6275b51454ddddba706e761430bba9f756503bdc34d63649451a9f020a2afc1e

Analysis

max time kernel
118s
max time network
129s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

postgresql-8.3-int.msi
Size

23.8MB
MD5

ec78c9a48eb0f1a5d645b26c8cb73c7c
SHA1

af7e55be5345a002d497946e86c5f1067124e1ef
SHA256

498fc55a80f590b6eea38492cee53cb71d5e652ea8c0f4cb45a85e5b20e615eb
SHA512

cda5797cb0d0bd57188194ca89dab073989f14f23faaf779f59922dc9198275a0159beaed9ad979b35a1de7c0fc7cb16c668139cc1c1b32711a4d14d1b19657e
SSDEEP

393216:+X9bU4kUZeCeOwmiZn4xXaHddwZW+MpGThFiaff/J4WZtde9Skc3+ARhNEkasOEe:+XloSejOwbZnWaHbvCiaXtZtdesv3nRg

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2636	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1916	msiexec.exe
Token: SeRestorePrivilege	2924	msiexec.exe
Token: SeTakeOwnershipPrivilege	2924	msiexec.exe
Token: SeSecurityPrivilege	2924	msiexec.exe
Token: SeCreateTokenPrivilege	1916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1916	msiexec.exe
Token: SeLockMemoryPrivilege	1916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1916	msiexec.exe
Token: SeMachineAccountPrivilege	1916	msiexec.exe
Token: SeTcbPrivilege	1916	msiexec.exe
Token: SeSecurityPrivilege	1916	msiexec.exe
Token: SeTakeOwnershipPrivilege	1916	msiexec.exe
Token: SeLoadDriverPrivilege	1916	msiexec.exe
Token: SeSystemProfilePrivilege	1916	msiexec.exe
Token: SeSystemtimePrivilege	1916	msiexec.exe
Token: SeProfSingleProcessPrivilege	1916	msiexec.exe
Token: SeIncBasePriorityPrivilege	1916	msiexec.exe
Token: SeCreatePagefilePrivilege	1916	msiexec.exe
Token: SeCreatePermanentPrivilege	1916	msiexec.exe
Token: SeBackupPrivilege	1916	msiexec.exe
Token: SeRestorePrivilege	1916	msiexec.exe
Token: SeShutdownPrivilege	1916	msiexec.exe
Token: SeDebugPrivilege	1916	msiexec.exe
Token: SeAuditPrivilege	1916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1916	msiexec.exe
Token: SeChangeNotifyPrivilege	1916	msiexec.exe
Token: SeRemoteShutdownPrivilege	1916	msiexec.exe
Token: SeUndockPrivilege	1916	msiexec.exe
Token: SeSyncAgentPrivilege	1916	msiexec.exe
Token: SeEnableDelegationPrivilege	1916	msiexec.exe
Token: SeManageVolumePrivilege	1916	msiexec.exe
Token: SeImpersonatePrivilege	1916	msiexec.exe
Token: SeCreateGlobalPrivilege	1916	msiexec.exe
Token: SeCreateTokenPrivilege	1916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1916	msiexec.exe
Token: SeLockMemoryPrivilege	1916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1916	msiexec.exe
Token: SeMachineAccountPrivilege	1916	msiexec.exe
Token: SeTcbPrivilege	1916	msiexec.exe
Token: SeSecurityPrivilege	1916	msiexec.exe
Token: SeTakeOwnershipPrivilege	1916	msiexec.exe
Token: SeLoadDriverPrivilege	1916	msiexec.exe
Token: SeSystemProfilePrivilege	1916	msiexec.exe
Token: SeSystemtimePrivilege	1916	msiexec.exe
Token: SeProfSingleProcessPrivilege	1916	msiexec.exe
Token: SeIncBasePriorityPrivilege	1916	msiexec.exe
Token: SeCreatePagefilePrivilege	1916	msiexec.exe
Token: SeCreatePermanentPrivilege	1916	msiexec.exe
Token: SeBackupPrivilege	1916	msiexec.exe
Token: SeRestorePrivilege	1916	msiexec.exe
Token: SeShutdownPrivilege	1916	msiexec.exe
Token: SeDebugPrivilege	1916	msiexec.exe
Token: SeAuditPrivilege	1916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1916	msiexec.exe
Token: SeChangeNotifyPrivilege	1916	msiexec.exe
Token: SeRemoteShutdownPrivilege	1916	msiexec.exe
Token: SeUndockPrivilege	1916	msiexec.exe
Token: SeSyncAgentPrivilege	1916	msiexec.exe
Token: SeEnableDelegationPrivilege	1916	msiexec.exe
Token: SeManageVolumePrivilege	1916	msiexec.exe
Token: SeImpersonatePrivilege	1916	msiexec.exe
Token: SeCreateGlobalPrivilege	1916	msiexec.exe
Token: SeCreateTokenPrivilege	1916	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1916	msiexec.exe
1916	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2636	2924	msiexec.exe	29
PID 2924 wrote to memory of 2636	2924	msiexec.exe	29
PID 2924 wrote to memory of 2636	2924	msiexec.exe	29
PID 2924 wrote to memory of 2636	2924	msiexec.exe	29
PID 2924 wrote to memory of 2636	2924	msiexec.exe	29
PID 2924 wrote to memory of 2636	2924	msiexec.exe	29
PID 2924 wrote to memory of 2636	2924	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\postgresql-8.3-int.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADA8A386BAA5851715C7E9965C81D7FD C
  2⤵
  - Loads dropped DLL
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI5A7F.tmp

Filesize
348KB

MD5
477d70db001b8994f6c03fc863150537

SHA1
edd79dbab310a1f94e0d83526647b4456835843e

SHA256
da41c1abc8528f9b32ce9df854acd3527a89dd85134392cd42bbc9bf71289958

SHA512
7ab0ddd70e4188465548e1834a159d88ee71005985810acd8c8f3bc77526a8cb2f8bec17de0cd8338d81629dbed3fc900f13c90d5019bfd3034e23065f5ff4b7

Download Submit
\Users\Admin\AppData\Local\Temp\MSI5A7F.tmp

Filesize
348KB

MD5
477d70db001b8994f6c03fc863150537

SHA1
edd79dbab310a1f94e0d83526647b4456835843e

SHA256
da41c1abc8528f9b32ce9df854acd3527a89dd85134392cd42bbc9bf71289958

SHA512
7ab0ddd70e4188465548e1834a159d88ee71005985810acd8c8f3bc77526a8cb2f8bec17de0cd8338d81629dbed3fc900f13c90d5019bfd3034e23065f5ff4b7

Download Submit