fbc6f51f451f55a888a00da19873d5d564a6d2b0cfb8eeb690b5d9ae65e5f10f

Analysis

max time kernel
163s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbc6f51f451f55a888a00da19873d5d564a6d2b0cfb8eeb690b5d9ae65e5f10f.msi
Size

1.1MB
MD5

3d2aac7760ce657f81c61d21891a79f3
SHA1

b0a5d89861b5d5e646edd70e90a2762c10967383
SHA256

fbc6f51f451f55a888a00da19873d5d564a6d2b0cfb8eeb690b5d9ae65e5f10f
SHA512

ef42ce2bfc9de20d5356a5fbe0d3947888beccb591f06595bd656ba4d989ff32919f653682633d1ed5c745d39d39a24cda043fa14530ab17596496eecf43eaff
SSDEEP

24576:jXebe/IEFXsaV5C7eYVLsTPRDKeiYrztdfG8NQGakAE:jXSRaV5C77yPROeiYHfNQGrA

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
860	MsiExec.exe
860	MsiExec.exe
860	MsiExec.exe
860	MsiExec.exe
860	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACB3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD12.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC84.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD12.tmp	msiexec.exe
File created	C:\Windows\Installer\e58dda9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58dda9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE9AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI931F.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B41661CB-C766-432E-A294-AB3C5CEF3CE5}	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1192	msiexec.exe
1192	msiexec.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5088	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5088	msiexec.exe
Token: SeSecurityPrivilege	1192	msiexec.exe
Token: SeCreateTokenPrivilege	5088	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5088	msiexec.exe
Token: SeLockMemoryPrivilege	5088	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5088	msiexec.exe
Token: SeMachineAccountPrivilege	5088	msiexec.exe
Token: SeTcbPrivilege	5088	msiexec.exe
Token: SeSecurityPrivilege	5088	msiexec.exe
Token: SeTakeOwnershipPrivilege	5088	msiexec.exe
Token: SeLoadDriverPrivilege	5088	msiexec.exe
Token: SeSystemProfilePrivilege	5088	msiexec.exe
Token: SeSystemtimePrivilege	5088	msiexec.exe
Token: SeProfSingleProcessPrivilege	5088	msiexec.exe
Token: SeIncBasePriorityPrivilege	5088	msiexec.exe
Token: SeCreatePagefilePrivilege	5088	msiexec.exe
Token: SeCreatePermanentPrivilege	5088	msiexec.exe
Token: SeBackupPrivilege	5088	msiexec.exe
Token: SeRestorePrivilege	5088	msiexec.exe
Token: SeShutdownPrivilege	5088	msiexec.exe
Token: SeDebugPrivilege	5088	msiexec.exe
Token: SeAuditPrivilege	5088	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5088	msiexec.exe
Token: SeChangeNotifyPrivilege	5088	msiexec.exe
Token: SeRemoteShutdownPrivilege	5088	msiexec.exe
Token: SeUndockPrivilege	5088	msiexec.exe
Token: SeSyncAgentPrivilege	5088	msiexec.exe
Token: SeEnableDelegationPrivilege	5088	msiexec.exe
Token: SeManageVolumePrivilege	5088	msiexec.exe
Token: SeImpersonatePrivilege	5088	msiexec.exe
Token: SeCreateGlobalPrivilege	5088	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5088	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 860	1192	msiexec.exe	100
PID 1192 wrote to memory of 860	1192	msiexec.exe	100
PID 1192 wrote to memory of 860	1192	msiexec.exe	100
PID 860 wrote to memory of 400	860	MsiExec.exe	111
PID 860 wrote to memory of 400	860	MsiExec.exe	111
PID 860 wrote to memory of 400	860	MsiExec.exe	111

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fbc6f51f451f55a888a00da19873d5d564a6d2b0cfb8eeb690b5d9ae65e5f10f.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5088

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C29C3591A5E484D2D9780295E04C3CCB
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssBE86.ps1"
    3⤵
    PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI87cbd.LOG

Filesize
21KB

MD5
57a31dbabe9935acabde975e4f7787cd

SHA1
dfa5e53708713c96c94697e0bfcb96bef61dff01

SHA256
b1b86eea9c905fc8fbc61e36e0ab6aed52909456f37db14fc51098150c9c5249

SHA512
c7ca3b1714b5b9269e955c513887d54c9b65bc6a086d528676c55034b0180b52026780fcf04128bec5f5f9d1dee76698e714ee37ba0f797f2354a395d46189a6

Download Submit
C:\Windows\Installer\MSI931F.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSI931F.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSIACB3.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSIACB3.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSIACB3.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSIAD12.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSIAD12.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSIBD12.tmp

Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
C:\Windows\Installer\MSIBD12.tmp

Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
C:\Windows\Installer\MSIE9AF.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSIE9AF.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
memory/400-29-0x0000000073CF0000-0x00000000744A0000-memory.dmp

Filesize
7.7MB

Download