Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 24/07/2023, 06:10
Static task: static1
Behavioral task: behavioral1
Sample: RemoteApp.Tool.6000.msi
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: RemoteApp.Tool.6000.msi
Resource: win10v2004-20230703-en
General
Target: RemoteApp.Tool.6000.msi
Size: 2.1MB
MD5: ab032800eb0bf6d1e4c18b62c4af9943
SHA1: ce70b7d4b655a8751879e5b5b40bc55543c9d896
SHA256: b3eb1c8e475b12a4bd28be7c75350d909620b88af906610d01985b4bf1bb5bf8
SHA512: a9d008d58143335a2b39ea5c74a6c4f4ac15aa68c96d3d120bcbe11ae08cda695ff260eb53a1d6a73f6d3f7a7a0098af6ad066f0748288d7aea01b97567d5c9f
SSDEEP: 49152:vYvMV3MVYugTdAwPsJ6ma8zotlmfwrgxMyoy29IAan6DrpoVB6U6iidXS:vYvMV37rA+AfwrtyfB6piidC
Malware Config
Signatures
Loads dropped DLL (5 IoCs)
pid / Process: 2980 MsiExec.exe (the same entry is reported 5 times)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); Process: msiexec.exe; ioc, in the order reported:
\??\P:, \??\Q:, \??\V:, \??\M:, \??\U:, \??\B:, \??\M:, \??\J:, \??\R:, \??\B:, \??\H:, \??\V:, \??\Y:, \??\U:, \??\I:, \??\X:, \??\H:, \??\K:, \??\Z:, \??\G:, \??\N:, \??\W:, \??\A:, \??\G:, \??\O:, \??\T:, \??\S:, \??\X:, \??\E:, \??\K:, \??\L:, \??\P:, \??\E:, \??\I:, \??\T:, \??\Z:, \??\J:, \??\N:, \??\Q:, \??\W:, \??\R:, \??\O:, \??\Y:, \??\A:, \??\L:, \??\S:
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid / Process: 2372 msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token / pid / Process, in the order reported:
PID 2372 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
PID 1588 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
PID 2372 msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege
Suspicious use of FindShellTrayWindow (1 IoC)
pid / Process: 2372 msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description / pid / Process / procid_target: PID 1588 wrote to memory of 2980 / 1588 / msiexec.exe / 29 (the same entry is reported 7 times)
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RemoteApp.Tool.6000.msi
  PID: 2372
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1588
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A58E1224272429154EDF385C49A799F4 C
    PID: 2980
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 377KB
MD5: 8b03c31b6d87a2103405ea8c5f337799
SHA1: 5cc2be39a0f1f4bb3cfb561c77f5ae7e96eca6fa
SHA256: 75741fff4c3726689be3329dfc16d45becbd6937d3e5b8211fc7997d8d4695ec
SHA512: c38226b1c86eb9c661204b94e2455c608749f2a4d80686c18681a2577446afff9edd6aeaf85ef253ffe509a2a5cfa715bd2ada573d44d4e31271868707ede143
(this entry is listed 9 times in the report)

Filesize: 837KB
MD5: 61536f46edd7d0581179a47583f61fd9
SHA1: 83dde6c1b39a23dabe4db3ac1918a45f4c114c61
SHA256: 039658b48bfd372344beb5d2c128fb5e6c144194a54ebd9667d1af7810c04fe1
SHA512: a610510b0a2429ad4f996b7363467320f692388dd5978cf1cc98436bb6ee5b4904ae789c6ac00a6aa5c6e7969aa84d15bc0caa58a372ba85f90eb0861b5eea68
(this entry is listed 2 times in the report)