6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6

Analysis

max time kernel
137s
max time network
107s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-06-2023 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsInstallerDirPatchCleaner_1.4.2.0.exe
Size

1.3MB
MD5

70d0bd7633d10c492839272c97b2544e
SHA1

4da0e8c2fe1f06b13985d700fe15686a1015c3bb
SHA256

6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6
SHA512

99d43ed2060eb6371a54f73af407fe4cc7644a93e5f856419ad0cb8769b2664139cb9097ff4be4b8dbb93f2c5da4fc90bc48eeac6fe0b3df5f8bc12428b5b5b2
SSDEEP

24576:91OYdaPtyx5f3bpaOZpBr8Mok3CwAvCJYNsO7z7YHgEzmvDjvANu29N:91Os1gOpBrRokSwAqJY73Sz2Qv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

2028 setup.exe
Loads dropped DLL 5 IoCs

Processes:

WindowsInstallerDirPatchCleaner_1.4.2.0.exesetup.exeMsiExec.exe

pid process

1780 WindowsInstallerDirPatchCleaner_1.4.2.0.exe
2028 setup.exe
2028 setup.exe
640 MsiExec.exe
640 MsiExec.exe

pid	process
2028	setup.exe

pid	process
1780	WindowsInstallerDirPatchCleaner_1.4.2.0.exe
2028	setup.exe
2028	setup.exe
640	MsiExec.exe
640	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msiexec.exe

pid process

584 msiexec.exe

pid	process
584	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	584	msiexec.exe
Token: SeIncreaseQuotaPrivilege	584	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeSecurityPrivilege	1996	msiexec.exe
Token: SeCreateTokenPrivilege	584	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	584	msiexec.exe
Token: SeLockMemoryPrivilege	584	msiexec.exe
Token: SeIncreaseQuotaPrivilege	584	msiexec.exe
Token: SeMachineAccountPrivilege	584	msiexec.exe
Token: SeTcbPrivilege	584	msiexec.exe
Token: SeSecurityPrivilege	584	msiexec.exe
Token: SeTakeOwnershipPrivilege	584	msiexec.exe
Token: SeLoadDriverPrivilege	584	msiexec.exe
Token: SeSystemProfilePrivilege	584	msiexec.exe
Token: SeSystemtimePrivilege	584	msiexec.exe
Token: SeProfSingleProcessPrivilege	584	msiexec.exe
Token: SeIncBasePriorityPrivilege	584	msiexec.exe
Token: SeCreatePagefilePrivilege	584	msiexec.exe
Token: SeCreatePermanentPrivilege	584	msiexec.exe
Token: SeBackupPrivilege	584	msiexec.exe
Token: SeRestorePrivilege	584	msiexec.exe
Token: SeShutdownPrivilege	584	msiexec.exe
Token: SeDebugPrivilege	584	msiexec.exe
Token: SeAuditPrivilege	584	msiexec.exe
Token: SeSystemEnvironmentPrivilege	584	msiexec.exe
Token: SeChangeNotifyPrivilege	584	msiexec.exe
Token: SeRemoteShutdownPrivilege	584	msiexec.exe
Token: SeUndockPrivilege	584	msiexec.exe
Token: SeSyncAgentPrivilege	584	msiexec.exe
Token: SeEnableDelegationPrivilege	584	msiexec.exe
Token: SeManageVolumePrivilege	584	msiexec.exe
Token: SeImpersonatePrivilege	584	msiexec.exe
Token: SeCreateGlobalPrivilege	584	msiexec.exe
Token: SeCreateTokenPrivilege	584	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	584	msiexec.exe
Token: SeLockMemoryPrivilege	584	msiexec.exe
Token: SeIncreaseQuotaPrivilege	584	msiexec.exe
Token: SeMachineAccountPrivilege	584	msiexec.exe
Token: SeTcbPrivilege	584	msiexec.exe
Token: SeSecurityPrivilege	584	msiexec.exe
Token: SeTakeOwnershipPrivilege	584	msiexec.exe
Token: SeLoadDriverPrivilege	584	msiexec.exe
Token: SeSystemProfilePrivilege	584	msiexec.exe
Token: SeSystemtimePrivilege	584	msiexec.exe
Token: SeProfSingleProcessPrivilege	584	msiexec.exe
Token: SeIncBasePriorityPrivilege	584	msiexec.exe
Token: SeCreatePagefilePrivilege	584	msiexec.exe
Token: SeCreatePermanentPrivilege	584	msiexec.exe
Token: SeBackupPrivilege	584	msiexec.exe
Token: SeRestorePrivilege	584	msiexec.exe
Token: SeShutdownPrivilege	584	msiexec.exe
Token: SeDebugPrivilege	584	msiexec.exe
Token: SeAuditPrivilege	584	msiexec.exe
Token: SeSystemEnvironmentPrivilege	584	msiexec.exe
Token: SeChangeNotifyPrivilege	584	msiexec.exe
Token: SeRemoteShutdownPrivilege	584	msiexec.exe
Token: SeUndockPrivilege	584	msiexec.exe
Token: SeSyncAgentPrivilege	584	msiexec.exe
Token: SeEnableDelegationPrivilege	584	msiexec.exe
Token: SeManageVolumePrivilege	584	msiexec.exe
Token: SeImpersonatePrivilege	584	msiexec.exe
Token: SeCreateGlobalPrivilege	584	msiexec.exe
Token: SeCreateTokenPrivilege	584	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

