74e6ff5a3e188edecc8620e3a88cf7b0ba24424a42e2ab66ab7522849621e0e3

Analysis

max time kernel
122s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup123.msi
Size

1.8MB
MD5

b23de5f6a3f2c269c8d828fc0dcaa6cf
SHA1

ebed5f4eaac2437bc47e2502c41082ac1c3e9460
SHA256

74e6ff5a3e188edecc8620e3a88cf7b0ba24424a42e2ab66ab7522849621e0e3
SHA512

dfc077484bad5e9a79c24e6e998d5b05277fb865078a7dcfe0a99e6cee5ab08fc2918462992cffa6f7b7c8e8897dc7d0df751178f4688282232071fd0d667027
SSDEEP

24576:3vAJxFNBGa6G6kth0lhSMXlN0Y53rNI1H4ZeJ5MiIf9oNYe9pUdtTWbQ:3o7ckEv53rGl4O5JIf9ofXyS

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe
1528	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4168	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4168	msiexec.exe
Token: SeSecurityPrivilege	564	msiexec.exe
Token: SeCreateTokenPrivilege	4168	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4168	msiexec.exe
Token: SeLockMemoryPrivilege	4168	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4168	msiexec.exe
Token: SeMachineAccountPrivilege	4168	msiexec.exe
Token: SeTcbPrivilege	4168	msiexec.exe
Token: SeSecurityPrivilege	4168	msiexec.exe
Token: SeTakeOwnershipPrivilege	4168	msiexec.exe
Token: SeLoadDriverPrivilege	4168	msiexec.exe
Token: SeSystemProfilePrivilege	4168	msiexec.exe
Token: SeSystemtimePrivilege	4168	msiexec.exe
Token: SeProfSingleProcessPrivilege	4168	msiexec.exe
Token: SeIncBasePriorityPrivilege	4168	msiexec.exe
Token: SeCreatePagefilePrivilege	4168	msiexec.exe
Token: SeCreatePermanentPrivilege	4168	msiexec.exe
Token: SeBackupPrivilege	4168	msiexec.exe
Token: SeRestorePrivilege	4168	msiexec.exe
Token: SeShutdownPrivilege	4168	msiexec.exe
Token: SeDebugPrivilege	4168	msiexec.exe
Token: SeAuditPrivilege	4168	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4168	msiexec.exe
Token: SeChangeNotifyPrivilege	4168	msiexec.exe
Token: SeRemoteShutdownPrivilege	4168	msiexec.exe
Token: SeUndockPrivilege	4168	msiexec.exe
Token: SeSyncAgentPrivilege	4168	msiexec.exe
Token: SeEnableDelegationPrivilege	4168	msiexec.exe
Token: SeManageVolumePrivilege	4168	msiexec.exe
Token: SeImpersonatePrivilege	4168	msiexec.exe
Token: SeCreateGlobalPrivilege	4168	msiexec.exe
Token: SeCreateTokenPrivilege	4168	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4168	msiexec.exe
Token: SeLockMemoryPrivilege	4168	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4168	msiexec.exe
Token: SeMachineAccountPrivilege	4168	msiexec.exe
Token: SeTcbPrivilege	4168	msiexec.exe
Token: SeSecurityPrivilege	4168	msiexec.exe
Token: SeTakeOwnershipPrivilege	4168	msiexec.exe
Token: SeLoadDriverPrivilege	4168	msiexec.exe
Token: SeSystemProfilePrivilege	4168	msiexec.exe
Token: SeSystemtimePrivilege	4168	msiexec.exe
Token: SeProfSingleProcessPrivilege	4168	msiexec.exe
Token: SeIncBasePriorityPrivilege	4168	msiexec.exe
Token: SeCreatePagefilePrivilege	4168	msiexec.exe
Token: SeCreatePermanentPrivilege	4168	msiexec.exe
Token: SeBackupPrivilege	4168	msiexec.exe
Token: SeRestorePrivilege	4168	msiexec.exe
Token: SeShutdownPrivilege	4168	msiexec.exe
Token: SeDebugPrivilege	4168	msiexec.exe
Token: SeAuditPrivilege	4168	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4168	msiexec.exe
Token: SeChangeNotifyPrivilege	4168	msiexec.exe
Token: SeRemoteShutdownPrivilege	4168	msiexec.exe
Token: SeUndockPrivilege	4168	msiexec.exe
Token: SeSyncAgentPrivilege	4168	msiexec.exe
Token: SeEnableDelegationPrivilege	4168	msiexec.exe
Token: SeManageVolumePrivilege	4168	msiexec.exe
Token: SeImpersonatePrivilege	4168	msiexec.exe
Token: SeCreateGlobalPrivilege	4168	msiexec.exe
Token: SeCreateTokenPrivilege	4168	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4168	msiexec.exe
Token: SeLockMemoryPrivilege	4168	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4168	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 1528	564	msiexec.exe	84
PID 564 wrote to memory of 1528	564	msiexec.exe	84
PID 564 wrote to memory of 1528	564	msiexec.exe	84

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup123.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F7090CF83548728F689283AAEB3C6B82 C
  2⤵
  - Loads dropped DLL
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIE4A3.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE4A3.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE754.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE754.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE85E.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE85E.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE85E.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE88E.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE88E.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE8AE.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE8AE.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEA74.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEA74.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit