dd82983745440fd59fc88663a3f576ffd3b1fabeb3dacc34838b28d7d8ee9e16

General

Target

4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea.exe
Size

113.9MB
MD5

9db9ee16e120656a12cd39ec9f0dcf71
SHA1

cb7fe813cd8a7a0f2d631464ce079e69ed743460
SHA256

4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea
SHA512

6fb2c1d81f16bae6660fdc415c77cef2eb04b85079960303444805d53aeb2af64b0dee6a6092d7ba914c76aaea177384ca974a582116d2c8cda11adb0ba95c89
SSDEEP

1572864:SCWeqsA8ebd/DC6IvNHmxyYyRluHpr/ZScTOa8AEv67TY5iyJ9IS/Y/MCCKD+:jBGd/D1Ouy3LuJUcyRAk5Ay/IS/QoQ+

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2520	msiexec.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2520	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeSecurityPrivilege	2632	msiexec.exe
Token: SeCreateTokenPrivilege	2520	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2520	msiexec.exe
Token: SeLockMemoryPrivilege	2520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2520	msiexec.exe
Token: SeMachineAccountPrivilege	2520	msiexec.exe
Token: SeTcbPrivilege	2520	msiexec.exe
Token: SeSecurityPrivilege	2520	msiexec.exe
Token: SeTakeOwnershipPrivilege	2520	msiexec.exe
Token: SeLoadDriverPrivilege	2520	msiexec.exe
Token: SeSystemProfilePrivilege	2520	msiexec.exe
Token: SeSystemtimePrivilege	2520	msiexec.exe
Token: SeProfSingleProcessPrivilege	2520	msiexec.exe
Token: SeIncBasePriorityPrivilege	2520	msiexec.exe
Token: SeCreatePagefilePrivilege	2520	msiexec.exe
Token: SeCreatePermanentPrivilege	2520	msiexec.exe
Token: SeBackupPrivilege	2520	msiexec.exe
Token: SeRestorePrivilege	2520	msiexec.exe
Token: SeShutdownPrivilege	2520	msiexec.exe
Token: SeDebugPrivilege	2520	msiexec.exe
Token: SeAuditPrivilege	2520	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2520	msiexec.exe
Token: SeChangeNotifyPrivilege	2520	msiexec.exe
Token: SeRemoteShutdownPrivilege	2520	msiexec.exe
Token: SeUndockPrivilege	2520	msiexec.exe
Token: SeSyncAgentPrivilege	2520	msiexec.exe
Token: SeEnableDelegationPrivilege	2520	msiexec.exe
Token: SeManageVolumePrivilege	2520	msiexec.exe
Token: SeImpersonatePrivilege	2520	msiexec.exe
Token: SeCreateGlobalPrivilege	2520	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2520	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3068	4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea.exe
3068	4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2520	3068	4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea.exe	28
PID 3068 wrote to memory of 2520	3068	4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea.exe	28
PID 3068 wrote to memory of 2520	3068	4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea.exe	28
PID 3068 wrote to memory of 2520	3068	4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea.exe	28
PID 3068 wrote to memory of 2520	3068	4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea.exe	28
PID 3068 wrote to memory of 2520	3068	4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea.exe	28
PID 3068 wrote to memory of 2520	3068	4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea.exe	28

C:\Users\Admin\AppData\Local\Temp\4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea.exe
"C:\Users\Admin\AppData\Local\Temp\4dcbde0df9422c255efe15bbe94b0588796639cf74cb7ccefe8eb35aec4d52ea.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\msi63A5.tmp"
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2520

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msi63A5.tmp

Filesize
113.0MB

MD5
2585f0f53016c4241f1aa18f6eefdabe

SHA1
6e642ead1e7ea1bc6d282ba45dcfb4ea57b70a5c

SHA256
0ee7d656f81eb1174d16cc218873f7d84e7961d4dc45dded8d0afa1959f579f7

SHA512
9d59f20a069b846ec944284239575507d7295a10698047de16756d6b3e5b471ef2b7345ed839e101d0ad227ca027623233a4fe1e54ec73ff0781ab2e53e169a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\res6355.tmp

Filesize
7KB

MD5
08702b1f0eae916aa42d81f913aabaff

SHA1
c4a147e72d448e9f206b14375b7df49eb6647eb3

SHA256
09b908387b8740d7a0b17e9d4b241f629f8252e6ed1d4f766e9f4508c2ebaf37

SHA512
89df9ecad8c8de29c1223700492bf57b06c686d4c8c3ba50ab09654bf8f8b43478ca2d84872ec596a3d7c6ccd6bbb9d20bd9df0ed6fce399ced6adf35e5ff1be

Download Submit

Analysis

Sharing