7549d4a121e1e7b5dc056cebe025d1af3d8c03440cad9bb23697c3f9bc6d07a9

Analysis

max time kernel
241s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f.msi
Size

3.4MB
MD5

5d9e72d1e3a99bec71fad561fa95037c
SHA1

fbc94c649ba3d8bb6c7e1d98e7fdeea40cd395b2
SHA256

b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f
SHA512

8d0311d94a0de8646ec2733530a2db7d2c6e2b03f54e54ac0bc84538a636fe8211e6a582530d9ea8cd02ba08e259d778498d6f29e6744ba45f434d2a87874c97
SSDEEP

49152:E6rGohlj9szAlopTyWD57kEv53rw6cvOlM3w99xYF/gr/QaTdxKJWNYCILZ:qoSTyqk7vvO8Q9xU/w/QPOI9

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
4364	MsiExec.exe
4364	MsiExec.exe
4364	MsiExec.exe
4364	MsiExec.exe
4364	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{F345E384-B24F-4B23-A9A8-CF9B1BB5EFAE}	msiexec.exe
File opened for modification	C:\Windows\Installer\e59ef77.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7300.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF0C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e59ef77.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C0C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE2E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI39AF.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2448	msiexec.exe
2448	msiexec.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2640	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2640	msiexec.exe
Token: SeSecurityPrivilege	2448	msiexec.exe
Token: SeCreateTokenPrivilege	2640	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2640	msiexec.exe
Token: SeLockMemoryPrivilege	2640	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2640	msiexec.exe
Token: SeMachineAccountPrivilege	2640	msiexec.exe
Token: SeTcbPrivilege	2640	msiexec.exe
Token: SeSecurityPrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeLoadDriverPrivilege	2640	msiexec.exe
Token: SeSystemProfilePrivilege	2640	msiexec.exe
Token: SeSystemtimePrivilege	2640	msiexec.exe
Token: SeProfSingleProcessPrivilege	2640	msiexec.exe
Token: SeIncBasePriorityPrivilege	2640	msiexec.exe
Token: SeCreatePagefilePrivilege	2640	msiexec.exe
Token: SeCreatePermanentPrivilege	2640	msiexec.exe
Token: SeBackupPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeShutdownPrivilege	2640	msiexec.exe
Token: SeDebugPrivilege	2640	msiexec.exe
Token: SeAuditPrivilege	2640	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2640	msiexec.exe
Token: SeChangeNotifyPrivilege	2640	msiexec.exe
Token: SeRemoteShutdownPrivilege	2640	msiexec.exe
Token: SeUndockPrivilege	2640	msiexec.exe
Token: SeSyncAgentPrivilege	2640	msiexec.exe
Token: SeEnableDelegationPrivilege	2640	msiexec.exe
Token: SeManageVolumePrivilege	2640	msiexec.exe
Token: SeImpersonatePrivilege	2640	msiexec.exe
Token: SeCreateGlobalPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2640	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 4364	2448	msiexec.exe	90
PID 2448 wrote to memory of 4364	2448	msiexec.exe	90
PID 2448 wrote to memory of 4364	2448	msiexec.exe	90

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b029b40badab029cbd916ab2e5147e9f01abd147e1bf9e5ed1564ee44a0d087f.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2640

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B268BDEE2DF27DDF5DEFE3B137BF50C3
  2⤵
  - Loads dropped DLL
  PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59ef7a.rbs

Filesize
1KB

MD5
75a409b14dc4ab5ca768e25a98777664

SHA1
8d0199c37d85aac5a641687b182162dc2dbc6ea6

SHA256
8140fbe4fa0e3b075569a8c33a1eaab5e59ed529f716d9b98c435fdd4cbd4028

SHA512
28dc08c64f40deebcec05a4524d1d744707e9975ca796096e5dcd199daa43d0ce7f7800947ebb3144f7d365f9190045237c39e4e6e78f8c775aa482b5f79fa2f

Download Submit
C:\Windows\Installer\MSI5C0C.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSI5C0C.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSI7300.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSI7300.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIB5A7.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIB5A7.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIB5A7.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSICF0C.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSICF0C.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIEE2E.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Windows\Installer\MSIEE2E.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit