5610fa4a489bc1d5e8d3b61483404246e75651e955909dd31744c21274ada4e1

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2023 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hamachi.msi
Size

3.7MB
MD5

e687c68a3b94a5533f5efc9716421bce
SHA1

b48abc272b36a71b042310a4ad6c96c8521b2dea
SHA256

5610fa4a489bc1d5e8d3b61483404246e75651e955909dd31744c21274ada4e1
SHA512

6057051434c867c5cf64e859fbe10149c2235628c776b492ede3ab4e879a05ffb8ac2d5264e1f41d9f41512fddcde8f840a867c98461e6cc603c98b2e4003e10
SSDEEP

98304:sIUex2F/ytIuNdzLtoN396UDnrM5oC5r9GJZJpwr+mtRVC:sIUPF/PuHtoR9RnwXFwZDwrjA

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2964	msiexec.exe

Loads dropped DLL 2 IoCs

pid	Process
1048	MsiExec.exe
1048	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2964	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2964	msiexec.exe
Token: SeSecurityPrivilege	1164	msiexec.exe
Token: SeCreateTokenPrivilege	2964	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2964	msiexec.exe
Token: SeLockMemoryPrivilege	2964	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2964	msiexec.exe
Token: SeMachineAccountPrivilege	2964	msiexec.exe
Token: SeTcbPrivilege	2964	msiexec.exe
Token: SeSecurityPrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeLoadDriverPrivilege	2964	msiexec.exe
Token: SeSystemProfilePrivilege	2964	msiexec.exe
Token: SeSystemtimePrivilege	2964	msiexec.exe
Token: SeProfSingleProcessPrivilege	2964	msiexec.exe
Token: SeIncBasePriorityPrivilege	2964	msiexec.exe
Token: SeCreatePagefilePrivilege	2964	msiexec.exe
Token: SeCreatePermanentPrivilege	2964	msiexec.exe
Token: SeBackupPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeShutdownPrivilege	2964	msiexec.exe
Token: SeDebugPrivilege	2964	msiexec.exe
Token: SeAuditPrivilege	2964	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2964	msiexec.exe
Token: SeChangeNotifyPrivilege	2964	msiexec.exe
Token: SeRemoteShutdownPrivilege	2964	msiexec.exe
Token: SeUndockPrivilege	2964	msiexec.exe
Token: SeSyncAgentPrivilege	2964	msiexec.exe
Token: SeEnableDelegationPrivilege	2964	msiexec.exe
Token: SeManageVolumePrivilege	2964	msiexec.exe
Token: SeImpersonatePrivilege	2964	msiexec.exe
Token: SeCreateGlobalPrivilege	2964	msiexec.exe
Token: SeCreateTokenPrivilege	2964	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2964	msiexec.exe
Token: SeLockMemoryPrivilege	2964	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2964	msiexec.exe
Token: SeMachineAccountPrivilege	2964	msiexec.exe
Token: SeTcbPrivilege	2964	msiexec.exe
Token: SeSecurityPrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeLoadDriverPrivilege	2964	msiexec.exe
Token: SeSystemProfilePrivilege	2964	msiexec.exe
Token: SeSystemtimePrivilege	2964	msiexec.exe
Token: SeProfSingleProcessPrivilege	2964	msiexec.exe
Token: SeIncBasePriorityPrivilege	2964	msiexec.exe
Token: SeCreatePagefilePrivilege	2964	msiexec.exe
Token: SeCreatePermanentPrivilege	2964	msiexec.exe
Token: SeBackupPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeShutdownPrivilege	2964	msiexec.exe
Token: SeDebugPrivilege	2964	msiexec.exe
Token: SeAuditPrivilege	2964	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2964	msiexec.exe
Token: SeChangeNotifyPrivilege	2964	msiexec.exe
Token: SeRemoteShutdownPrivilege	2964	msiexec.exe
Token: SeUndockPrivilege	2964	msiexec.exe
Token: SeSyncAgentPrivilege	2964	msiexec.exe
Token: SeEnableDelegationPrivilege	2964	msiexec.exe
Token: SeManageVolumePrivilege	2964	msiexec.exe
Token: SeImpersonatePrivilege	2964	msiexec.exe
Token: SeCreateGlobalPrivilege	2964	msiexec.exe
Token: SeCreateTokenPrivilege	2964	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2964	msiexec.exe
Token: SeLockMemoryPrivilege	2964	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2964	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1048	1164	msiexec.exe	84
PID 1164 wrote to memory of 1048	1164	msiexec.exe	84
PID 1164 wrote to memory of 1048	1164	msiexec.exe	84

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Hamachi.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2964

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 685E31E5EB10BBC20CBE8C8FE5D425A1 C
  2⤵
  - Loads dropped DLL
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log

Filesize
292B

MD5
1a1f1ca0f8740dc42eafececb5dd01f4

SHA1
62f0ae9beb5b0434a9b8aca6c77bbc3c3ec1dbe1

SHA256
a20669520e7df91189ce5941ec6445dd47d749495f59a30390b868c554e40a4d

SHA512
fe893f5a15eaa789a5f17cb120c8b83a60459db1cbc3161097bbbc73cc05e28856734bb153bbae4c8bf3762da5143e4e5df5c6ae339103b80db03ba1e75ac4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4ED.tmp

Filesize
648KB

MD5
2c36969b9a995d19309adc6db5206627

SHA1
7606950ee9178439cda4336637cc93b6dfa5c288

SHA256
d22460deb75468019855647d7f34e6f303710318ba7269762d76500d1d31bf1f

SHA512
0d29249d6528b5d3a4d7f50b45803dba725996098e526426f6cae1f1ba7afda942058f308c669179f6b179532bbbbc79a9ddfccb52ff18906b633eb0a23606fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4ED.tmp

Filesize
648KB

MD5
2c36969b9a995d19309adc6db5206627

SHA1
7606950ee9178439cda4336637cc93b6dfa5c288

SHA256
d22460deb75468019855647d7f34e6f303710318ba7269762d76500d1d31bf1f

SHA512
0d29249d6528b5d3a4d7f50b45803dba725996098e526426f6cae1f1ba7afda942058f308c669179f6b179532bbbbc79a9ddfccb52ff18906b633eb0a23606fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8D6.tmp

Filesize
648KB

MD5
2c36969b9a995d19309adc6db5206627

SHA1
7606950ee9178439cda4336637cc93b6dfa5c288

SHA256
d22460deb75468019855647d7f34e6f303710318ba7269762d76500d1d31bf1f

SHA512
0d29249d6528b5d3a4d7f50b45803dba725996098e526426f6cae1f1ba7afda942058f308c669179f6b179532bbbbc79a9ddfccb52ff18906b633eb0a23606fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8D6.tmp

Filesize
648KB

MD5
2c36969b9a995d19309adc6db5206627

SHA1
7606950ee9178439cda4336637cc93b6dfa5c288

SHA256
d22460deb75468019855647d7f34e6f303710318ba7269762d76500d1d31bf1f

SHA512
0d29249d6528b5d3a4d7f50b45803dba725996098e526426f6cae1f1ba7afda942058f308c669179f6b179532bbbbc79a9ddfccb52ff18906b633eb0a23606fd

Download Submit