Analysis
max time kernel: 142s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2023, 22:54
Static task: static1
Behavioral task: behavioral1
  Sample: 1cbf0d1736fe6059eadd329cfec5c7dc72f646fdeba65631d471488016a58bbe.msi
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 1cbf0d1736fe6059eadd329cfec5c7dc72f646fdeba65631d471488016a58bbe.msi
  Resource: win10v2004-20231020-en
General
Target: 1cbf0d1736fe6059eadd329cfec5c7dc72f646fdeba65631d471488016a58bbe.msi
Size: 3.6MB
MD5: 531c347accd7a17a513d403fedf173f0
SHA1: 6ecb00ba05eda37a23e4355364616fb779eca538
SHA256: 1cbf0d1736fe6059eadd329cfec5c7dc72f646fdeba65631d471488016a58bbe
SHA512: 2c4827e421add64f82c57c568ab6e4895d44a5db499540c9cb53d7dc96d159b4b61cf453d47ecb03fd91c364927d1c123f44092b373969ccb11e2cbb8cd99ada
SSDEEP: 49152:tUvUESYyZ3GgD+7/WXbB6oIJgACo8tfkMjpmW:aSYyZ3vD+7AUoIJgACAMp
Malware Config
Signatures
Loads dropped DLL (4 IoCs)
pid   Process
3972  MsiExec.exe
3972  MsiExec.exe
3972  MsiExec.exe
3972  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
Process: msiexec.exe
ioc: 46 entries in total; each of the following 23 drive roots appears twice, and there are no entries for C:, D: or F:
\??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token                     pid   Process
SeShutdownPrivilege       3900  msiexec.exe
SeIncreaseQuotaPrivilege  3900  msiexec.exe
SeSecurityPrivilege       524   msiexec.exe
PID 3900 (msiexec.exe) then adjusts the following 29 privileges, in this order, twice in full (entries 4 to 61):
SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
and begins a third pass (entries 62 to 64): SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, all PID 3900, msiexec.exe.
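Both of the signatures above ("Enumerates connected drives" and "Suspicious use of AdjustPrivilegeToken") fire on the Windows Installer binaries themselves (msiexec.exe, PIDs 3900 and 524), which commonly touch every drive root during disk costing and enable a broad privilege set during an install, so neither signature on its own separates a malicious package from a benign one. The script below is an added example, not part of the sandbox report or its detection rules: it parses IoC rows in the flattened "description ioc Process" / "Token: privilege pid Process" shape this page uses and re-derives both verdicts with explicit, tunable thresholds. The drive-count threshold, the HIGH_IMPACT privilege set and the benign notepad.exe rows are the example's own assumptions; the msiexec.exe rows are a slice of the report.

```python
"""Re-derive two sandbox heuristics from IoC rows in this report's format.

Added example. The row strings at the bottom are constructed: the
msiexec.exe rows copy entries from the report, the notepad.exe rows are
invented as a benign control. The threshold and HIGH_IMPACT set are the
example author's choices, not rules published by the sandbox.
"""
from __future__ import annotations

import re
from collections import defaultdict

# "File opened (read-only) \??\X: <process>" rows from the drive-enumeration table.
FILE_ROW = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)")
# "Token: <privilege> <pid> <process>" rows from the AdjustPrivilegeToken table.
TOKEN_ROW = re.compile(r"Token:\s+(Se\w+Privilege)\s+(\d+)\s+(\S+)")

# Privileges worth calling out individually (example author's selection).
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}


def drive_roots_by_process(flattened: str) -> dict[str, set[str]]:
    """Map each process name to the set of drive letters whose root it opened."""
    roots: dict[str, set[str]] = defaultdict(set)
    for letter, process in FILE_ROW.findall(flattened):
        roots[process].add(letter)
    return dict(roots)


def enumerates_drives(flattened: str, min_other_drives: int = 3) -> dict[str, bool]:
    """Flag a process that opens the root of at least `min_other_drives`
    distinct drives other than C:. The threshold is an assumption; the
    report states the rule only qualitatively."""
    verdict = {}
    for process, letters in drive_roots_by_process(flattened).items():
        verdict[process] = len(letters - {"C"}) >= min_other_drives
    return verdict


def privilege_audit(flattened: str) -> dict[tuple[int, str], dict]:
    """Per (pid, process): distinct privileges adjusted, total number of
    adjustments, and which HIGH_IMPACT privileges were among them."""
    per_proc: dict[tuple[int, str], dict] = defaultdict(
        lambda: {"distinct": set(), "adjustments": 0}
    )
    for priv, pid, process in TOKEN_ROW.findall(flattened):
        entry = per_proc[(int(pid), process)]
        entry["distinct"].add(priv)
        entry["adjustments"] += 1
    for entry in per_proc.values():
        entry["high_impact"] = sorted(entry["distinct"] & HIGH_IMPACT)
    return dict(per_proc)


# Constructed input in the report's flattened form (see docstring).
SAMPLE_FILE_ROWS = (
    "File opened (read-only) \\??\\O: msiexec.exe "
    "File opened (read-only) \\??\\J: msiexec.exe "
    "File opened (read-only) \\??\\A: msiexec.exe "
    "File opened (read-only) \\??\\E: msiexec.exe "
    "File opened (read-only) \\??\\J: msiexec.exe "
    "File opened (read-only) \\??\\C: notepad.exe "
    "File opened (read-only) \\??\\D: notepad.exe"
)
SAMPLE_TOKEN_ROWS = (
    "Token: SeShutdownPrivilege 3900 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 3900 msiexec.exe "
    "Token: SeSecurityPrivilege 524 msiexec.exe "
    "Token: SeCreateTokenPrivilege 3900 msiexec.exe "
    "Token: SeTcbPrivilege 3900 msiexec.exe "
    "Token: SeDebugPrivilege 3900 msiexec.exe "
    "Token: SeShutdownPrivilege 3900 msiexec.exe"
)

if __name__ == "__main__":
    print(enumerates_drives(SAMPLE_FILE_ROWS))
    for key, entry in privilege_audit(SAMPLE_TOKEN_ROWS).items():
        print(key, len(entry["distinct"]), entry["adjustments"], entry["high_impact"])
```

Feeding the full flattened text of the two tables above into the same functions gives the report's counts (46 file rows over 23 letters, 64 token rows); the value of the exercise is that the verdict is reproducible and the threshold is visible, which a sandbox's one-line signature name is not.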
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
3900  msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description                       pid   Process      procid_target
PID 3900 wrote to memory of 1364  3900  msiexec.exe  87
PID 3900 wrote to memory of 1364  3900  msiexec.exe  87
PID 524 wrote to memory of 3972   524   msiexec.exe  90
PID 524 wrote to memory of 3972   524   msiexec.exe  90
PID 524 wrote to memory of 3972   524   msiexec.exe  90
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1cbf0d1736fe6059eadd329cfec5c7dc72f646fdeba65631d471488016a58bbe.msi
  PID: 3900
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\system32\pcaui.exe
      Command line: "C:\Windows\system32\pcaui.exe" -g {d8ff6d16-6a3a-468a-8b44-01714ddc49ea} -x {5d343d82-8bb4-4a5f-a17b-78abf57b73a5} -a "Acrobat Professional/Standard 6" -v "Adobe" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 1 -f 0 -k 0
      PID: 1364
      pcaui.exe is the Program Compatibility Assistant dialog; the -a and -v arguments show the package presenting itself as "Acrobat Professional/Standard 6" by "Adobe", and the -s message is the hard block Windows raises for an application in its compatibility database.

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 524
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BCCF30EA9830C9F181AC411B7E4F225B C
      PID: 3972
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 48KB
MD5: c209dd150a489095a8045713bac02e79
SHA1: 8a52231cf700b5bd510a983247d14000ebb46db3
SHA256: 9abfb56f541ab153997cf4d99a7ec2be237c1a753e9b0a4b319fd262508b5211
SHA512: 73ee4b617a7dcb6f616ac115eb5037c16e462ef3dbe178c9ed3fa9091938b31c1c98606f659f882bae9eae53bdbe83298e4f4ec3f58b7a080d9b51ff52f41cd3

Filesize: 60KB
MD5: da7d840224aa5de956ad2ef043229096
SHA1: 62b26a15411b2de89388ba8db110f48c69838d98
SHA256: 7ec4b55f864a8744b647003853562c16897bc5a9a15cb6e271c7e425aba846d3
SHA512: d0e9c38a3f623db824d9309dc927d9822000dc54f623683fa7bcbd4fa32596f1f2a53dcdd85d76b57198c0c9dcd442a610d7b46eef51c25b82e8615e44c6b5e8

Filesize: 32KB
MD5: d323a3ebb3bce01f663e70c4c16c30da
SHA1: 8b78b76f5acaceeb30b0621ed1111d96e55f2426
SHA256: d37a7755b215e915991963165da0e8afb80d78e39b3f7853de856ac52810a3be
SHA512: f67f7d4d9a3f9f7b5b2bd76d6c59e2f0ee70e4d096d02f4ca6377637958030ce9dadef80551e7df90822775f733f14d10686b3db8841c33d0a24518302a2ad8d

Filesize: 52KB
MD5: 07ce4da97166beb04eada923671ba59a
SHA1: c85475f7179f4f2d1087cef5f8684342811d0885
SHA256: 92248c85cb30417c9a1fe03f59f6de9c38211a78e156cd67cd593a5e11b5467c
SHA512: 46e18195fa50a990f218066517c043d1ac7a525017e47c2bc3f436fa2586d68683bbfbe5963dbb6cc0dd22a9bb67df9c9baf351fb1327ebc47913297378f59e9