a6497690559864142194a3691b6a383a8c252639db4dbf8842ddf3de6b81ca8e

Analysis

max time kernel
121s
max time network
150s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07-11-2023 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc-2000389304890.msi
Size

9.1MB
MD5

20c8c327456905bbf28b5dbe7a65132b
SHA1

bca7f72fc3da476a5b782410d1672cfa847c2673
SHA256

6896563d6291b53c02d4434bfc81f99c3aa946924875a72415251bc7fef7c57f
SHA512

75104a14e2309a7896ab59579404b8821c125d107bb588b51c86f6da6096d232909aa5cacf8a62782fa91a85f7b3f4f69f138cf4e667d5ee2e34132ec97ef90c
SSDEEP

49152:FKfdGQFiAlB3H6rmp7U4a8XWb3HSeI/Tl5KW4i8Fx48gJAL1Faj+7B9efkeaqLFu:WTlAPnTsJkKfkFgC0

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2992	MsiExec.exe
2992	MsiExec.exe
2992	MsiExec.exe
2904	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC959.tmp	msiexec.exe
File created	C:\Windows\Installer\f76c526.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c526.ipi	msiexec.exe
File created	C:\Windows\Installer\f76c523.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c523.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC8FB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFFF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID04F.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	msiexec.exe
2328	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	820	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeSecurityPrivilege	2328	msiexec.exe
Token: SeCreateTokenPrivilege	820	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	820	msiexec.exe
Token: SeLockMemoryPrivilege	820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	820	msiexec.exe
Token: SeMachineAccountPrivilege	820	msiexec.exe
Token: SeTcbPrivilege	820	msiexec.exe
Token: SeSecurityPrivilege	820	msiexec.exe
Token: SeTakeOwnershipPrivilege	820	msiexec.exe
Token: SeLoadDriverPrivilege	820	msiexec.exe
Token: SeSystemProfilePrivilege	820	msiexec.exe
Token: SeSystemtimePrivilege	820	msiexec.exe
Token: SeProfSingleProcessPrivilege	820	msiexec.exe
Token: SeIncBasePriorityPrivilege	820	msiexec.exe
Token: SeCreatePagefilePrivilege	820	msiexec.exe
Token: SeCreatePermanentPrivilege	820	msiexec.exe
Token: SeBackupPrivilege	820	msiexec.exe
Token: SeRestorePrivilege	820	msiexec.exe
Token: SeShutdownPrivilege	820	msiexec.exe
Token: SeDebugPrivilege	820	msiexec.exe
Token: SeAuditPrivilege	820	msiexec.exe
Token: SeSystemEnvironmentPrivilege	820	msiexec.exe
Token: SeChangeNotifyPrivilege	820	msiexec.exe
Token: SeRemoteShutdownPrivilege	820	msiexec.exe
Token: SeUndockPrivilege	820	msiexec.exe
Token: SeSyncAgentPrivilege	820	msiexec.exe
Token: SeEnableDelegationPrivilege	820	msiexec.exe
Token: SeManageVolumePrivilege	820	msiexec.exe
Token: SeImpersonatePrivilege	820	msiexec.exe
Token: SeCreateGlobalPrivilege	820	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
820	msiexec.exe
820	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2992	2328	msiexec.exe	28
PID 2328 wrote to memory of 2992	2328	msiexec.exe	28
PID 2328 wrote to memory of 2992	2328	msiexec.exe	28
PID 2328 wrote to memory of 2992	2328	msiexec.exe	28
PID 2328 wrote to memory of 2992	2328	msiexec.exe	28
PID 2328 wrote to memory of 2992	2328	msiexec.exe	28
PID 2328 wrote to memory of 2992	2328	msiexec.exe	28
PID 2328 wrote to memory of 2904	2328	msiexec.exe	29
PID 2328 wrote to memory of 2904	2328	msiexec.exe	29
PID 2328 wrote to memory of 2904	2328	msiexec.exe	29
PID 2328 wrote to memory of 2904	2328	msiexec.exe	29
PID 2328 wrote to memory of 2904	2328	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\doc-2000389304890.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:820

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9D7DCD971865603511B853424F8C45F
  2⤵
  - Loads dropped DLL
  PID:2992
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding ADC024277D63C1A831DCA018CF99730E
  2⤵
  - Loads dropped DLL
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76c527.rbs

Filesize
571B

MD5
4d80701d2c17820c11813157a268a44a

SHA1
519ad189cea2fe6c9622d661cf52d8c1c96b103d

SHA256
4e6dd71937283a2987d69795e13644a669430d096fbffab2c84a0d8650df6050

SHA512
2fd95446d0943380051ac88b24cd812aa5fd036b59823d9cc2eb13b8e24bec30af701671a726340a8ba5ac7d32121f65d7c47475ef4df91133fb06d9a0026ee5

Download Submit
C:\Windows\Installer\MSIC6C8.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSIC8FB.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSIC959.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSIC959.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSID04F.tmp

Filesize
8.0MB

MD5
6efa7f140bcdff414bb65b135dedc546

SHA1
bd2c10e0d8ddbda9c994c4012d1e1ba6d9712883

SHA256
c75b095cf05d79e8d4c3f6cff63300c5fb5f32c9bfa0aca82f8ca3db02af6e43

SHA512
9c33bb43f8696467b294a30893d3c9611154b6806c089e1cf8dfa2613b93ec30d25bf70ffa99290097891ee0015bc72baa813d8bfcb747c3016c81075b2cbd9a

Download Submit
\Windows\Installer\MSIC6C8.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSIC8FB.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSIC959.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSID04F.tmp

Filesize
8.0MB

MD5
6efa7f140bcdff414bb65b135dedc546

SHA1
bd2c10e0d8ddbda9c994c4012d1e1ba6d9712883

SHA256
c75b095cf05d79e8d4c3f6cff63300c5fb5f32c9bfa0aca82f8ca3db02af6e43

SHA512
9c33bb43f8696467b294a30893d3c9611154b6806c089e1cf8dfa2613b93ec30d25bf70ffa99290097891ee0015bc72baa813d8bfcb747c3016c81075b2cbd9a

Download Submit
memory/2904-21-0x0000000073250000-0x0000000073A6E000-memory.dmp

Filesize
8.1MB

Download