6927c384377b1dd9a746489f41cc1177101c5ca678ba1bb28c2e2496d8806acf

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
23/09/2023, 05:44 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FootSwitch V7.1.0.msi
Size

10.0MB
MD5

58ac97c5432546daea70335476123726
SHA1

654a875e5e4671052eb4c67ac53fbc0876241b04
SHA256

6927c384377b1dd9a746489f41cc1177101c5ca678ba1bb28c2e2496d8806acf
SHA512

1bf3cd99c375ef3b7c9078b13ce940f47219b2b290625e05e3032aa2ceebba8179a4699b3eb2f330f67238ba793e1e9e2fe60e1e8cbe1410e55d4601d4357c03
SSDEEP

196608:VKx7z/fq/fz0ZcEiYavmddz9NhLMuGvMbNMnNIhEFCTe5ezLfJwC:47z6D3E3FwuGQ4GEsTe5g

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2728	MsiExec.exe
2728	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3040	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3040	msiexec.exe
Token: SeRestorePrivilege	1376	msiexec.exe
Token: SeTakeOwnershipPrivilege	1376	msiexec.exe
Token: SeSecurityPrivilege	1376	msiexec.exe
Token: SeCreateTokenPrivilege	3040	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3040	msiexec.exe
Token: SeLockMemoryPrivilege	3040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3040	msiexec.exe
Token: SeMachineAccountPrivilege	3040	msiexec.exe
Token: SeTcbPrivilege	3040	msiexec.exe
Token: SeSecurityPrivilege	3040	msiexec.exe
Token: SeTakeOwnershipPrivilege	3040	msiexec.exe
Token: SeLoadDriverPrivilege	3040	msiexec.exe
Token: SeSystemProfilePrivilege	3040	msiexec.exe
Token: SeSystemtimePrivilege	3040	msiexec.exe
Token: SeProfSingleProcessPrivilege	3040	msiexec.exe
Token: SeIncBasePriorityPrivilege	3040	msiexec.exe
Token: SeCreatePagefilePrivilege	3040	msiexec.exe
Token: SeCreatePermanentPrivilege	3040	msiexec.exe
Token: SeBackupPrivilege	3040	msiexec.exe
Token: SeRestorePrivilege	3040	msiexec.exe
Token: SeShutdownPrivilege	3040	msiexec.exe
Token: SeDebugPrivilege	3040	msiexec.exe
Token: SeAuditPrivilege	3040	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3040	msiexec.exe
Token: SeChangeNotifyPrivilege	3040	msiexec.exe
Token: SeRemoteShutdownPrivilege	3040	msiexec.exe
Token: SeUndockPrivilege	3040	msiexec.exe
Token: SeSyncAgentPrivilege	3040	msiexec.exe
Token: SeEnableDelegationPrivilege	3040	msiexec.exe
Token: SeManageVolumePrivilege	3040	msiexec.exe
Token: SeImpersonatePrivilege	3040	msiexec.exe
Token: SeCreateGlobalPrivilege	3040	msiexec.exe
Token: SeCreateTokenPrivilege	3040	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3040	msiexec.exe
Token: SeLockMemoryPrivilege	3040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3040	msiexec.exe
Token: SeMachineAccountPrivilege	3040	msiexec.exe
Token: SeTcbPrivilege	3040	msiexec.exe
Token: SeSecurityPrivilege	3040	msiexec.exe
Token: SeTakeOwnershipPrivilege	3040	msiexec.exe
Token: SeLoadDriverPrivilege	3040	msiexec.exe
Token: SeSystemProfilePrivilege	3040	msiexec.exe
Token: SeSystemtimePrivilege	3040	msiexec.exe
Token: SeProfSingleProcessPrivilege	3040	msiexec.exe
Token: SeIncBasePriorityPrivilege	3040	msiexec.exe
Token: SeCreatePagefilePrivilege	3040	msiexec.exe
Token: SeCreatePermanentPrivilege	3040	msiexec.exe
Token: SeBackupPrivilege	3040	msiexec.exe
Token: SeRestorePrivilege	3040	msiexec.exe
Token: SeShutdownPrivilege	3040	msiexec.exe
Token: SeDebugPrivilege	3040	msiexec.exe
Token: SeAuditPrivilege	3040	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3040	msiexec.exe
Token: SeChangeNotifyPrivilege	3040	msiexec.exe
Token: SeRemoteShutdownPrivilege	3040	msiexec.exe
Token: SeUndockPrivilege	3040	msiexec.exe
Token: SeSyncAgentPrivilege	3040	msiexec.exe
Token: SeEnableDelegationPrivilege	3040	msiexec.exe
Token: SeManageVolumePrivilege	3040	msiexec.exe
Token: SeImpersonatePrivilege	3040	msiexec.exe
Token: SeCreateGlobalPrivilege	3040	msiexec.exe
Token: SeCreateTokenPrivilege	3040	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3040	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 2728	1376	msiexec.exe	29
PID 1376 wrote to memory of 2728	1376	msiexec.exe	29
PID 1376 wrote to memory of 2728	1376	msiexec.exe	29
PID 1376 wrote to memory of 2728	1376	msiexec.exe	29
PID 1376 wrote to memory of 2728	1376	msiexec.exe	29
PID 1376 wrote to memory of 2728	1376	msiexec.exe	29
PID 1376 wrote to memory of 2728	1376	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\FootSwitch V7.1.0.msi"
1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1CA05FF3F846810357C08CA71786A94B C
  2⤵
  - Loads dropped DLL
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI4846.tmp

Filesize
298KB

MD5
373e46a1e858b6a10432d589de09732f

SHA1
26e71b5373999a23eb6e2a282de3683dd9d698b5

SHA256
0357b1185454d1a7d0c72de5af8e82a2185c0f1e52fb2d21b53e149d0a688041

SHA512
9b83f10f5e1cbe8ff97a5ead0ca02fce5f58e6e573077d2293f5c34e8d894836dd8e2a6b1dcdfa6c98f156704208f85e8595046527adab3fbe831236c71aaef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4A0C.tmp

Filesize
298KB

MD5
373e46a1e858b6a10432d589de09732f

SHA1
26e71b5373999a23eb6e2a282de3683dd9d698b5

SHA256
0357b1185454d1a7d0c72de5af8e82a2185c0f1e52fb2d21b53e149d0a688041

SHA512
9b83f10f5e1cbe8ff97a5ead0ca02fce5f58e6e573077d2293f5c34e8d894836dd8e2a6b1dcdfa6c98f156704208f85e8595046527adab3fbe831236c71aaef8

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4846.tmp

Filesize
298KB

MD5
373e46a1e858b6a10432d589de09732f

SHA1
26e71b5373999a23eb6e2a282de3683dd9d698b5

SHA256
0357b1185454d1a7d0c72de5af8e82a2185c0f1e52fb2d21b53e149d0a688041

SHA512
9b83f10f5e1cbe8ff97a5ead0ca02fce5f58e6e573077d2293f5c34e8d894836dd8e2a6b1dcdfa6c98f156704208f85e8595046527adab3fbe831236c71aaef8

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4A0C.tmp

Filesize
298KB

MD5
373e46a1e858b6a10432d589de09732f

SHA1
26e71b5373999a23eb6e2a282de3683dd9d698b5

SHA256
0357b1185454d1a7d0c72de5af8e82a2185c0f1e52fb2d21b53e149d0a688041

SHA512
9b83f10f5e1cbe8ff97a5ead0ca02fce5f58e6e573077d2293f5c34e8d894836dd8e2a6b1dcdfa6c98f156704208f85e8595046527adab3fbe831236c71aaef8

Download Submit