bc0a0f0534531621033939cbd043a6bcf1d38c193cfd5ea42344abdf0dfab574

Analysis

max time kernel
160s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2023, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zamok Loader-15.0.93.msi
Size

2.3MB
MD5

9c61d1a4c4f1c33842317bfedbac1554
SHA1

a507708a7a4bb1a070e865336bbb39d2bf837000
SHA256

bc0a0f0534531621033939cbd043a6bcf1d38c193cfd5ea42344abdf0dfab574
SHA512

99293b425fc1d34340b648589beff325817404648200ddb499a0c178208912cdf69ed9222b6eba42a503941e6fb0d20eff7bf48e8eb5d7d7474e3f0c09785724
SSDEEP

49152:i13Y06w1MmjLRdJ7bQYbsrAqyX4ebpuyrOC9rR8Gm3DR2wqL/5cchojH2VACP4AI:i51McLRP3ssqypbpHOC9rR8GmowqL/5

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe
1728	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3808	msiexec.exe
Token: SeSecurityPrivilege	3880	msiexec.exe
Token: SeCreateTokenPrivilege	3808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3808	msiexec.exe
Token: SeLockMemoryPrivilege	3808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3808	msiexec.exe
Token: SeMachineAccountPrivilege	3808	msiexec.exe
Token: SeTcbPrivilege	3808	msiexec.exe
Token: SeSecurityPrivilege	3808	msiexec.exe
Token: SeTakeOwnershipPrivilege	3808	msiexec.exe
Token: SeLoadDriverPrivilege	3808	msiexec.exe
Token: SeSystemProfilePrivilege	3808	msiexec.exe
Token: SeSystemtimePrivilege	3808	msiexec.exe
Token: SeProfSingleProcessPrivilege	3808	msiexec.exe
Token: SeIncBasePriorityPrivilege	3808	msiexec.exe
Token: SeCreatePagefilePrivilege	3808	msiexec.exe
Token: SeCreatePermanentPrivilege	3808	msiexec.exe
Token: SeBackupPrivilege	3808	msiexec.exe
Token: SeRestorePrivilege	3808	msiexec.exe
Token: SeShutdownPrivilege	3808	msiexec.exe
Token: SeDebugPrivilege	3808	msiexec.exe
Token: SeAuditPrivilege	3808	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3808	msiexec.exe
Token: SeChangeNotifyPrivilege	3808	msiexec.exe
Token: SeRemoteShutdownPrivilege	3808	msiexec.exe
Token: SeUndockPrivilege	3808	msiexec.exe
Token: SeSyncAgentPrivilege	3808	msiexec.exe
Token: SeEnableDelegationPrivilege	3808	msiexec.exe
Token: SeManageVolumePrivilege	3808	msiexec.exe
Token: SeImpersonatePrivilege	3808	msiexec.exe
Token: SeCreateGlobalPrivilege	3808	msiexec.exe
Token: SeCreateTokenPrivilege	3808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3808	msiexec.exe
Token: SeLockMemoryPrivilege	3808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3808	msiexec.exe
Token: SeMachineAccountPrivilege	3808	msiexec.exe
Token: SeTcbPrivilege	3808	msiexec.exe
Token: SeSecurityPrivilege	3808	msiexec.exe
Token: SeTakeOwnershipPrivilege	3808	msiexec.exe
Token: SeLoadDriverPrivilege	3808	msiexec.exe
Token: SeSystemProfilePrivilege	3808	msiexec.exe
Token: SeSystemtimePrivilege	3808	msiexec.exe
Token: SeProfSingleProcessPrivilege	3808	msiexec.exe
Token: SeIncBasePriorityPrivilege	3808	msiexec.exe
Token: SeCreatePagefilePrivilege	3808	msiexec.exe
Token: SeCreatePermanentPrivilege	3808	msiexec.exe
Token: SeBackupPrivilege	3808	msiexec.exe
Token: SeRestorePrivilege	3808	msiexec.exe
Token: SeShutdownPrivilege	3808	msiexec.exe
Token: SeDebugPrivilege	3808	msiexec.exe
Token: SeAuditPrivilege	3808	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3808	msiexec.exe
Token: SeChangeNotifyPrivilege	3808	msiexec.exe
Token: SeRemoteShutdownPrivilege	3808	msiexec.exe
Token: SeUndockPrivilege	3808	msiexec.exe
Token: SeSyncAgentPrivilege	3808	msiexec.exe
Token: SeEnableDelegationPrivilege	3808	msiexec.exe
Token: SeManageVolumePrivilege	3808	msiexec.exe
Token: SeImpersonatePrivilege	3808	msiexec.exe
Token: SeCreateGlobalPrivilege	3808	msiexec.exe
Token: SeCreateTokenPrivilege	3808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3808	msiexec.exe
Token: SeLockMemoryPrivilege	3808	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3808	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 1728	3880	msiexec.exe	87
PID 3880 wrote to memory of 1728	3880	msiexec.exe	87
PID 3880 wrote to memory of 1728	3880	msiexec.exe	87

