b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/08/2023, 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bcf03b31489b63436d4216249bbf246.msi
Size

4.0MB
MD5

1bcf03b31489b63436d4216249bbf246
SHA1

e330e5b7f62ca55cb6e6c97406e0b56878806960
SHA256

b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959
SHA512

5d6141eaac00be3349606c40a1a63bfa3e7bb39ccbff3805ffb7de52c5ee68a9b013dc45f6e0eda6bcd5f89b17e91a62e8297796f196906d28e9916bbfc47462
SSDEEP

98304:SQCt+uKTFy+XHBflMPzidUtyWmk60KAOmG:DCh0BfMEWt66DG

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2192	msiexec.exe
5	2192	msiexec.exe
6	2616	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2672	MSI9346.tmp
2156	MpCopyAccelerator.exe

Loads dropped DLL 4 IoCs

pid	Process
528	MsiExec.exe
528	MsiExec.exe
528	MsiExec.exe
528	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI88F4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A2D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7681e0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9346.tmp	msiexec.exe
File created	C:\Windows\Installer\f7681dd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7681dd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI853B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87CB.tmp	msiexec.exe
File created	C:\Windows\Installer\f7681e0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9249.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2616	msiexec.exe
2616	msiexec.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2192	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeSecurityPrivilege	2616	msiexec.exe
Token: SeCreateTokenPrivilege	2192	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2192	msiexec.exe
Token: SeLockMemoryPrivilege	2192	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2192	msiexec.exe
Token: SeMachineAccountPrivilege	2192	msiexec.exe
Token: SeTcbPrivilege	2192	msiexec.exe
Token: SeSecurityPrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeLoadDriverPrivilege	2192	msiexec.exe
Token: SeSystemProfilePrivilege	2192	msiexec.exe
Token: SeSystemtimePrivilege	2192	msiexec.exe
Token: SeProfSingleProcessPrivilege	2192	msiexec.exe
Token: SeIncBasePriorityPrivilege	2192	msiexec.exe
Token: SeCreatePagefilePrivilege	2192	msiexec.exe
Token: SeCreatePermanentPrivilege	2192	msiexec.exe
Token: SeBackupPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeShutdownPrivilege	2192	msiexec.exe
Token: SeDebugPrivilege	2192	msiexec.exe
Token: SeAuditPrivilege	2192	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2192	msiexec.exe
Token: SeChangeNotifyPrivilege	2192	msiexec.exe
Token: SeRemoteShutdownPrivilege	2192	msiexec.exe
Token: SeUndockPrivilege	2192	msiexec.exe
Token: SeSyncAgentPrivilege	2192	msiexec.exe
Token: SeEnableDelegationPrivilege	2192	msiexec.exe
Token: SeManageVolumePrivilege	2192	msiexec.exe
Token: SeImpersonatePrivilege	2192	msiexec.exe
Token: SeCreateGlobalPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2192	msiexec.exe
2192	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 528	2616	msiexec.exe	29
PID 2616 wrote to memory of 528	2616	msiexec.exe	29
PID 2616 wrote to memory of 528	2616	msiexec.exe	29
PID 2616 wrote to memory of 528	2616	msiexec.exe	29
PID 2616 wrote to memory of 528	2616	msiexec.exe	29
PID 2616 wrote to memory of 528	2616	msiexec.exe	29
PID 2616 wrote to memory of 528	2616	msiexec.exe	29
PID 2616 wrote to memory of 2672	2616	msiexec.exe	30
PID 2616 wrote to memory of 2672	2616	msiexec.exe	30
PID 2616 wrote to memory of 2672	2616	msiexec.exe	30
PID 2616 wrote to memory of 2672	2616	msiexec.exe	30
PID 2616 wrote to memory of 2672	2616	msiexec.exe	30
PID 2616 wrote to memory of 2672	2616	msiexec.exe	30
PID 2616 wrote to memory of 2672	2616	msiexec.exe	30

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1bcf03b31489b63436d4216249bbf246.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2192

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C1BD9FCF57120126E0FDD46635FD000
  2⤵
  - Loads dropped DLL
  PID:528
- C:\Windows\Installer\MSI9346.tmp
  "C:\Windows\Installer\MSI9346.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\Installation Assistant S54FCF1E7-E6A4-478B-96E7-D5B285925B00\MpCopyAccelerator.exe"
  2⤵
  - Executes dropped EXE
  PID:2672

C:\Users\Admin\AppData\Roaming\Installation Assistant S54FCF1E7-E6A4-478B-96E7-D5B285925B00\MpCopyAccelerator.exe
"C:\Users\Admin\AppData\Roaming\Installation Assistant S54FCF1E7-E6A4-478B-96E7-D5B285925B00\MpCopyAccelerator.exe"
1⤵
- Executes dropped EXE
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7681e1.rbs

Filesize
1KB

MD5
9f67f5333eaeb00649001bf89f3ec4fb

SHA1
0a64f0aa05981822275f9f2109f2c63361c9070a

SHA256
147bb87fe07504c70e27f7c72c92373dfc3dfb13fc0baddd29103b8909db85ee

SHA512
184d2104aba32d68f5154538f5102c89d19f60e0870b66b2d2bb5e19ba14c59e9fde85acae401f0bc481208e34713f40919882180ace888e257cae9dbae27189