584 msiexec.exe

pid	process
584	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WindowsInstallerDirPatchCleaner_1.4.2.0.exesetup.exemsiexec.exe

description	pid	process	target process
PID 1780 wrote to memory of 2028	1780	WindowsInstallerDirPatchCleaner_1.4.2.0.exe	setup.exe
PID 1780 wrote to memory of 2028	1780	WindowsInstallerDirPatchCleaner_1.4.2.0.exe	setup.exe
PID 1780 wrote to memory of 2028	1780	WindowsInstallerDirPatchCleaner_1.4.2.0.exe	setup.exe
PID 1780 wrote to memory of 2028	1780	WindowsInstallerDirPatchCleaner_1.4.2.0.exe	setup.exe
PID 1780 wrote to memory of 2028	1780	WindowsInstallerDirPatchCleaner_1.4.2.0.exe	setup.exe
PID 1780 wrote to memory of 2028	1780	WindowsInstallerDirPatchCleaner_1.4.2.0.exe	setup.exe
PID 1780 wrote to memory of 2028	1780	WindowsInstallerDirPatchCleaner_1.4.2.0.exe	setup.exe
PID 2028 wrote to memory of 584	2028	setup.exe	msiexec.exe
PID 2028 wrote to memory of 584	2028	setup.exe	msiexec.exe
PID 2028 wrote to memory of 584	2028	setup.exe	msiexec.exe
PID 2028 wrote to memory of 584	2028	setup.exe	msiexec.exe
PID 2028 wrote to memory of 584	2028	setup.exe	msiexec.exe
PID 2028 wrote to memory of 584	2028	setup.exe	msiexec.exe
PID 2028 wrote to memory of 584	2028	setup.exe	msiexec.exe
PID 1996 wrote to memory of 640	1996	msiexec.exe	MsiExec.exe
PID 1996 wrote to memory of 640	1996	msiexec.exe	MsiExec.exe
PID 1996 wrote to memory of 640	1996	msiexec.exe	MsiExec.exe
PID 1996 wrote to memory of 640	1996	msiexec.exe	MsiExec.exe
PID 1996 wrote to memory of 640	1996	msiexec.exe	MsiExec.exe
PID 1996 wrote to memory of 640	1996	msiexec.exe	MsiExec.exe
PID 1996 wrote to memory of 640	1996	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\WindowsInstallerDirPatchCleaner_1.4.2.0.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsInstallerDirPatchCleaner_1.4.2.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\7zS8C2A.tmp\setup.exe
  .\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\7zS8C2A.tmp\PatchCleaner.msi"
    3⤵
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:584

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 47B638E9BBDB5E32F1175EDCFCF36EF8 C
  2⤵
  - Loads dropped DLL
  PID:640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8C2A.tmp\PatchCleaner.msi

Filesize
2.0MB

MD5
ca19dc264e480db621d11429e08ca62b

SHA1
732fa43146301e30c7dfbb700081691ddb4e28c7

SHA256
c43f57c1aff7a3571fb89a6467247417bdf5b5ae2cd3ab60ce444490bc4df164

SHA512
af419f36fa581d6fb1cbfb6f598283c1a9a4e3315e19d227cb4806e3de7b929b400913ca3f09e5c3c58646907b363ebf2cf282610d54ac507a3d66eaf71b1a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C2A.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C2A.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI98BA.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI99F3.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8C2A.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8C2A.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8C2A.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
\Users\Admin\AppData\Local\Temp\MSI98BA.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
\Users\Admin\AppData\Local\Temp\MSI99F3.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit