39a921b42c964e3a381bc613f3bde5b324b070e629a415e35f9f84c6818f2eca

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2023, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6be34df727fcb79123e4e8f472ad24b698d83395fb17d4db019e9976f485cd83.msi
Size

26.8MB
MD5

628e6068c4cb1be86b489574452fc9ab
SHA1

b0e4e9bb6ef8aa7a9fcb9c9e571d8162b1b2443a
SHA256

6be34df727fcb79123e4e8f472ad24b698d83395fb17d4db019e9976f485cd83
SHA512

f0f79ed20dbbebecfe80f419c4fb454743c723c249b84d61cb0d1026133ff401b0221932e762b104a8f4d64b2dd22156c00d548b85344e9bf6fd4e99a8926459
SSDEEP

786432:EZwgU6F7ALHnL2+xlyBwXobj4qzMvmcBF0jb:cE6F7Azn1xMV34OMvan

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
4132	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe
4132	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	4672	msiexec.exe
15	4672	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\A4278059BC3746E69A0B27353110D471.TMP\WiseCustomCall.dll	MsiExec.exe
File created	C:\Windows\A4278059BC3746E69A0B27353110D471.TMP\WiseCustomCall.CEB85044_2EEF_484A_8907_2EAF870F92ED.dll	MsiExec.exe
File created	C:\Windows\A4278059BC3746E69A0B27353110D471.TMP\WiseCustomCalla.CEB85044_2EEF_484A_8907_2EAF870F92ED.dll	MsiExec.exe
File created	C:\Windows\A4278059BC3746E69A0B27353110D471.TMP\WiseCustomCalla1.CEB85044_2EEF_484A_8907_2EAF870F92ED.dll	MsiExec.exe
File created	C:\Windows\A4278059BC3746E69A0B27353110D471.TMP\WiseCustomCalla.92A04A00_8854_4FDB_8A3A_F7F61D547DD6.dll	MsiExec.exe
File created	C:\Windows\A4278059BC3746E69A0B27353110D471.TMP\WiseCustomCall.92A04A00_8854_4FDB_8A3A_F7F61D547DD6.dll	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4672	msiexec.exe
Token: SeSecurityPrivilege	4088	msiexec.exe
Token: SeCreateTokenPrivilege	4672	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4672	msiexec.exe
Token: SeLockMemoryPrivilege	4672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4672	msiexec.exe
Token: SeMachineAccountPrivilege	4672	msiexec.exe
Token: SeTcbPrivilege	4672	msiexec.exe
Token: SeSecurityPrivilege	4672	msiexec.exe
Token: SeTakeOwnershipPrivilege	4672	msiexec.exe
Token: SeLoadDriverPrivilege	4672	msiexec.exe
Token: SeSystemProfilePrivilege	4672	msiexec.exe
Token: SeSystemtimePrivilege	4672	msiexec.exe
Token: SeProfSingleProcessPrivilege	4672	msiexec.exe
Token: SeIncBasePriorityPrivilege	4672	msiexec.exe
Token: SeCreatePagefilePrivilege	4672	msiexec.exe
Token: SeCreatePermanentPrivilege	4672	msiexec.exe
Token: SeBackupPrivilege	4672	msiexec.exe
Token: SeRestorePrivilege	4672	msiexec.exe
Token: SeShutdownPrivilege	4672	msiexec.exe
Token: SeDebugPrivilege	4672	msiexec.exe
Token: SeAuditPrivilege	4672	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4672	msiexec.exe
Token: SeChangeNotifyPrivilege	4672	msiexec.exe
Token: SeRemoteShutdownPrivilege	4672	msiexec.exe
Token: SeUndockPrivilege	4672	msiexec.exe
Token: SeSyncAgentPrivilege	4672	msiexec.exe
Token: SeEnableDelegationPrivilege	4672	msiexec.exe
Token: SeManageVolumePrivilege	4672	msiexec.exe
Token: SeImpersonatePrivilege	4672	msiexec.exe
Token: SeCreateGlobalPrivilege	4672	msiexec.exe
Token: SeCreateTokenPrivilege	4672	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4672	msiexec.exe
Token: SeLockMemoryPrivilege	4672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4672	msiexec.exe
Token: SeMachineAccountPrivilege	4672	msiexec.exe
Token: SeTcbPrivilege	4672	msiexec.exe
Token: SeSecurityPrivilege	4672	msiexec.exe
Token: SeTakeOwnershipPrivilege	4672	msiexec.exe
Token: SeLoadDriverPrivilege	4672	msiexec.exe
Token: SeSystemProfilePrivilege	4672	msiexec.exe
Token: SeSystemtimePrivilege	4672	msiexec.exe
Token: SeProfSingleProcessPrivilege	4672	msiexec.exe
Token: SeIncBasePriorityPrivilege	4672	msiexec.exe
Token: SeCreatePagefilePrivilege	4672	msiexec.exe
Token: SeCreatePermanentPrivilege	4672	msiexec.exe
Token: SeBackupPrivilege	4672	msiexec.exe
Token: SeRestorePrivilege	4672	msiexec.exe
Token: SeShutdownPrivilege	4672	msiexec.exe
Token: SeDebugPrivilege	4672	msiexec.exe
Token: SeAuditPrivilege	4672	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4672	msiexec.exe
Token: SeChangeNotifyPrivilege	4672	msiexec.exe
Token: SeRemoteShutdownPrivilege	4672	msiexec.exe
Token: SeUndockPrivilege	4672	msiexec.exe
Token: SeSyncAgentPrivilege	4672	msiexec.exe
Token: SeEnableDelegationPrivilege	4672	msiexec.exe
Token: SeManageVolumePrivilege	4672	msiexec.exe
Token: SeImpersonatePrivilege	4672	msiexec.exe
Token: SeCreateGlobalPrivilege	4672	msiexec.exe
Token: SeCreateTokenPrivilege	4672	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4672	msiexec.exe
Token: SeLockMemoryPrivilege	4672	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4672	msiexec.exe
4672	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 4132	4088	msiexec.exe	89
PID 4088 wrote to memory of 4132	4088	msiexec.exe	89
PID 4088 wrote to memory of 4132	4088	msiexec.exe	89

