f1efd4e901a85cc7892dda4620376ddd65275790fcc4747cccfa1820dcb75722

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2023 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6a0ec474c1a9be4762a34e045e12327301b0b1c70b25a0475572b138dfbee2e.msi
Size

309KB
MD5

c9d54906e576c720fda1e23871435615
SHA1

b5ecb6f22678599320b29c67e3517981ee991634
SHA256

d6a0ec474c1a9be4762a34e045e12327301b0b1c70b25a0475572b138dfbee2e
SHA512

cf6a1d155429f48cdb8f5aaf23b086c5ac48588ada49184941b00fe9a7fad8f3f1413c48c74dc9ee39fcced57a1becfe7a02abd2ce09f48e5e67e9c3b4676935
SSDEEP

3072:1kxU0X04E6DG963DjY5AFwgz88ereWn/7w05g0ZCHbfIdn7k9uGkEp29wybtE7r2:1AIK3DjY5AQ8er1nzTubfIoZJ

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwa_helper.lnk	MsiExec.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwa_helper.lnk	MsiExec.exe

Executes dropped EXE 1 IoCs

pid	Process
1508	pwa_helper.exe

Loads dropped DLL 3 IoCs

pid	Process
1604	MsiExec.exe
1508	pwa_helper.exe
1604	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\b333hwrÆî.exe C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\msedge_elf.dll"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
46	1604	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI815.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{394247BF-B9B9-4A3E-B4C3-0A872DFF4926}	msiexec.exe
File created	C:\Windows\Installer\e585728.msi	msiexec.exe
File created	C:\Windows\Installer\e585724.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e585724.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	46	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3424	msiexec.exe
3424	msiexec.exe
1508	pwa_helper.exe
1508	pwa_helper.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3324	msiexec.exe
Token: SeSecurityPrivilege	3424	msiexec.exe
Token: SeCreateTokenPrivilege	3324	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3324	msiexec.exe
Token: SeLockMemoryPrivilege	3324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3324	msiexec.exe
Token: SeMachineAccountPrivilege	3324	msiexec.exe
Token: SeTcbPrivilege	3324	msiexec.exe
Token: SeSecurityPrivilege	3324	msiexec.exe
Token: SeTakeOwnershipPrivilege	3324	msiexec.exe
Token: SeLoadDriverPrivilege	3324	msiexec.exe
Token: SeSystemProfilePrivilege	3324	msiexec.exe
Token: SeSystemtimePrivilege	3324	msiexec.exe
Token: SeProfSingleProcessPrivilege	3324	msiexec.exe
Token: SeIncBasePriorityPrivilege	3324	msiexec.exe
Token: SeCreatePagefilePrivilege	3324	msiexec.exe
Token: SeCreatePermanentPrivilege	3324	msiexec.exe
Token: SeBackupPrivilege	3324	msiexec.exe
Token: SeRestorePrivilege	3324	msiexec.exe
Token: SeShutdownPrivilege	3324	msiexec.exe
Token: SeDebugPrivilege	3324	msiexec.exe
Token: SeAuditPrivilege	3324	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3324	msiexec.exe
Token: SeChangeNotifyPrivilege	3324	msiexec.exe
Token: SeRemoteShutdownPrivilege	3324	msiexec.exe
Token: SeUndockPrivilege	3324	msiexec.exe
Token: SeSyncAgentPrivilege	3324	msiexec.exe
Token: SeEnableDelegationPrivilege	3324	msiexec.exe
Token: SeManageVolumePrivilege	3324	msiexec.exe
Token: SeImpersonatePrivilege	3324	msiexec.exe
Token: SeCreateGlobalPrivilege	3324	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe
Token: SeRestorePrivilege	3424	msiexec.exe
Token: SeTakeOwnershipPrivilege	3424	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3324	msiexec.exe
1604	MsiExec.exe
3324	msiexec.exe
1508	pwa_helper.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 1604	3424	msiexec.exe	92
PID 3424 wrote to memory of 1604	3424	msiexec.exe	92
PID 3424 wrote to memory of 1604	3424	msiexec.exe	92
PID 1604 wrote to memory of 1508	1604	MsiExec.exe	107
PID 1604 wrote to memory of 1508	1604	MsiExec.exe	107
PID 1604 wrote to memory of 1508	1604	MsiExec.exe	107
PID 1508 wrote to memory of 1844	1508	pwa_helper.exe	109
PID 1508 wrote to memory of 1844	1508	pwa_helper.exe	109
PID 1508 wrote to memory of 1844	1508	pwa_helper.exe	109
PID 1844 wrote to memory of 4876	1844	cmd.exe	111
PID 1844 wrote to memory of 4876	1844	cmd.exe	111
PID 1844 wrote to memory of 4876	1844	cmd.exe	111

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d6a0ec474c1a9be4762a34e045e12327301b0b1c70b25a0475572b138dfbee2e.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3324

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DA15F33BC0CCEB85A0A88A7FC87EBC66
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Blocklisted process makes network request
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Admin" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Microsoft\b333hwrÆî.exe C:\Users\Admin\AppData\Roaming\Microsoft\ C:\Users\Admin\AppData\Roaming\Microsoft\msedge_elf.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Admin" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Microsoft\b333hwrÆî.exe C:\Users\Admin\AppData\Roaming\Microsoft\ C:\Users\Admin\AppData\Roaming\Microsoft\msedge_elf.dll"
        5⤵
        Adds Run key to start application
        
        PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585727.rbs

Filesize
8KB

MD5
8dacfb604647a64d541ed6eb80b7a0b7

SHA1
d7566a867d8981e8a81adc2fc946765a97916bd1

SHA256
28d18a26e3db77fefeb67acc87d6ee461e82a893d628b296efd7c9ca6a75dea5

SHA512
6abdfc56608980f0cea2ef910983896c4364f063910d87308c2aec62b334dd2a86d87594ae05c108591776065be3c9b376a4bf6f9fb6ace24e5e4cfc42e1e73f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MyZWyT.zip

Filesize
12.4MB

MD5
c1ad4f8e1f8c14da4b3b22cd187c9704

SHA1
1201117ab8990c5d79ac9d3f2ca6d9f0b957819f

SHA256
00795d2dc7e3d6e7ff750cba12f6c7d88b5f1c49ee40c667872c9f02a5639a66

SHA512
cf581060d9a224c13e61dd4758a61dd19d6f47bc2c22686fc00712e6258a3e51f43f4baf4f104936e13b4a92082dfae69fd364e060a2ef46a5197b1220f84db9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\msedge_elf.dll

Filesize
12.3MB

MD5
b053388436b2d35b80e8537c7b4d001d

SHA1
97454140927cd2b90be7eabd8985f6e7513e021f

SHA256
015ffb119b8b8a7817530aebca60de86af553b40639d67de6962bd658e586429

SHA512
053c0d42a73fe081d9f40a227ec30f82e6e4cd082a9cffbbbc90049c73cfed61c5143083e6fa0d4ede6d54ae2b3b7df34d0fe09d3b501ab0962f872500096c52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\msedge_elf.dll

Filesize
12.3MB

MD5
b053388436b2d35b80e8537c7b4d001d

SHA1
97454140927cd2b90be7eabd8985f6e7513e021f

SHA256
015ffb119b8b8a7817530aebca60de86af553b40639d67de6962bd658e586429

SHA512
053c0d42a73fe081d9f40a227ec30f82e6e4cd082a9cffbbbc90049c73cfed61c5143083e6fa0d4ede6d54ae2b3b7df34d0fe09d3b501ab0962f872500096c52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe

Filesize
602KB

MD5
d5124f98199f99af52ab19b23d8e8971

SHA1
25311bb0f9a8e8ad23c691ae2118866091d56867

SHA256
aa7400bd5bc2b21169b34f61b678be7162061e68031ccbf80321db119977f078

SHA512
c9899f978c25f807240999eb1ab77130b5c22ab32ed53beab16701aaf2de2951805c30729fef7b1770be5fc2a642efc66ad3922e5588acda3d22a2e2df151625

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe

Filesize
602KB

MD5
d5124f98199f99af52ab19b23d8e8971

SHA1
25311bb0f9a8e8ad23c691ae2118866091d56867

SHA256
aa7400bd5bc2b21169b34f61b678be7162061e68031ccbf80321db119977f078

SHA512
c9899f978c25f807240999eb1ab77130b5c22ab32ed53beab16701aaf2de2951805c30729fef7b1770be5fc2a642efc66ad3922e5588acda3d22a2e2df151625

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe

Filesize
602KB

MD5
d5124f98199f99af52ab19b23d8e8971

SHA1
25311bb0f9a8e8ad23c691ae2118866091d56867

SHA256
aa7400bd5bc2b21169b34f61b678be7162061e68031ccbf80321db119977f078

SHA512
c9899f978c25f807240999eb1ab77130b5c22ab32ed53beab16701aaf2de2951805c30729fef7b1770be5fc2a642efc66ad3922e5588acda3d22a2e2df151625

Download Submit
C:\Windows\Installer\MSI6BD.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI6BD.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI815.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI815.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
memory/1508-85-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/1508-84-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/1508-87-0x0000000071270000-0x000000007289A000-memory.dmp

Filesize
22.2MB

Download
memory/1508-86-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1508-83-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1508-89-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1508-88-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1508-90-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1508-91-0x0000000071270000-0x000000007289A000-memory.dmp

Filesize
22.2MB

Download
memory/1508-94-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/1508-97-0x0000000071270000-0x000000007289A000-memory.dmp

Filesize
22.2MB

Download