Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 13/10/2023, 01:20
Static task: static1
Behavioral task: behavioral1 (sample: node-v14.15.4-x64.msi, resource: win7-20230831-en)
Behavioral task: behavioral2 (sample: node-v14.15.4-x64.msi, resource: win10v2004-20230915-en)
General
Target: node-v14.15.4-x64.msi
Size: 28.9MB
MD5: e34c5147dda4d4c4960e7f3471281093
SHA1: 3d448390f2179b332f35dd13ffcee7541f496cbf
SHA256: 346a053dcd7508f1e5fbb2da0e34cbb3da206ab2439c4bab5a219c3b75e62475
SHA512: 5d6e9c0dea877c23e054bee2461cf5286ec304ae449d0c4c2fbb7d6fcd2e37da6bd3ea886e6aedde985d077dcfa1f3a65ff0d322d97724cd844fd03c983763f7
SSDEEP: 786432:ZpTBIQk8nk9jDdozbJuYwNZnbnxfv18X:ZpTNk8ktdoztwNZna
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  pid   Process
  2740  MsiExec.exe

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  3     2232  msiexec.exe
  5     2232  msiexec.exe
  7     2232  msiexec.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2232  msiexec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2232  msiexec.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process      procid_target
  PID 2104 wrote to memory of 2740  2104  msiexec.exe  29
  PID 2104 wrote to memory of 2740  2104  msiexec.exe  29
  PID 2104 wrote to memory of 2740  2104  msiexec.exe  29
  PID 2104 wrote to memory of 2740  2104  msiexec.exe  29
  PID 2104 wrote to memory of 2740  2104  msiexec.exe  29
Processes
- C:\Windows\system32\msiexec.exe (PID 2232)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\node-v14.15.4-x64.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2104)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\MsiExec.exe (PID 2740, child of PID 2104)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding 85E127BA5E00C081D0A40F718917CE74 C
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads