Analysis
- max time kernel: 153s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2023 01:20
Static task: static1
Behavioral task: behavioral1
- Sample: node-v14.15.4-x64.msi
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: node-v14.15.4-x64.msi
- Resource: win10v2004-20230915-en
General
- Target: node-v14.15.4-x64.msi
- Size: 28.9MB
- MD5: e34c5147dda4d4c4960e7f3471281093
- SHA1: 3d448390f2179b332f35dd13ffcee7541f496cbf
- SHA256: 346a053dcd7508f1e5fbb2da0e34cbb3da206ab2439c4bab5a219c3b75e62475
- SHA512: 5d6e9c0dea877c23e054bee2461cf5286ec304ae449d0c4c2fbb7d6fcd2e37da6bd3ea886e6aedde985d077dcfa1f3a65ff0d322d97724cd844fd03c983763f7
- SSDEEP: 786432:ZpTBIQk8nk9jDdozbJuYwNZnbnxfv18X:ZpTNk8ktdoztwNZna
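The General block above is the sandbox's own fingerprint of the submitted file; it says nothing about whether that file is the installer the publisher actually shipped. The check a practitioner wants before trusting a behavioural verdict on a vendor installer is to recompute the digests locally and compare the SHA-256 with the publisher's signed SHASUMS256.txt for that release. The script below is an added example, not the sandbox vendor's or the Node.js project's code; the manifest text and the sample file it hashes are constructed for the example (the file is the three bytes b"abc"), and in practice you feed it the real download and the real manifest.

```python
"""Verify a downloaded installer against a sha256sum-style manifest before
leaning on a sandbox verdict: a clean-looking run says nothing about whether
the file is the one the publisher shipped.

Added example, not the sandbox vendor's or the Node.js project's code. The
manifest text and the file below are constructed (the file content is b"abc").
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed: sha256sum-style manifest for a file whose content is b"abc".
SHASUMS_GOOD = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample.bin\n"
)
# Constructed: the same manifest with a wrong digest, as a tampered mirror would serve.
SHASUMS_TAMPERED = "00" * 32 + "  sample.bin\n"
HEX = set("0123456789abcdef")


def digest_file(path, algorithms=("md5", "sha1", "sha256", "sha512")):
    """Stream the file once and return {algorithm: hexdigest}: the same four
    digests a report's General block lists, so they can be compared directly
    with what was submitted."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def parse_shasums(text):
    """Parse '<64 hex>  <filename>' lines (sha256sum output; a leading '*'
    binary marker on the name is tolerated) into {filename: hex}.
    A malformed line is an error, not something to skip silently."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0].lower()) <= HEX:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {line!r}")
        table[parts[1].strip().lstrip("*")] = parts[0].lower()
    return table


def verify_download(path, shasums_text, name=None):
    """Return (ok, expected, actual). A filename absent from the manifest
    raises KeyError on purpose: 'not listed' must never count as verified."""
    name = name or Path(path).name
    expected = parse_shasums(shasums_text)[name]
    actual = digest_file(path, ("sha256",))["sha256"]
    return hmac.compare_digest(expected, actual), expected, actual


def demo():
    """Write the constructed sample file and check it against both manifests."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "sample.bin"
        sample.write_bytes(b"abc")
        ok_good, _, _ = verify_download(sample, SHASUMS_GOOD)
        ok_bad, _, _ = verify_download(sample, SHASUMS_TAMPERED)
    return ok_good, ok_bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Keep the manifest-lookup strict: a file that is not listed raises rather than returning False, so a renamed or unexpected artifact cannot slip through as "no mismatch found".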
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid   Process
  3160  MsiExec.exe
- Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  5     3416  msiexec.exe
  8     3416  msiexec.exe
  10    3416  msiexec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: msiexec.exe
  Every drive root except \??\C:, \??\D: and \??\F: was opened, each exactly twice (46 entries; the report interleaves the two passes, the list here is sorted):
  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                      pid   Process
  Token: SeShutdownPrivilege       3416  msiexec.exe
  Token: SeIncreaseQuotaPrivilege  3416  msiexec.exe
  Token: SeSecurityPrivilege       1992  msiexec.exe
  The remaining 61 entries are pid 3416 msiexec.exe adjusting the following 29 privileges in this order, twice in full and a third time cut off by the 64-IoC cap after SeLockMemoryPrivilege:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  3416  msiexec.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   Process      procid_target
  PID 1992 wrote to memory of 3160  1992  msiexec.exe  85
  PID 1992 wrote to memory of 3160  1992  msiexec.exe  85
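The signature tables above arrive as one run-together row per signature, which is hard to query by hand when there are 46 drive-open entries and 64 token adjustments. The script below is an added example, not the sandbox vendor's code: it parses the flattened "description ioc Process" rows into structured records and answers the three questions a triager asks of this report (which drive roots were probed and how often, which privileges each pid enabled and which of those deserve a second look, and which pid wrote into which). The sample rows are copied from this report's own tables but abbreviated (four of the 46 drive entries, five of the 64 token entries), and the regular expressions are my assumptions about the flattened layout.

```python
"""Pull structured facts out of the flattened signature rows of a sandbox
report: which drive roots a process opened, which privileges each pid enabled
(and which of those deserve a second look), and which pid wrote into which.

Added example, not the sandbox vendor's code. The sample rows are abbreviated
copies of this report's own IoC tables; the regexes are assumptions about the
flattened "description ioc Process" layout.
"""
import re
from collections import Counter, defaultdict

# Constructed samples: abbreviated copies of the report's rows.
DRIVE_ROWS = (r"File opened (read-only) \??\N: msiexec.exe "
              r"File opened (read-only) \??\X: msiexec.exe "
              r"File opened (read-only) \??\G: msiexec.exe "
              r"File opened (read-only) \??\N: msiexec.exe")
TOKEN_ROWS = ("Token: SeShutdownPrivilege 3416 msiexec.exe "
              "Token: SeIncreaseQuotaPrivilege 3416 msiexec.exe "
              "Token: SeSecurityPrivilege 1992 msiexec.exe "
              "Token: SeDebugPrivilege 3416 msiexec.exe "
              "Token: SeTcbPrivilege 3416 msiexec.exe")
WPM_ROWS = ("PID 1992 wrote to memory of 3160 1992 msiexec.exe 85 "
            "PID 1992 wrote to memory of 3160 1992 msiexec.exe 85")

# Row grammars (assumed from the layout above).
DRIVE_RE = re.compile(
    r"File opened \((?P<mode>[^)]+)\) \\\?\?\\(?P<drive>[A-Z]):\s+(?P<proc>\S+)")
TOKEN_RE = re.compile(
    r"Token:\s+(?P<priv>Se\w+Privilege)\s+(?P<pid>\d+)\s+(?P<proc>\S+)")
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<proc>\S+)\s+(?P<target>\d+)")

# Privileges that let a process read or write other security contexts;
# the ones to check first when an installer process requests them.
RISKY = frozenset({
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeCreateTokenPrivilege",
})


def parse_drives(text):
    """Count how often each drive-letter root was opened."""
    return Counter(m.group("drive") for m in DRIVE_RE.finditer(text))


def missing_drives(counter):
    """Letters A-Z that never appear; C: (the default) should be among them."""
    return [chr(c) for c in range(ord("A"), ord("Z") + 1) if chr(c) not in counter]


def parse_tokens(text):
    """Map pid -> privileges in the order they were adjusted (repeats kept)."""
    by_pid = defaultdict(list)
    for m in TOKEN_RE.finditer(text):
        by_pid[m.group("pid")].append(m.group("priv"))
    return dict(by_pid)


def risky_privileges(by_pid):
    """Map pid -> sorted, de-duplicated subset of RISKY it enabled."""
    return {pid: sorted(set(privs) & RISKY) for pid, privs in by_pid.items()}


def parse_wpm(text):
    """Distinct (writer pid, target pid) pairs from WriteProcessMemory rows."""
    return sorted({(m.group("src"), m.group("dst")) for m in WPM_RE.finditer(text)})


def summarize(drive_text, token_text, wpm_text):
    """One dict with everything a triage note needs from these three tables."""
    drives = parse_drives(drive_text)
    by_pid = parse_tokens(token_text)
    return {
        "drives_probed": dict(sorted(drives.items())),
        "drives_untouched": missing_drives(drives),
        "privileges_by_pid": by_pid,
        "risky_by_pid": risky_privileges(by_pid),
        "memory_writes": parse_wpm(wpm_text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(DRIVE_ROWS, TOKEN_ROWS, WPM_ROWS), indent=2))
```

Feed it the full rows from the report and the "memory_writes" pair (1992 wrote into 3160) lines up with the process tree, where the /V service instance is the parent of the -Embedding custom-action server; the token list then tells you which pid enabled SeDebugPrivilege and SeTcbPrivilege rather than making you count through 64 entries.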
Processes
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\node-v14.15.4-x64.msi
  PID: 3416
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1992
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\MsiExec.exe (depth 2)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 9F3F55CFBA2732384901C242E9129C09 C
    PID: 3160
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 120KB
  MD5: a32e4b24b124903f092b62171fce4cc1
  SHA1: ff6f4c3fa9418f0c209ef273fd2a7a9906f4bf84
  SHA256: 4d85ae0972ce01d4d975030ad0eb489c9f118f1067f077c16b59402fc65adf20
  SHA512: 366ee6097d7c4d197b92adbc8feb2e5c59cebaa63fd4559f30458f8c55ad400c0a5fcf43bab42a2baee8b2dbf0e4e8687996f09f10349da9f2babd243698bee7