                                       Process
  File opened for modification  C:\Windows\Installer\MSI8EF6.tmp                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI91D6.tmp                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI940B.tmp                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                     msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                            msiexec.exe
  File created                  C:\Windows\Installer\e568ded.msi                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\e568ded.msi                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI936E.tmp                                          msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{503450DE-680B-4826-91BB-E0C0899D52CB}    msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9545.tmp                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9575.tmp                                          msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI92D1.tmp                                          msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1884  msiexec.exe  (2 occurrences)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 4680 msiexec.exe (31 token adjustments, in the order reported):
    SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege,
    SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege,
    SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege,
    SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege,
    SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege,
    SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege,
    SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 1884 msiexec.exe (17 token adjustments):
    SeSecurityPrivilege (once, reported between the first two PID 4680 entries);
    SeRestorePrivilege and SeTakeOwnershipPrivilege, alternating, 8 times each
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  4680  msiexec.exe  (2 occurrences)
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process      procid_target
  PID 1884 wrote to memory of 1504   1884  msiexec.exe  86
  PID 1884 wrote to memory of 1504   1884  msiexec.exe  86
  PID 1884 wrote to memory of 1504   1884  msiexec.exe  86
Processes
  C:\Windows\system32\msiexec.exe (PID 4680), level 1
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5c3c4dea886a802441f51fc087162f842317405a0c096fc10e4dfc884e0ded61.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  C:\Windows\system32\msiexec.exe (PID 1884), level 1
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe (PID 1504), level 2, under PID 1884
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DDB1A9DB214F474336B7293F47EFF7AA
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads (14 entries; 3 distinct files by hash)

File 1 (listed 9 times)
  Filesize: 557KB
  MD5: e1423fc5ddaedc0152a09f4796243e31
  SHA1: c92cec1fb6093d6922fe64719e583048fca12153
  SHA256: 3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de
  SHA512: fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

File 2 (listed 2 times)
  Filesize: 1.0MB
  MD5: 5566149fc623f29d55ca72018369c780
  SHA1: 8ae947ab0ae9182f1c09bd266ff360c0e8b88326
  SHA256: a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608
  SHA512: f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

File 3 (listed 3 times)
  Filesize: 5.4MB
  MD5: 2e3366709a91e8c6f35c1bef246b188a
  SHA1: 5dd43004b0d644d48f03c001d02acf0b7dafa0d9
  SHA256: 2fe720c6e5338ec44e47ec9ff62f08bf4fb3b386288d3c16c43b96d05b19dd88
  SHA512: 5327747be3882f39a2ca9e340f8651986d379741623cdc3c5547a2cdf8d29e6cb8dc1bf6030cbb905971184fc6da9adaa4bf000803a45752d62c01f24bfc3d7b