1676c13bfdade1612674df394bb54c98fe23587725cd644607e300fa2045db68

Analysis

max time kernel
76s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2023 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ForecastProTRAC.msi
Size

191.8MB
MD5

bc98397c6bd123870fd6160d2cc936b9
SHA1

eea0b42bb9df3fdb394a8d120ab13219b2db9bcd
SHA256

1676c13bfdade1612674df394bb54c98fe23587725cd644607e300fa2045db68
SHA512

957e9a05b40f40f2c63756d0dc6da8aada0ee312230c7c05adb3ff24c4187650117ea1358197ab43f504ebabc80709a4458260833bd7960fa400dede620fc6ab
SSDEEP

3145728:rLkhnhzN3kOwjLw6CYyITL3P6Eo0ViGoiRbmZmoXwarZ5+k5NzwpFD2EpY4i:fynhzOFjLw6V1TOEo0SiR5NyZ5NzwyN

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
13	2808	msiexec.exe
19	2808	msiexec.exe
21	2808	msiexec.exe
27	2808	msiexec.exe

Loads dropped DLL 3 IoCs

pid	Process
4804	MsiExec.exe
4808	MsiExec.exe
4808	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2808	msiexec.exe
Token: SeSecurityPrivilege	1072	msiexec.exe
Token: SeCreateTokenPrivilege	2808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2808	msiexec.exe
Token: SeLockMemoryPrivilege	2808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2808	msiexec.exe
Token: SeMachineAccountPrivilege	2808	msiexec.exe
Token: SeTcbPrivilege	2808	msiexec.exe
Token: SeSecurityPrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeLoadDriverPrivilege	2808	msiexec.exe
Token: SeSystemProfilePrivilege	2808	msiexec.exe
Token: SeSystemtimePrivilege	2808	msiexec.exe
Token: SeProfSingleProcessPrivilege	2808	msiexec.exe
Token: SeIncBasePriorityPrivilege	2808	msiexec.exe
Token: SeCreatePagefilePrivilege	2808	msiexec.exe
Token: SeCreatePermanentPrivilege	2808	msiexec.exe
Token: SeBackupPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeShutdownPrivilege	2808	msiexec.exe
Token: SeDebugPrivilege	2808	msiexec.exe
Token: SeAuditPrivilege	2808	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2808	msiexec.exe
Token: SeChangeNotifyPrivilege	2808	msiexec.exe
Token: SeRemoteShutdownPrivilege	2808	msiexec.exe
Token: SeUndockPrivilege	2808	msiexec.exe
Token: SeSyncAgentPrivilege	2808	msiexec.exe
Token: SeEnableDelegationPrivilege	2808	msiexec.exe
Token: SeManageVolumePrivilege	2808	msiexec.exe
Token: SeImpersonatePrivilege	2808	msiexec.exe
Token: SeCreateGlobalPrivilege	2808	msiexec.exe
Token: SeCreateTokenPrivilege	2808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2808	msiexec.exe
Token: SeLockMemoryPrivilege	2808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2808	msiexec.exe
Token: SeMachineAccountPrivilege	2808	msiexec.exe
Token: SeTcbPrivilege	2808	msiexec.exe
Token: SeSecurityPrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeLoadDriverPrivilege	2808	msiexec.exe
Token: SeSystemProfilePrivilege	2808	msiexec.exe
Token: SeSystemtimePrivilege	2808	msiexec.exe
Token: SeProfSingleProcessPrivilege	2808	msiexec.exe
Token: SeIncBasePriorityPrivilege	2808	msiexec.exe
Token: SeCreatePagefilePrivilege	2808	msiexec.exe
Token: SeCreatePermanentPrivilege	2808	msiexec.exe
Token: SeBackupPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeShutdownPrivilege	2808	msiexec.exe
Token: SeDebugPrivilege	2808	msiexec.exe
Token: SeAuditPrivilege	2808	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2808	msiexec.exe
Token: SeChangeNotifyPrivilege	2808	msiexec.exe
Token: SeRemoteShutdownPrivilege	2808	msiexec.exe
Token: SeUndockPrivilege	2808	msiexec.exe
Token: SeSyncAgentPrivilege	2808	msiexec.exe
Token: SeEnableDelegationPrivilege	2808	msiexec.exe
Token: SeManageVolumePrivilege	2808	msiexec.exe
Token: SeImpersonatePrivilege	2808	msiexec.exe
Token: SeCreateGlobalPrivilege	2808	msiexec.exe
Token: SeCreateTokenPrivilege	2808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2808	msiexec.exe
Token: SeLockMemoryPrivilege	2808	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2808	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 4804	1072	msiexec.exe	88
PID 1072 wrote to memory of 4804	1072	msiexec.exe	88
PID 1072 wrote to memory of 4804	1072	msiexec.exe	88
PID 1072 wrote to memory of 4808	1072	msiexec.exe	97
PID 1072 wrote to memory of 4808	1072	msiexec.exe	97

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ForecastProTRAC.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6B43FBA77238D5F83FDD3E1ED3374668 C
  2⤵
  - Loads dropped DLL
  PID:4804
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 3EE2E0C9C53959248ABDC63FABC03C1D C
  2⤵
  - Loads dropped DLL
  PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI9242.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9242.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICC7D.tmp

Filesize
144KB

MD5
44d6a166b2aa7a18b0902b4d20170e0c

SHA1
ae41a4cd42d2e68c59e964a200fd0f5c0997b0c1

SHA256
09bb75755b982fa916bf0aef3dbd5b6351f4ae67c45c59bef5533c87de2d4e47

SHA512
64ad13f24261f53d6fa836b6b8bea15d97bd35b2b772f7a1cd6f66fcf628361579441512d72bab15a24df34395a0c655510067a45146b105cbb8c6f60d055934

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICC7D.tmp

Filesize
144KB

MD5
44d6a166b2aa7a18b0902b4d20170e0c

SHA1
ae41a4cd42d2e68c59e964a200fd0f5c0997b0c1

SHA256
09bb75755b982fa916bf0aef3dbd5b6351f4ae67c45c59bef5533c87de2d4e47

SHA512
64ad13f24261f53d6fa836b6b8bea15d97bd35b2b772f7a1cd6f66fcf628361579441512d72bab15a24df34395a0c655510067a45146b105cbb8c6f60d055934

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEF58.tmp

Filesize
144KB

MD5
44d6a166b2aa7a18b0902b4d20170e0c

SHA1
ae41a4cd42d2e68c59e964a200fd0f5c0997b0c1

SHA256
09bb75755b982fa916bf0aef3dbd5b6351f4ae67c45c59bef5533c87de2d4e47

SHA512
64ad13f24261f53d6fa836b6b8bea15d97bd35b2b772f7a1cd6f66fcf628361579441512d72bab15a24df34395a0c655510067a45146b105cbb8c6f60d055934

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEF58.tmp

Filesize
144KB

MD5
44d6a166b2aa7a18b0902b4d20170e0c

SHA1
ae41a4cd42d2e68c59e964a200fd0f5c0997b0c1

SHA256
09bb75755b982fa916bf0aef3dbd5b6351f4ae67c45c59bef5533c87de2d4e47

SHA512
64ad13f24261f53d6fa836b6b8bea15d97bd35b2b772f7a1cd6f66fcf628361579441512d72bab15a24df34395a0c655510067a45146b105cbb8c6f60d055934

Download Submit