Analysis
-
max time kernel
118s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20230712-es -
resource tags
arch:x64arch:x86image:win7-20230712-eslocale:es-esos:windows7-x64systemwindows -
submitted
18-08-2023 20:34
Static task
static1
Behavioral task
behavioral1
Sample
ReF_SaT589.msi
Resource
win7-20230712-es
windows7-x64
Behavioral task
behavioral2
Sample
ReF_SaT589.msi
Resource
win10v2004-20230703-es
windows10-2004-x64
General
-
Target
ReF_SaT589.msi
-
Size
12.3MB
-
MD5
9b61bbdf8d85729e4ebe0785fe6436c9
-
SHA1
ec07c46d7a3903cc7bd9b868efec4aba81548332
-
SHA256
e7d27ef86adb6f7d75a19675742a12f7390bfafb60bfeb17a16d80ec211761db
-
SHA512
592104b2208347953c96431b9cbb36813d62d068a380e1956cd0bbbda85da2d2073f916307f9e742d2ba44ae6523ed02645e43fbd3f926fa7305ffd9f8a78d9f
-
SSDEEP
98304:07mwfue/kPH85N5a91u83vTezizUZ8e5PWPz4SX5zXX9qYAe7z9KCdHgTTMrZUxT:07mQeLecNPz4yRXcaz5dHSIrZVWPEi
Malware Config
Signatures
-
Loads dropped DLL 3 IoCs
pid Process 2228 MsiExec.exe 2228 MsiExec.exe 2228 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIE419.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE497.tmp msiexec.exe File created C:\Windows\Installer\f76e11c.msi msiexec.exe File opened for modification C:\Windows\Installer\f76e11c.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE1D7.tmp msiexec.exe -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeShutdownPrivilege 1520 msiexec.exe Token: SeIncreaseQuotaPrivilege 1520 msiexec.exe Token: SeRestorePrivilege 2184 msiexec.exe Token: SeTakeOwnershipPrivilege 2184 msiexec.exe Token: SeSecurityPrivilege 2184 msiexec.exe Token: SeCreateTokenPrivilege 1520 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1520 msiexec.exe Token: SeLockMemoryPrivilege 1520 msiexec.exe Token: SeIncreaseQuotaPrivilege 1520 msiexec.exe Token: SeMachineAccountPrivilege 1520 msiexec.exe Token: SeTcbPrivilege 1520 msiexec.exe Token: SeSecurityPrivilege 1520 msiexec.exe Token: SeTakeOwnershipPrivilege 1520 msiexec.exe Token: SeLoadDriverPrivilege 1520 msiexec.exe Token: SeSystemProfilePrivilege 1520 msiexec.exe Token: SeSystemtimePrivilege 1520 msiexec.exe Token: SeProfSingleProcessPrivilege 1520 msiexec.exe Token: SeIncBasePriorityPrivilege 1520 msiexec.exe Token: SeCreatePagefilePrivilege 1520 msiexec.exe Token: SeCreatePermanentPrivilege 1520 msiexec.exe Token: SeBackupPrivilege 1520 msiexec.exe Token: SeRestorePrivilege 1520 msiexec.exe Token: SeShutdownPrivilege 1520 msiexec.exe Token: SeDebugPrivilege 1520 msiexec.exe Token: SeAuditPrivilege 1520 msiexec.exe Token: SeSystemEnvironmentPrivilege 1520 msiexec.exe Token: SeChangeNotifyPrivilege 1520 msiexec.exe Token: SeRemoteShutdownPrivilege 1520 msiexec.exe Token: SeUndockPrivilege 1520 msiexec.exe Token: SeSyncAgentPrivilege 1520 msiexec.exe Token: SeEnableDelegationPrivilege 1520 msiexec.exe Token: SeManageVolumePrivilege 1520 msiexec.exe Token: SeImpersonatePrivilege 1520 msiexec.exe Token: SeCreateGlobalPrivilege 1520 msiexec.exe Token: SeRestorePrivilege 2184 msiexec.exe Token: SeTakeOwnershipPrivilege 2184 msiexec.exe Token: SeRestorePrivilege 2184 msiexec.exe Token: SeTakeOwnershipPrivilege 2184 msiexec.exe Token: SeRestorePrivilege 2184 msiexec.exe Token: SeTakeOwnershipPrivilege 2184 msiexec.exe Token: SeRestorePrivilege 2184 msiexec.exe Token: SeTakeOwnershipPrivilege 2184 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1520 msiexec.exe 1520 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2184 wrote to memory of 2228 2184 msiexec.exe 29 PID 2184 wrote to memory of 2228 2184 msiexec.exe 29 PID 2184 wrote to memory of 2228 2184 msiexec.exe 29 PID 2184 wrote to memory of 2228 2184 msiexec.exe 29 PID 2184 wrote to memory of 2228 2184 msiexec.exe 29 PID 2184 wrote to memory of 2228 2184 msiexec.exe 29 PID 2184 wrote to memory of 2228 2184 msiexec.exe 29
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ReF_SaT589.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1520
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1CDFC1F115C9E985CE514D4E12420E152⤵
- Loads dropped DLL
PID:2228
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
557KB
MD5e1423fc5ddaedc0152a09f4796243e31
SHA1c92cec1fb6093d6922fe64719e583048fca12153
SHA2563042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de
SHA512fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39
-
Filesize
557KB
MD5e1423fc5ddaedc0152a09f4796243e31
SHA1c92cec1fb6093d6922fe64719e583048fca12153
SHA2563042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de
SHA512fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39
-
Filesize
1.0MB
MD55566149fc623f29d55ca72018369c780
SHA18ae947ab0ae9182f1c09bd266ff360c0e8b88326
SHA256a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608
SHA512f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5
-
Filesize
557KB
MD5e1423fc5ddaedc0152a09f4796243e31
SHA1c92cec1fb6093d6922fe64719e583048fca12153
SHA2563042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de
SHA512fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39
-
Filesize
557KB
MD5e1423fc5ddaedc0152a09f4796243e31
SHA1c92cec1fb6093d6922fe64719e583048fca12153
SHA2563042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de
SHA512fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39
-
Filesize
1.0MB
MD55566149fc623f29d55ca72018369c780
SHA18ae947ab0ae9182f1c09bd266ff360c0e8b88326
SHA256a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608
SHA512f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5