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Zamok Loader-15.0.93.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 12267F31C321EFA8F683ADD73BE7CD1C C
  2⤵
  - Loads dropped DLL
  PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSICF56.tmp

Filesize
79KB

MD5
c3605f0934c6a4af3800df280094046d

SHA1
d5df56a7b6a96bbad6ebe57d63149b117d5ad6d9

SHA256
1a8d5d34c714fe9c5afcbfd5433ac3c475d302a63361d13977d408c85f9ffa3a

SHA512
a4491125f28500cf2f5461eaa6f27c8f07878f30c61ceae98e135b257ac27a6c40fd8b41c3b7463b44fe90ce2b74c7843a57a88afbedd8296cc21cc1e1634bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICF56.tmp

Filesize
79KB

MD5
c3605f0934c6a4af3800df280094046d

SHA1
d5df56a7b6a96bbad6ebe57d63149b117d5ad6d9

SHA256
1a8d5d34c714fe9c5afcbfd5433ac3c475d302a63361d13977d408c85f9ffa3a

SHA512
a4491125f28500cf2f5461eaa6f27c8f07878f30c61ceae98e135b257ac27a6c40fd8b41c3b7463b44fe90ce2b74c7843a57a88afbedd8296cc21cc1e1634bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID9C7.tmp

Filesize
79KB

MD5
c3605f0934c6a4af3800df280094046d

SHA1
d5df56a7b6a96bbad6ebe57d63149b117d5ad6d9

SHA256
1a8d5d34c714fe9c5afcbfd5433ac3c475d302a63361d13977d408c85f9ffa3a

SHA512
a4491125f28500cf2f5461eaa6f27c8f07878f30c61ceae98e135b257ac27a6c40fd8b41c3b7463b44fe90ce2b74c7843a57a88afbedd8296cc21cc1e1634bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID9C7.tmp

Filesize
79KB

MD5
c3605f0934c6a4af3800df280094046d

SHA1
d5df56a7b6a96bbad6ebe57d63149b117d5ad6d9

SHA256
1a8d5d34c714fe9c5afcbfd5433ac3c475d302a63361d13977d408c85f9ffa3a

SHA512
a4491125f28500cf2f5461eaa6f27c8f07878f30c61ceae98e135b257ac27a6c40fd8b41c3b7463b44fe90ce2b74c7843a57a88afbedd8296cc21cc1e1634bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDA45.tmp

Filesize
79KB

MD5
c3605f0934c6a4af3800df280094046d

SHA1
d5df56a7b6a96bbad6ebe57d63149b117d5ad6d9

SHA256
1a8d5d34c714fe9c5afcbfd5433ac3c475d302a63361d13977d408c85f9ffa3a

SHA512
a4491125f28500cf2f5461eaa6f27c8f07878f30c61ceae98e135b257ac27a6c40fd8b41c3b7463b44fe90ce2b74c7843a57a88afbedd8296cc21cc1e1634bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDA45.tmp

Filesize
79KB

MD5
c3605f0934c6a4af3800df280094046d

SHA1
d5df56a7b6a96bbad6ebe57d63149b117d5ad6d9

SHA256
1a8d5d34c714fe9c5afcbfd5433ac3c475d302a63361d13977d408c85f9ffa3a

SHA512
a4491125f28500cf2f5461eaa6f27c8f07878f30c61ceae98e135b257ac27a6c40fd8b41c3b7463b44fe90ce2b74c7843a57a88afbedd8296cc21cc1e1634bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDA45.tmp

Filesize
79KB

MD5
c3605f0934c6a4af3800df280094046d

SHA1
d5df56a7b6a96bbad6ebe57d63149b117d5ad6d9

SHA256
1a8d5d34c714fe9c5afcbfd5433ac3c475d302a63361d13977d408c85f9ffa3a

SHA512
a4491125f28500cf2f5461eaa6f27c8f07878f30c61ceae98e135b257ac27a6c40fd8b41c3b7463b44fe90ce2b74c7843a57a88afbedd8296cc21cc1e1634bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDA94.tmp

