Analysis
max time kernel: 145s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2023, 02:32
Static task: static1
Behavioral task: behavioral1
  Sample: nlm11.14.1.3_ipv4_ipv6_win64.msi
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: nlm11.14.1.3_ipv4_ipv6_win64.msi
  Resource: win10v2004-20230915-en
General
Target: nlm11.14.1.3_ipv4_ipv6_win64.msi
Size: 8.1MB
MD5: ef812d21c5a53f3828ae9c66d347f6c2
SHA1: 36c7caea6dac0c8545d85adaa47fe6311a37e685
SHA256: 2055f55d9eba9c2212984725317533b0d8fbe80ab3934dc0b611125f3fee4f60
SHA512: 5e796c894102e662dc9c6a8ae0a15de6284bfe94db9eb5f42bcefcfca4dc2a16169959b42d932614d67ba3fd2f3f5e1d252d4d564d805f329cd7eeddb97075ab
SSDEEP: 98304:cT0zprH7T+Oml9pcfXGWxYeQiDVGaJzlNDKLOZ/g8HLYbA09u4sIb2vzDX3Z/i7m:blH7Ko1QeVGC4OZ/VIAku4sK2vz
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  pid   Process
  2244  MsiExec.exe
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  24    4748  msiexec.exe
  29    4748  msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                            pid   Process
  Token: SeShutdownPrivilege             4748  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        4748  msiexec.exe
  Token: SeSecurityPrivilege             5008  msiexec.exe
  Token: SeCreateTokenPrivilege          4748  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   4748  msiexec.exe
  Token: SeLockMemoryPrivilege           4748  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        4748  msiexec.exe
  Token: SeMachineAccountPrivilege       4748  msiexec.exe
  Token: SeTcbPrivilege                  4748  msiexec.exe
  Token: SeSecurityPrivilege             4748  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4748  msiexec.exe
  Token: SeLoadDriverPrivilege           4748  msiexec.exe
  Token: SeSystemProfilePrivilege        4748  msiexec.exe
  Token: SeSystemtimePrivilege           4748  msiexec.exe
  Token: SeProfSingleProcessPrivilege    4748  msiexec.exe
  Token: SeIncBasePriorityPrivilege      4748  msiexec.exe
  Token: SeCreatePagefilePrivilege       4748  msiexec.exe
  Token: SeCreatePermanentPrivilege      4748  msiexec.exe
  Token: SeBackupPrivilege               4748  msiexec.exe
  Token: SeRestorePrivilege              4748  msiexec.exe
  Token: SeShutdownPrivilege             4748  msiexec.exe
  Token: SeDebugPrivilege                4748  msiexec.exe
  Token: SeAuditPrivilege                4748  msiexec.exe
  Token: SeSystemEnvironmentPrivilege    4748  msiexec.exe
  Token: SeChangeNotifyPrivilege         4748  msiexec.exe
  Token: SeRemoteShutdownPrivilege       4748  msiexec.exe
  Token: SeUndockPrivilege               4748  msiexec.exe
  Token: SeSyncAgentPrivilege            4748  msiexec.exe
  Token: SeEnableDelegationPrivilege     4748  msiexec.exe
  Token: SeManageVolumePrivilege         4748  msiexec.exe
  Token: SeImpersonatePrivilege          4748  msiexec.exe
  Token: SeCreateGlobalPrivilege         4748  msiexec.exe
  Token: SeCreateTokenPrivilege          4748  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   4748  msiexec.exe
  Token: SeLockMemoryPrivilege           4748  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        4748  msiexec.exe
  Token: SeMachineAccountPrivilege       4748  msiexec.exe
  Token: SeTcbPrivilege                  4748  msiexec.exe
  Token: SeSecurityPrivilege             4748  msiexec.exe
  Token: SeTakeOwnershipPrivilege        4748  msiexec.exe
  Token: SeLoadDriverPrivilege           4748  msiexec.exe
  Token: SeSystemProfilePrivilege        4748  msiexec.exe
  Token: SeSystemtimePrivilege           4748  msiexec.exe
  Token: SeProfSingleProcessPrivilege    4748  msiexec.exe
  Token: SeIncBasePriorityPrivilege      4748  msiexec.exe
  Token: SeCreatePagefilePrivilege       4748  msiexec.exe
  Token: SeCreatePermanentPrivilege      4748  msiexec.exe
  Token: SeBackupPrivilege               4748  msiexec.exe
  Token: SeRestorePrivilege              4748  msiexec.exe
  Token: SeShutdownPrivilege             4748  msiexec.exe
  Token: SeDebugPrivilege                4748  msiexec.exe
  Token: SeAuditPrivilege                4748  msiexec.exe
  Token: SeSystemEnvironmentPrivilege    4748  msiexec.exe
  Token: SeChangeNotifyPrivilege         4748  msiexec.exe
  Token: SeRemoteShutdownPrivilege       4748  msiexec.exe
  Token: SeUndockPrivilege               4748  msiexec.exe
  Token: SeSyncAgentPrivilege            4748  msiexec.exe
  Token: SeEnableDelegationPrivilege     4748  msiexec.exe
  Token: SeManageVolumePrivilege         4748  msiexec.exe
  Token: SeImpersonatePrivilege          4748  msiexec.exe
  Token: SeCreateGlobalPrivilege         4748  msiexec.exe
  Token: SeCreateTokenPrivilege          4748  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   4748  msiexec.exe
  Token: SeLockMemoryPrivilege           4748  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4748  msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process      procid_target
  PID 5008 wrote to memory of 2244   5008  msiexec.exe  91
  PID 5008 wrote to memory of 2244   5008  msiexec.exe  91
  PID 5008 wrote to memory of 2244   5008  msiexec.exe  91
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nlm11.14.1.3_ipv4_ipv6_win64.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4748

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5008
  Child process:
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F0FC33B800606F26602335B15F5EE177 C
    - Loads dropped DLL
    PID: 2244
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 202KB
MD5: ba84dd4e0c1408828ccc1de09f585eda
SHA1: e8e10065d479f8f591b9885ea8487bc673301298
SHA256: 3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA512: 7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290