Analysis

max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2023 03:43

Static task: static1

Behavioral task: behavioral1
  Sample: 00f1RT50167S56T0rTI4c2.msi
  Resource: win7-20230703-en

Behavioral task: behavioral2
  Sample: 00f1RT50167S56T0rTI4c2.msi
  Resource: win10v2004-20230703-en
General

Target: 00f1RT50167S56T0rTI4c2.msi
Size: 7.3MB
MD5: 9c03935079502fd8e9cdeb9c4ad4d332
SHA1: 84cbd726276cb692c0eaeef75238db3fb7d16554
SHA256: b40e0825b374d997e63a0544cabe0b318931eefbf681e1f51a2671a8394f86db
SHA512: bcf526c7ba6844218f1c48d5152d1934176a6af42d8605b6175f1e27ce7e4a0e207b2ab4d98282bf5522c86b065bef519d78fac4b0f58495de6011404dcd2341
SSDEEP: 196608:33ffvMQqki+YMyfNRl0XWZbOmzAgZeNfvGtHZAFxfTC:33ffvMgiFFl0XcbtMgZ8CCFM
Malware Config

Signatures

Blocklisted process makes network request (56 IoCs)
Loads dropped DLL (7 IoCs)

pid   Process
4288  MsiExec.exe
4288  MsiExec.exe
4288  MsiExec.exe
4288  MsiExec.exe
4288  MsiExec.exe
4288  MsiExec.exe
4288  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

description              ioc     Process
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
Looks up external IP address via web service (2 IoCs)

Uses a legitimate IP lookup service to find the infected system's external IP.

flow  ioc
30    ipinfo.io
31    ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)

pid   Process
4288  MsiExec.exe
4288  MsiExec.exe
Drops file in Windows directory (13 IoCs)

description                   ioc                                                                     Process
File created                  C:\Windows\Installer\e576d7f.msi                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSI714B.tmp                                        msiexec.exe
File created                  C:\Windows\Installer\SourceHash{AC72E8C6-41B2-4419-B471-CE193B15B7D0}   msiexec.exe
File opened for modification  C:\Windows\Installer\MSI73BF.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\e576d7f.msi                                        msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                msiexec.exe
File opened for modification  C:\Windows\Installer\MSI6E0C.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSI706E.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSI712B.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSI7265.tmp                                        msiexec.exe
File opened for modification  C:\Windows\Installer\                                                   msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                          msiexec.exe
File opened for modification  C:\Windows\Installer\MSI738F.tmp                                        msiexec.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)

pid   Process
2864  msiexec.exe
2864  msiexec.exe
4288  MsiExec.exe
4288  MsiExec.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)

description                           pid   Process
Token: SeShutdownPrivilege            4728  msiexec.exe
Token: SeIncreaseQuotaPrivilege       4728  msiexec.exe
Token: SeSecurityPrivilege            2864  msiexec.exe
Token: SeCreateTokenPrivilege         4728  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  4728  msiexec.exe
Token: SeLockMemoryPrivilege          4728  msiexec.exe
Token: SeIncreaseQuotaPrivilege       4728  msiexec.exe
Token: SeMachineAccountPrivilege      4728  msiexec.exe
Token: SeTcbPrivilege                 4728  msiexec.exe
Token: SeSecurityPrivilege            4728  msiexec.exe
Token: SeTakeOwnershipPrivilege       4728  msiexec.exe
Token: SeLoadDriverPrivilege          4728  msiexec.exe
Token: SeSystemProfilePrivilege       4728  msiexec.exe
Token: SeSystemtimePrivilege          4728  msiexec.exe
Token: SeProfSingleProcessPrivilege   4728  msiexec.exe
Token: SeIncBasePriorityPrivilege     4728  msiexec.exe
Token: SeCreatePagefilePrivilege      4728  msiexec.exe
Token: SeCreatePermanentPrivilege     4728  msiexec.exe
Token: SeBackupPrivilege              4728  msiexec.exe
Token: SeRestorePrivilege             4728  msiexec.exe
Token: SeShutdownPrivilege            4728  msiexec.exe
Token: SeDebugPrivilege               4728  msiexec.exe
Token: SeAuditPrivilege               4728  msiexec.exe
Token: SeSystemEnvironmentPrivilege   4728  msiexec.exe
Token: SeChangeNotifyPrivilege        4728  msiexec.exe
Token: SeRemoteShutdownPrivilege      4728  msiexec.exe
Token: SeUndockPrivilege              4728  msiexec.exe
Token: SeSyncAgentPrivilege           4728  msiexec.exe
Token: SeEnableDelegationPrivilege    4728  msiexec.exe
Token: SeManageVolumePrivilege        4728  msiexec.exe
Token: SeImpersonatePrivilege         4728  msiexec.exe
Token: SeCreateGlobalPrivilege        4728  msiexec.exe
Token: SeRestorePrivilege             2864  msiexec.exe
Token: SeTakeOwnershipPrivilege       2864  msiexec.exe
Token: SeRestorePrivilege             2864  msiexec.exe
Token: SeTakeOwnershipPrivilege       2864  msiexec.exe
Token: SeRestorePrivilege             2864  msiexec.exe
Token: SeTakeOwnershipPrivilege       2864  msiexec.exe
Token: SeRestorePrivilege             2864  msiexec.exe
Token: SeTakeOwnershipPrivilege       2864  msiexec.exe
Token: SeRestorePrivilege             2864  msiexec.exe
Token: SeTakeOwnershipPrivilege       2864  msiexec.exe
Token: SeRestorePrivilege             2864  msiexec.exe
Token: SeTakeOwnershipPrivilege       2864  msiexec.exe
Token: SeRestorePrivilege             2864  msiexec.exe
Token: SeTakeOwnershipPrivilege       2864  msiexec.exe
Token: SeRestorePrivilege             2864  msiexec.exe
Token: SeTakeOwnershipPrivilege       2864  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)

pid   Process
4728  msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)

description                        pid   Process      procid_target
PID 2864 wrote to memory of 4288   2864  msiexec.exe  87
PID 2864 wrote to memory of 4288   2864  msiexec.exe  87
PID 2864 wrote to memory of 4288   2864  msiexec.exe  87
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\00f1RT50167S56T0rTI4c2.msi
  PID: 4728
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2864
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child process:
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 14E7F20A068663F2F89F9819DB20615A
    PID: 4288
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 376KB
MD5: e12c5bcc254c953b1a46d1434804f4d2
SHA1: 99f67acf34af1294f3c6e5eb521c862e1c772397
SHA256: 5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
SHA512: 9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b
Filesize: 860KB
MD5: 71b541254864bd52f85e932e2040cbe8
SHA1: 713766e1818f8d7ca814c86109c9cdd5d57914ef
SHA256: b29ab4744ff6c8c9c440e878abf6f76255c538e71564e6a6279513b543be0538
SHA512: 4d2e0a30fd6729eb40fad358795db152327b0441da574052a371762f33c9f9e7b9a77c4a4762207bcb401a2d3ef6438730c245916f4a81cd20f748857d5170d2
Filesize: 5.9MB
MD5: 21a1b3e23c9d647da31b974c8bfdb01f
SHA1: b3ba524d31555cca0bc0df2d277c2310a5bb0ab5
SHA256: 33448acd722b1eda62865788fdc0272eb794dd7f11b9fb6c7926b97d13808f66
SHA512: 0af3e2ba774aa421667a3f4b19e79c8f0312c3873136d11faea9fb1d69212a155f5a39827ba91d1feeca376fde048c20efbcfc4dec61c3cda1ed360c61cf6578