Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2023, 08:45
Static task: static1
Behavioral task: behavioral1 (Sample: SQLNative2008.msi, Resource: win7-20230712-en)
Behavioral task: behavioral2 (Sample: SQLNative2008.msi, Resource: win10v2004-20230703-en)
General
Target: SQLNative2008.msi
Size: 8.0MB
MD5: 4b52b761a1bd7ca486f61f707f7b34f3
SHA1: 284203c4f06433ff0d7119d6625bd793b43963ce
SHA256: a842f61356caec6ae2ab6642ddf5d927f2e922d812451dd03d2644d3a868c9da
SHA512: cb8b8b8f9a2312eb5036f6c67adf313a879bb9e8dcc615b5b00958e59b1e2c69df37be35ecf1a3e1c00dbf4aed36c44cccaf8879e0c214dd220982035e6fbbac
SSDEEP: 98304:++UzBj93eAJ4WhYXOh2zQHNHb/khZlHdu1DoQyE/NhKop9Lw8E4et1IxYxeRwHdl:+7Bjv4WDQUHN7/kBkFpy2xDsuxYRyO
Note: the file name and hashes on their own do not establish whether this is the Microsoft package it is named after; the report records no Authenticode signature check on the MSI, so that has to be done separately before trusting the sample as a known-good installer.
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  pid   Process
  2816  MsiExec.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)   Process: msiexec.exe
  The 46 rows are 23 distinct drive letters, each opened twice:
  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (C:, D: and F: do not appear in the list. Both msiexec.exe processes, PID 1368 and PID 2804, carry this signature in the process list below.)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1368  msiexec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2804 msiexec.exe (3 rows): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  PID 1368 msiexec.exe (61 rows): SeShutdownPrivilege and SeIncreaseQuotaPrivilege first, then two complete passes over the following 29 privileges, with the listing stopping at 64 rows part-way into a third pass:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  Caveat: these rows record the privileges the process asked to enable, not privileges it gained. AdjustTokenPrivileges can only enable privileges that are already present in the process token, so the list reflects what the installing account already held rather than an elevation.

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  1368  msiexec.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                          pid   Process      procid_target
  PID 2804 wrote to memory of 2816     2804  msiexec.exe  29
  (all 5 rows are this same edge)
  The writer, PID 2804, is the parent of PID 2816 in the process list below; a parent writing into a child it has just spawned is expected during process creation and is not on its own an injection indicator.
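The flattened signature rows above (drive enumeration, token privileges, WriteProcessMemory) are easier to triage once they are deduplicated per process. The following Python is an added example, not tooling from the sandbox or its vendor: it parses a constructed excerpt of rows in the report's own row format into per-process summaries and reports which privileges from an assumed "sensitive" set each PID enabled. The SENSITIVE set, the function names and the sample rows are the example's own choices.

```python
"""Summarise flattened sandbox signature rows per process.

Added example; the regexes target the row layout used in the report above
("File opened (read-only) \\??\\X: image", "Token: <priv> <pid> <image>",
"PID <src> wrote to memory of <dst> <pid> <image> <procid_target>").
"""
import re
from collections import defaultdict

# Constructed excerpt: a handful of rows copied in the report's format,
# not the full 46-row and 64-row tables.
SAMPLE_ROWS = r"""
File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe
Token: SeShutdownPrivilege 1368 msiexec.exe Token: SeIncreaseQuotaPrivilege 1368 msiexec.exe Token: SeRestorePrivilege 2804 msiexec.exe Token: SeDebugPrivilege 1368 msiexec.exe Token: SeShutdownPrivilege 1368 msiexec.exe
PID 2804 wrote to memory of 2816 2804 msiexec.exe 29 PID 2804 wrote to memory of 2816 2804 msiexec.exe 29
"""

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
TOKEN_RE = re.compile(r"Token: (Se\w+) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# Assumed set of privileges worth calling out per PID. Enabling them is routine
# for Windows Installer, so this is a triage aid, not a verdict.
SENSITIVE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}


def drive_roots(rows: str) -> dict[str, list[str]]:
    """Distinct drive letters probed per image (the raw table repeats letters)."""
    seen: dict[str, set[str]] = defaultdict(set)
    for letter, image in DRIVE_RE.findall(rows):
        seen[image].add(letter)
    return {image: sorted(letters) for image, letters in seen.items()}


def privileges(rows: str) -> dict[int, list[str]]:
    """Distinct privileges per PID in first-seen order (the raw table cycles)."""
    by_pid: dict[int, list[str]] = defaultdict(list)
    for priv, pid, _image in TOKEN_RE.findall(rows):
        if priv not in by_pid[int(pid)]:
            by_pid[int(pid)].append(priv)
    return dict(by_pid)


def memory_writes(rows: str) -> set[tuple[int, int, str]]:
    """(source pid, target pid, source image); repeated rows collapse to one edge."""
    return {(int(src), int(dst), image)
            for src, dst, _pid, image, _target in WPM_RE.findall(rows)}


def triage(rows: str) -> dict:
    """One summary dict per report, ready to diff against a known-good run."""
    privs = privileges(rows)
    return {
        "drive_roots": drive_roots(rows),
        "privileges": privs,
        "sensitive_by_pid": {pid: sorted(SENSITIVE & set(p)) for pid, p in privs.items()},
        "memory_writes": sorted(memory_writes(rows)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Run against the full tables, the output collapses the 46 drive rows to 23 letters and the 64 token rows to 29 distinct privileges for PID 1368 and 3 for PID 2804, which is the form worth comparing against a run of a known-good MSI on the same image.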
Processes
1. C:\Windows\system32\msiexec.exe
   Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SQLNative2008.msi
   PID: 1368
   - Enumerates connected drives
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow

1. C:\Windows\system32\msiexec.exe
   Command line: C:\Windows\system32\msiexec.exe /V
   PID: 2804
   - Enumerates connected drives
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\MsiExec.exe
      Command line: C:\Windows\system32\MsiExec.exe -Embedding 7DF186DF57335217766C63171B658189 C
      PID: 2816
      - Loads dropped DLL

This is the standard Windows Installer process tree: the /I client (PID 1368) started from the user's Temp directory, the Windows Installer service (msiexec /V, PID 2804), and a custom action server (MsiExec.exe -Embedding, PID 2816) that the service spawns to run the package's custom actions. Of the three, only PID 2816 loads a dropped DLL, so that DLL is where code carried inside the MSI actually executes and is the artifact to extract and inspect.
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 99KB
MD5: 4a55df5ca74e8d9edfbd12f6d6e23ca9
SHA1: 9eb28f09bf0efd39e155a9612a3b501c4a3df2c7
SHA256: 4a453d4a50f1fc4b969151cf0255335f1cdf17a6d60d48e80d374146e4e06ac4
SHA512: ddee0c178154288ad80d7d1399d33f15d5c23edf9d0a3581f15ef5a42baa65bacc5f61b775ef1dcf6846f80b9d2e6a60dad9ec3bbe52c3175551a2baad543704
(The page lists this same 99KB file twice with identical hashes; the duplicate entry is omitted here.)