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
547a40610470f76559a68324447e297f

SHA1
fc9d3a1c8166559af59832b9ece21854569c6fb0

SHA256
950b4b31a3cc778fe1b112259ff0a75d5ecba0d4a9a600803f450af9a4e232f7

SHA512
a8e8176b9ab5a2db4dd043aec85c0add44db7c19e917649bd8f2144ca1c0ff1b9897d736c2443e04fb10029c33c67dd121586cde6effca3c0d2c06f37d205469

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7D8B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7DBD.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Installation Assistant S54FCF1E7-E6A4-478B-96E7-D5B285925B00\MpCopyAccelerator.exe

Filesize
178KB

MD5
5f0176a8731f9a8edd2b17af9741b864

SHA1
d2e7904607abd0dce4febddaddee3cb88c999a7c

SHA256
314f3b3cb9c6bf3e0d76e1fbe54700da3f3f65c3d82592aaee6b4d1f3905e0da

SHA512
a9fc190032ec8a84c0081161172249946a2f92b43b5d755362f3024b366dbba6c06bf6924396cbfa081182bc35abb4a795af1338f6a3605a018c502ff224c001

Download Submit
C:\Windows\Installer\MSI853B.tmp

Filesize
588KB

MD5
b7a6a99cbe6e762c0a61a8621ad41706

SHA1
92f45dd3ed3aaeaac8b488a84e160292ff86281e

SHA256
39fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d

SHA512
a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642

Download Submit
C:\Windows\Installer\MSI87CB.tmp

Filesize
588KB

MD5
b7a6a99cbe6e762c0a61a8621ad41706

SHA1
92f45dd3ed3aaeaac8b488a84e160292ff86281e

SHA256
39fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d

SHA512
a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642

Download Submit
C:\Windows\Installer\MSI88F4.tmp

Filesize
1.1MB

MD5
8e3862ecc7a591df93cb916906eae863

SHA1
1c9f1f80be421f8c87662b5ab11749dd7604fcf2

SHA256
b980c67b11cc39f006535303151273749e4ca69dd370cf45b6110a0b5af77b68

SHA512
5d58c26f1f4ed448578e118c526a67159284e68b58062a0ff74492a38785fc94608ca09aadb5473f66dd0161fccdbad3ea4a2ed5c65396bef5e3d6572ac607ce

Download Submit
C:\Windows\Installer\MSI8A2D.tmp

Filesize
588KB

MD5
b7a6a99cbe6e762c0a61a8621ad41706

SHA1
92f45dd3ed3aaeaac8b488a84e160292ff86281e

SHA256
39fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d

SHA512
a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642

Download Submit
C:\Windows\Installer\MSI8A2D.tmp

Filesize
588KB

MD5
b7a6a99cbe6e762c0a61a8621ad41706

SHA1
92f45dd3ed3aaeaac8b488a84e160292ff86281e

SHA256
39fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d

SHA512
a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642

Download Submit
C:\Windows\Installer\MSI9346.tmp

Filesize
425KB

MD5
e4e9792c52398cf9a945155d31ec032f

SHA1
5963bb4bf015c4685261aa58d97d48483166d00a

SHA256
bbf816a8251d20d4359ed8ed6c05271f6d06649ed42152e29e8c6239dc8ba390

SHA512
bdfe5f48309906f894e50a1fa2db157cf5860fb32afde37473bd0485cee2ca078c82ebd487a4fca89480632df7ba2ea947cc11b01410d2ea2c3caf0a0c2b194b

Download Submit
\Windows\Installer\MSI853B.tmp

Filesize
588KB

MD5
b7a6a99cbe6e762c0a61a8621ad41706

SHA1
92f45dd3ed3aaeaac8b488a84e160292ff86281e

SHA256
39fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d

SHA512
a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642

Download Submit
\Windows\Installer\MSI87CB.tmp

Filesize
588KB

MD5
b7a6a99cbe6e762c0a61a8621ad41706

SHA1
92f45dd3ed3aaeaac8b488a84e160292ff86281e

SHA256
39fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d

SHA512
a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642

Download Submit
\Windows\Installer\MSI88F4.tmp

Filesize
1.1MB

MD5
8e3862ecc7a591df93cb916906eae863

SHA1
1c9f1f80be421f8c87662b5ab11749dd7604fcf2

SHA256
b980c67b11cc39f006535303151273749e4ca69dd370cf45b6110a0b5af77b68

SHA512
5d58c26f1f4ed448578e118c526a67159284e68b58062a0ff74492a38785fc94608ca09aadb5473f66dd0161fccdbad3ea4a2ed5c65396bef5e3d6572ac607ce

Download Submit
\Windows\Installer\MSI8A2D.tmp

Filesize
588KB

MD5
b7a6a99cbe6e762c0a61a8621ad41706

SHA1
92f45dd3ed3aaeaac8b488a84e160292ff86281e

SHA256
39fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d

SHA512
a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642

Download Submit
memory/2672-173-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download