Filesize
79KB

MD5
c3605f0934c6a4af3800df280094046d

SHA1
d5df56a7b6a96bbad6ebe57d63149b117d5ad6d9

SHA256
1a8d5d34c714fe9c5afcbfd5433ac3c475d302a63361d13977d408c85f9ffa3a

SHA512
a4491125f28500cf2f5461eaa6f27c8f07878f30c61ceae98e135b257ac27a6c40fd8b41c3b7463b44fe90ce2b74c7843a57a88afbedd8296cc21cc1e1634bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDA94.tmp

Filesize
79KB

MD5
c3605f0934c6a4af3800df280094046d

SHA1
d5df56a7b6a96bbad6ebe57d63149b117d5ad6d9

SHA256
1a8d5d34c714fe9c5afcbfd5433ac3c475d302a63361d13977d408c85f9ffa3a

SHA512
a4491125f28500cf2f5461eaa6f27c8f07878f30c61ceae98e135b257ac27a6c40fd8b41c3b7463b44fe90ce2b74c7843a57a88afbedd8296cc21cc1e1634bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDAE3.tmp

Filesize
287KB

MD5
5b3cf81faca9510b9cbc12931f37bd85

SHA1
42e7e7ef48d18e95efe1bedeff13eab2f9cb864f

SHA256
d81ed126b02e9e3f7d2edb2181684386ddf4142d68f5c13074a9ed469702c60a

SHA512
696d0e1d08da0327541f1a41678b6f71ec27ca1812c2160e33a6a38b7640897c19ca8594595808965433072248c7680ac040cfc0e9c7fe8459db9e89c81ad180

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDAE3.tmp

Filesize
287KB

MD5
5b3cf81faca9510b9cbc12931f37bd85

SHA1
42e7e7ef48d18e95efe1bedeff13eab2f9cb864f

SHA256
d81ed126b02e9e3f7d2edb2181684386ddf4142d68f5c13074a9ed469702c60a

SHA512
696d0e1d08da0327541f1a41678b6f71ec27ca1812c2160e33a6a38b7640897c19ca8594595808965433072248c7680ac040cfc0e9c7fe8459db9e89c81ad180

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDB23.tmp

Filesize
79KB

MD5
c3605f0934c6a4af3800df280094046d

SHA1
d5df56a7b6a96bbad6ebe57d63149b117d5ad6d9

SHA256
1a8d5d34c714fe9c5afcbfd5433ac3c475d302a63361d13977d408c85f9ffa3a

SHA512
a4491125f28500cf2f5461eaa6f27c8f07878f30c61ceae98e135b257ac27a6c40fd8b41c3b7463b44fe90ce2b74c7843a57a88afbedd8296cc21cc1e1634bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDB23.tmp

Filesize
79KB

MD5
c3605f0934c6a4af3800df280094046d

SHA1
d5df56a7b6a96bbad6ebe57d63149b117d5ad6d9

SHA256
1a8d5d34c714fe9c5afcbfd5433ac3c475d302a63361d13977d408c85f9ffa3a

SHA512
a4491125f28500cf2f5461eaa6f27c8f07878f30c61ceae98e135b257ac27a6c40fd8b41c3b7463b44fe90ce2b74c7843a57a88afbedd8296cc21cc1e1634bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDB52.tmp

Filesize
95KB

MD5
24705681707fdd06e5a0d6c5aeb40d12

SHA1
3812226a762b5eaa604003ff21aa8c483157c8f9

SHA256
e2fe324b079c510f0033ce2997567ffd209a30e955c027b9e8a7a09277bb248c

SHA512
1e19cc0a5825df5ce005c6e944ba6293c96565fbaa58c4a761b3fce148f9d413b2cf7c8f60dd50e1038f43b739f5ddf848341e35d8bbe5a4fa200d3dc039274c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDB52.tmp

Filesize
95KB

MD5
24705681707fdd06e5a0d6c5aeb40d12

SHA1
3812226a762b5eaa604003ff21aa8c483157c8f9

SHA256
e2fe324b079c510f0033ce2997567ffd209a30e955c027b9e8a7a09277bb248c

SHA512
1e19cc0a5825df5ce005c6e944ba6293c96565fbaa58c4a761b3fce148f9d413b2cf7c8f60dd50e1038f43b739f5ddf848341e35d8bbe5a4fa200d3dc039274c

Download Submit