70f15c2f18c4ebbeac4dd6267c20c46a355ada4701b15fc4818c5be376869074

Analysis

max time kernel
15s
max time network
20s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
23-08-2023 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CL9F210637Q21Factura22837QMOON97106LTZVJuptoa.msi
Size

8.3MB
MD5

bc4cc3b1821b89a517b9ba4ca3827d49
SHA1

037509e33fde2e2eb65365d2c8a30f095b82dec8
SHA256

70f15c2f18c4ebbeac4dd6267c20c46a355ada4701b15fc4818c5be376869074
SHA512

0e9a7b8631386d6e9c0ad9294619470bd94b5fe1a4d8e508f25cb9fc56474ec198d1e2678d4fb10515df176d622e3d3e22bbd60da7bcae38521dcedeaa3c71ba
SSDEEP

49152:LMfxupAyxI3QJUQr5Go2cCy27pnS5PWW7rjgdtchuQgd4jTe9i3Pu2JgB/s7jizG:LAyxf7igtf/e+0

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
352	MsiExec.exe
352	MsiExec.exe
352	MsiExec.exe
352	MsiExec.exe
1388	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI9C31.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D4B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA157.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5794ae.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95C8.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2SBC9J9P-8L5Y-VNLK-TPHU-CFLEU7JMW4GK}	msiexec.exe
File created	C:\Windows\Installer\e5794ae.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9DF8.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4424	msiexec.exe
4424	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5068	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5068	msiexec.exe
Token: SeSecurityPrivilege	4424	msiexec.exe
Token: SeCreateTokenPrivilege	5068	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5068	msiexec.exe
Token: SeLockMemoryPrivilege	5068	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5068	msiexec.exe
Token: SeMachineAccountPrivilege	5068	msiexec.exe
Token: SeTcbPrivilege	5068	msiexec.exe
Token: SeSecurityPrivilege	5068	msiexec.exe
Token: SeTakeOwnershipPrivilege	5068	msiexec.exe
Token: SeLoadDriverPrivilege	5068	msiexec.exe
Token: SeSystemProfilePrivilege	5068	msiexec.exe
Token: SeSystemtimePrivilege	5068	msiexec.exe
Token: SeProfSingleProcessPrivilege	5068	msiexec.exe
Token: SeIncBasePriorityPrivilege	5068	msiexec.exe
Token: SeCreatePagefilePrivilege	5068	msiexec.exe
Token: SeCreatePermanentPrivilege	5068	msiexec.exe
Token: SeBackupPrivilege	5068	msiexec.exe
Token: SeRestorePrivilege	5068	msiexec.exe
Token: SeShutdownPrivilege	5068	msiexec.exe
Token: SeDebugPrivilege	5068	msiexec.exe
Token: SeAuditPrivilege	5068	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5068	msiexec.exe
Token: SeChangeNotifyPrivilege	5068	msiexec.exe
Token: SeRemoteShutdownPrivilege	5068	msiexec.exe
Token: SeUndockPrivilege	5068	msiexec.exe
Token: SeSyncAgentPrivilege	5068	msiexec.exe
Token: SeEnableDelegationPrivilege	5068	msiexec.exe
Token: SeManageVolumePrivilege	5068	msiexec.exe
Token: SeImpersonatePrivilege	5068	msiexec.exe
Token: SeCreateGlobalPrivilege	5068	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe
Token: SeRestorePrivilege	4424	msiexec.exe
Token: SeTakeOwnershipPrivilege	4424	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5068	msiexec.exe
5068	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 352	4424	msiexec.exe	71
PID 4424 wrote to memory of 352	4424	msiexec.exe	71
PID 4424 wrote to memory of 352	4424	msiexec.exe	71
PID 4424 wrote to memory of 1388	4424	msiexec.exe	72
PID 4424 wrote to memory of 1388	4424	msiexec.exe	72

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CL9F210637Q21Factura22837QMOON97106LTZVJuptoa.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5068

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3EA71A14C4D314225873EB2ED54EE295
  2⤵
  - Loads dropped DLL
  PID:352
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 73E45507C9D3BB36896875F78D45D8D5
  2⤵
  - Loads dropped DLL
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5794b1.rbs

Filesize
567B

MD5
cdb68c1f9c3b1c4a3fb0fa19416188ad

SHA1
c760d4e8872a2085f95dbd1c1dd044c1b183ce1a

SHA256
295a8a998861c213a318484daef27f0deec95abca45e5eb3e0cb9bc1e1715a0c

SHA512
f296044a2b2d6458b2c76a07019f36911865eaa82fe9d80043c526a82dabb76b55355e2ede4213dbac94e432b433cd51f93f11fbe07f038501f21b2dce418678

Download Submit
C:\Windows\Installer\MSI95C8.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI9C31.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI9D4B.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI9D4B.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI9DF8.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSIA157.tmp

Filesize
7.2MB

MD5
d018fabbe377092eb4f406b8356403c9

SHA1
e547c9c4f21c85d339dfe5abe93bd0ef87259293

SHA256
bf9976cf4ab1ab13d484ab8bd9bd6562c66c015094aa5a8d9f541f69913603ae

SHA512
7c551fec10eb4693504a5475966991fcca3a7219f1a31e3ef731794deecd95095229c3e215efc8b098df031a838d734a186bb4508063a61de617fcca7a8c79d3

Download Submit
\Windows\Installer\MSI95C8.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSI9C31.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSI9D4B.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSI9DF8.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSIA157.tmp

Filesize
7.2MB

MD5
d018fabbe377092eb4f406b8356403c9

SHA1
e547c9c4f21c85d339dfe5abe93bd0ef87259293

SHA256
bf9976cf4ab1ab13d484ab8bd9bd6562c66c015094aa5a8d9f541f69913603ae

SHA512
7c551fec10eb4693504a5475966991fcca3a7219f1a31e3ef731794deecd95095229c3e215efc8b098df031a838d734a186bb4508063a61de617fcca7a8c79d3

Download Submit
memory/1388-34-0x000001DFE3A60000-0x000001DFE3A61000-memory.dmp

Filesize
4KB

Download
memory/1388-35-0x0000000068560000-0x0000000068CA8000-memory.dmp

Filesize
7.3MB

Download