51f3a488b74568fa94f3636eeb8ba94474680b964c9c201a531299eb5eb556e8

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2023 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1633005552202_SmartMDM38(1).msi
Size

8.8MB
MD5

5a3e90c21eba4dc74f7c59ed80616a97
SHA1

b8d65abeb462bac871210658fe9fb4decd2313a4
SHA256

51f3a488b74568fa94f3636eeb8ba94474680b964c9c201a531299eb5eb556e8
SHA512

c82a2cbdd50bf048e77f1c064f0991fe55186c0da8b84df22a109ea42b56d3e42d64f9ab0fad44198dea706c802cf054e105ed1368c7141a278a9d143cbbd7ca
SSDEEP

196608:acYuZ5luuXswIfhP7Y8nuDt5H2v0VfhlOB:ac9Z5ouXsVp7Y8nHv0o

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
4844	MsiExec.exe
4844	MsiExec.exe
4844	MsiExec.exe
4844	MsiExec.exe
4844	MsiExec.exe
4844	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1188	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1188	msiexec.exe
Token: SeSecurityPrivilege	4832	msiexec.exe
Token: SeCreateTokenPrivilege	1188	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1188	msiexec.exe
Token: SeLockMemoryPrivilege	1188	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1188	msiexec.exe
Token: SeMachineAccountPrivilege	1188	msiexec.exe
Token: SeTcbPrivilege	1188	msiexec.exe
Token: SeSecurityPrivilege	1188	msiexec.exe
Token: SeTakeOwnershipPrivilege	1188	msiexec.exe
Token: SeLoadDriverPrivilege	1188	msiexec.exe
Token: SeSystemProfilePrivilege	1188	msiexec.exe
Token: SeSystemtimePrivilege	1188	msiexec.exe
Token: SeProfSingleProcessPrivilege	1188	msiexec.exe
Token: SeIncBasePriorityPrivilege	1188	msiexec.exe
Token: SeCreatePagefilePrivilege	1188	msiexec.exe
Token: SeCreatePermanentPrivilege	1188	msiexec.exe
Token: SeBackupPrivilege	1188	msiexec.exe
Token: SeRestorePrivilege	1188	msiexec.exe
Token: SeShutdownPrivilege	1188	msiexec.exe
Token: SeDebugPrivilege	1188	msiexec.exe
Token: SeAuditPrivilege	1188	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1188	msiexec.exe
Token: SeChangeNotifyPrivilege	1188	msiexec.exe
Token: SeRemoteShutdownPrivilege	1188	msiexec.exe
Token: SeUndockPrivilege	1188	msiexec.exe
Token: SeSyncAgentPrivilege	1188	msiexec.exe
Token: SeEnableDelegationPrivilege	1188	msiexec.exe
Token: SeManageVolumePrivilege	1188	msiexec.exe
Token: SeImpersonatePrivilege	1188	msiexec.exe
Token: SeCreateGlobalPrivilege	1188	msiexec.exe
Token: SeCreateTokenPrivilege	1188	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1188	msiexec.exe
Token: SeLockMemoryPrivilege	1188	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1188	msiexec.exe
Token: SeMachineAccountPrivilege	1188	msiexec.exe
Token: SeTcbPrivilege	1188	msiexec.exe
Token: SeSecurityPrivilege	1188	msiexec.exe
Token: SeTakeOwnershipPrivilege	1188	msiexec.exe
Token: SeLoadDriverPrivilege	1188	msiexec.exe
Token: SeSystemProfilePrivilege	1188	msiexec.exe
Token: SeSystemtimePrivilege	1188	msiexec.exe
Token: SeProfSingleProcessPrivilege	1188	msiexec.exe
Token: SeIncBasePriorityPrivilege	1188	msiexec.exe
Token: SeCreatePagefilePrivilege	1188	msiexec.exe
Token: SeCreatePermanentPrivilege	1188	msiexec.exe
Token: SeBackupPrivilege	1188	msiexec.exe
Token: SeRestorePrivilege	1188	msiexec.exe
Token: SeShutdownPrivilege	1188	msiexec.exe
Token: SeDebugPrivilege	1188	msiexec.exe
Token: SeAuditPrivilege	1188	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1188	msiexec.exe
Token: SeChangeNotifyPrivilege	1188	msiexec.exe
Token: SeRemoteShutdownPrivilege	1188	msiexec.exe
Token: SeUndockPrivilege	1188	msiexec.exe
Token: SeSyncAgentPrivilege	1188	msiexec.exe
Token: SeEnableDelegationPrivilege	1188	msiexec.exe
Token: SeManageVolumePrivilege	1188	msiexec.exe
Token: SeImpersonatePrivilege	1188	msiexec.exe
Token: SeCreateGlobalPrivilege	1188	msiexec.exe
Token: SeCreateTokenPrivilege	1188	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1188	msiexec.exe
Token: SeLockMemoryPrivilege	1188	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1188	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 4844	4832	msiexec.exe	84
PID 4832 wrote to memory of 4844	4832	msiexec.exe	84
PID 4832 wrote to memory of 4844	4832	msiexec.exe	84

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1633005552202_SmartMDM38(1).msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1188

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 795B0BBFF8F66C3E4D867DFE0933C9CD C
  2⤵
  - Loads dropped DLL
  PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIC7F.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC7F.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICDE.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICDE.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICDE.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID0E.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID0E.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF80.tmp

Filesize
857KB

MD5
d51a7e3bce34c74638e89366deee2aab

SHA1
0e68022b52c288e8cdffe85739de1194253a7ef0

SHA256
7c6bdf16a0992db092b7f94c374b21de5d53e3043f5717a6eecae614432e0df5

SHA512
8ed246747cdd05cac352919d7ded3f14b1e523ccc1f7f172db85eed800b0c5d24475c270b34a7c25e7934467ace7e363542a586cdeb156bfc484f7417c3a4ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF80.tmp

Filesize
857KB

MD5
d51a7e3bce34c74638e89366deee2aab

SHA1
0e68022b52c288e8cdffe85739de1194253a7ef0

SHA256
7c6bdf16a0992db092b7f94c374b21de5d53e3043f5717a6eecae614432e0df5

SHA512
8ed246747cdd05cac352919d7ded3f14b1e523ccc1f7f172db85eed800b0c5d24475c270b34a7c25e7934467ace7e363542a586cdeb156bfc484f7417c3a4ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFC42.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFC42.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFEE.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFEE.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit