6acfeb696a7f901c733dbcd003af99252390844eecbc30aa42a6ac47e32c5fae

Analysis

max time kernel
154s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2023, 20:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d6a0ec474c1a9be4762a34e045e12327301b0b1c70b25a0475572b138dfbee2e.msi
Size

309KB
MD5

c9d54906e576c720fda1e23871435615
SHA1

b5ecb6f22678599320b29c67e3517981ee991634
SHA256

d6a0ec474c1a9be4762a34e045e12327301b0b1c70b25a0475572b138dfbee2e
SHA512

cf6a1d155429f48cdb8f5aaf23b086c5ac48588ada49184941b00fe9a7fad8f3f1413c48c74dc9ee39fcced57a1becfe7a02abd2ce09f48e5e67e9c3b4676935
SSDEEP

3072:1kxU0X04E6DG963DjY5AFwgz88ereWn/7w05g0ZCHbfIdn7k9uGkEp29wybtE7r2:1AIK3DjY5AQ8er1nzTubfIoZJ

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwa_helper.lnk	MsiExec.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwa_helper.lnk	MsiExec.exe

Executes dropped EXE 1 IoCs

pid	Process
692	pwa_helper.exe

Loads dropped DLL 3 IoCs

pid	Process
1676	MsiExec.exe
1676	MsiExec.exe
692	pwa_helper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\lan3evzÆî.exe C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\msedge_elf.dll"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	1676	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57aba1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI56A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI26DE.tmp	msiexec.exe
File created	C:\Windows\Installer\e57aba5.msi	msiexec.exe
File created	C:\Windows\Installer\e57aba1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C8.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{394247BF-B9B9-4A3E-B4C3-0A872DFF4926}	msiexec.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1832	msiexec.exe
1832	msiexec.exe
692	pwa_helper.exe
692	pwa_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
692	pwa_helper.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4472	msiexec.exe
Token: SeSecurityPrivilege	1832	msiexec.exe
Token: SeCreateTokenPrivilege	4472	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4472	msiexec.exe
Token: SeLockMemoryPrivilege	4472	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4472	msiexec.exe
Token: SeMachineAccountPrivilege	4472	msiexec.exe
Token: SeTcbPrivilege	4472	msiexec.exe
Token: SeSecurityPrivilege	4472	msiexec.exe
Token: SeTakeOwnershipPrivilege	4472	msiexec.exe
Token: SeLoadDriverPrivilege	4472	msiexec.exe
Token: SeSystemProfilePrivilege	4472	msiexec.exe
Token: SeSystemtimePrivilege	4472	msiexec.exe
Token: SeProfSingleProcessPrivilege	4472	msiexec.exe
Token: SeIncBasePriorityPrivilege	4472	msiexec.exe
Token: SeCreatePagefilePrivilege	4472	msiexec.exe
Token: SeCreatePermanentPrivilege	4472	msiexec.exe
Token: SeBackupPrivilege	4472	msiexec.exe
Token: SeRestorePrivilege	4472	msiexec.exe
Token: SeShutdownPrivilege	4472	msiexec.exe
Token: SeDebugPrivilege	4472	msiexec.exe
Token: SeAuditPrivilege	4472	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4472	msiexec.exe
Token: SeChangeNotifyPrivilege	4472	msiexec.exe
Token: SeRemoteShutdownPrivilege	4472	msiexec.exe
Token: SeUndockPrivilege	4472	msiexec.exe
Token: SeSyncAgentPrivilege	4472	msiexec.exe
Token: SeEnableDelegationPrivilege	4472	msiexec.exe
Token: SeManageVolumePrivilege	4472	msiexec.exe
Token: SeImpersonatePrivilege	4472	msiexec.exe
Token: SeCreateGlobalPrivilege	4472	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4472	msiexec.exe
1676	MsiExec.exe
4472	msiexec.exe
692	pwa_helper.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1676	1832	msiexec.exe	88
PID 1832 wrote to memory of 1676	1832	msiexec.exe	88
PID 1832 wrote to memory of 1676	1832	msiexec.exe	88
PID 1676 wrote to memory of 692	1676	MsiExec.exe	97
PID 1676 wrote to memory of 692	1676	MsiExec.exe	97
PID 1676 wrote to memory of 692	1676	MsiExec.exe	97
PID 692 wrote to memory of 4276	692	pwa_helper.exe	99
PID 692 wrote to memory of 4276	692	pwa_helper.exe	99
PID 692 wrote to memory of 4276	692	pwa_helper.exe	99
PID 4276 wrote to memory of 3932	4276	cmd.exe	101
PID 4276 wrote to memory of 3932	4276	cmd.exe	101
PID 4276 wrote to memory of 3932	4276	cmd.exe	101

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d6a0ec474c1a9be4762a34e045e12327301b0b1c70b25a0475572b138dfbee2e.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4472

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C77A6270576A12CA1A59585BDE0B377C
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Blocklisted process makes network request
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Admin" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Microsoft\lan3evzÆî.exe C:\Users\Admin\AppData\Roaming\Microsoft\ C:\Users\Admin\AppData\Roaming\Microsoft\msedge_elf.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4276
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Admin" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Microsoft\lan3evzÆî.exe C:\Users\Admin\AppData\Roaming\Microsoft\ C:\Users\Admin\AppData\Roaming\Microsoft\msedge_elf.dll"
        5⤵
        Adds Run key to start application
        
        PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57aba4.rbs

Filesize
8KB

MD5
1472ce86adb705715d4ba2bdbb0cc633

SHA1
86b75046f11c219051489c54ac602ccb7528711b

SHA256
1c087caea18f28620d76475c5cfcb860f3ea9733f972d00b3202b846be14440b

SHA512
d9bb1a1be12507154f4b8ccbccfe74046bca8b0d41f9a49fea99e691dc2a8c7e66730541a1ada7cc2bfe25b17c309de3cd353b304a1f9eba61e7cd6aa4d1a3ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\GENpVC.zip

Filesize
12.4MB

MD5
c1ad4f8e1f8c14da4b3b22cd187c9704

SHA1
1201117ab8990c5d79ac9d3f2ca6d9f0b957819f

SHA256
00795d2dc7e3d6e7ff750cba12f6c7d88b5f1c49ee40c667872c9f02a5639a66

SHA512
cf581060d9a224c13e61dd4758a61dd19d6f47bc2c22686fc00712e6258a3e51f43f4baf4f104936e13b4a92082dfae69fd364e060a2ef46a5197b1220f84db9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\msedge_elf.dll

Filesize
12.3MB

MD5
b053388436b2d35b80e8537c7b4d001d

SHA1
97454140927cd2b90be7eabd8985f6e7513e021f

SHA256
015ffb119b8b8a7817530aebca60de86af553b40639d67de6962bd658e586429

SHA512
053c0d42a73fe081d9f40a227ec30f82e6e4cd082a9cffbbbc90049c73cfed61c5143083e6fa0d4ede6d54ae2b3b7df34d0fe09d3b501ab0962f872500096c52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\msedge_elf.dll

Filesize
12.3MB

MD5
b053388436b2d35b80e8537c7b4d001d

SHA1
97454140927cd2b90be7eabd8985f6e7513e021f

SHA256
015ffb119b8b8a7817530aebca60de86af553b40639d67de6962bd658e586429

SHA512
053c0d42a73fe081d9f40a227ec30f82e6e4cd082a9cffbbbc90049c73cfed61c5143083e6fa0d4ede6d54ae2b3b7df34d0fe09d3b501ab0962f872500096c52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe

Filesize
602KB

MD5
d5124f98199f99af52ab19b23d8e8971

SHA1
25311bb0f9a8e8ad23c691ae2118866091d56867

SHA256
aa7400bd5bc2b21169b34f61b678be7162061e68031ccbf80321db119977f078

SHA512
c9899f978c25f807240999eb1ab77130b5c22ab32ed53beab16701aaf2de2951805c30729fef7b1770be5fc2a642efc66ad3922e5588acda3d22a2e2df151625

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe

Filesize
602KB

MD5
d5124f98199f99af52ab19b23d8e8971

SHA1
25311bb0f9a8e8ad23c691ae2118866091d56867

SHA256
aa7400bd5bc2b21169b34f61b678be7162061e68031ccbf80321db119977f078

SHA512
c9899f978c25f807240999eb1ab77130b5c22ab32ed53beab16701aaf2de2951805c30729fef7b1770be5fc2a642efc66ad3922e5588acda3d22a2e2df151625

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pwa_helper.exe

Filesize
602KB

MD5
d5124f98199f99af52ab19b23d8e8971

SHA1
25311bb0f9a8e8ad23c691ae2118866091d56867

SHA256
aa7400bd5bc2b21169b34f61b678be7162061e68031ccbf80321db119977f078

SHA512
c9899f978c25f807240999eb1ab77130b5c22ab32ed53beab16701aaf2de2951805c30729fef7b1770be5fc2a642efc66ad3922e5588acda3d22a2e2df151625

Download Submit
C:\Windows\Installer\MSI56A.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI56A.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI5C8.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI5C8.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
memory/692-87-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/692-85-0x00000000017D0000-0x00000000017D1000-memory.dmp

Filesize
4KB

Download
memory/692-84-0x00000000017C0000-0x00000000017C1000-memory.dmp

Filesize
4KB

Download
memory/692-83-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/692-89-0x0000000070F30000-0x000000007255A000-memory.dmp

Filesize
22.2MB

Download
memory/692-86-0x0000000001810000-0x0000000001811000-memory.dmp

Filesize
4KB

Download
memory/692-88-0x0000000001830000-0x0000000001831000-memory.dmp

Filesize
4KB

Download
memory/692-90-0x0000000001840000-0x0000000001841000-memory.dmp

Filesize
4KB

Download
memory/692-91-0x0000000070F30000-0x000000007255A000-memory.dmp

Filesize
22.2MB

Download
memory/692-93-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/692-97-0x0000000070F30000-0x000000007255A000-memory.dmp

Filesize
22.2MB

Download