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6be34df727fcb79123e4e8f472ad24b698d83395fb17d4db019e9976f485cd83.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4672

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8F2C2A12249F71586E78F6C98544ACEE C
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI9693.tmp

Filesize
64KB

MD5
ff7446c8c951e30fdb1b8bf2998ff457

SHA1
96eb950ae2b3c108da101c64267713d26711c9e2

SHA256
96d0323b72f317b9c0be1e8bc9b922258b6bb6520a032fd240bbf0c086826abd

SHA512
d20e6a672293a1ae1b280413d824e205098ee480d6f69d024fc4f643083f4970f388ef3c8247f0b387b9ddf1128d2442cbd8a982f9a09ddf9d2fc27e9f0c9154

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9693.tmp

Filesize
64KB

MD5
ff7446c8c951e30fdb1b8bf2998ff457

SHA1
96eb950ae2b3c108da101c64267713d26711c9e2

SHA256
96d0323b72f317b9c0be1e8bc9b922258b6bb6520a032fd240bbf0c086826abd

SHA512
d20e6a672293a1ae1b280413d824e205098ee480d6f69d024fc4f643083f4970f388ef3c8247f0b387b9ddf1128d2442cbd8a982f9a09ddf9d2fc27e9f0c9154

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9934.tmp

Filesize
238KB

MD5
792953a279efde80e70561e5fa2fe5d2

SHA1
c91b6612145f96cc3fd1c7b12736427d4ea7df00

SHA256
bb67895f98f5dedd9090ec8f5476b998e353b8ed444c225dfd6fc06e6939cb89

SHA512
9fad635f819aad740bb6b72e5e2c293ffe217e3e54ca43c864139e3e83d272dfffbf8ebe9fa02ee00e690a04aa6728180ae89e15a599aa3f310a53bb1c34e149

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9934.tmp

Filesize
238KB

MD5
792953a279efde80e70561e5fa2fe5d2

SHA1
c91b6612145f96cc3fd1c7b12736427d4ea7df00

SHA256
bb67895f98f5dedd9090ec8f5476b998e353b8ed444c225dfd6fc06e6939cb89

SHA512
9fad635f819aad740bb6b72e5e2c293ffe217e3e54ca43c864139e3e83d272dfffbf8ebe9fa02ee00e690a04aa6728180ae89e15a599aa3f310a53bb1c34e149

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9963.tmp

Filesize
238KB

MD5
792953a279efde80e70561e5fa2fe5d2

SHA1
c91b6612145f96cc3fd1c7b12736427d4ea7df00

SHA256
bb67895f98f5dedd9090ec8f5476b998e353b8ed444c225dfd6fc06e6939cb89

SHA512
9fad635f819aad740bb6b72e5e2c293ffe217e3e54ca43c864139e3e83d272dfffbf8ebe9fa02ee00e690a04aa6728180ae89e15a599aa3f310a53bb1c34e149

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9963.tmp

Filesize
238KB

MD5
792953a279efde80e70561e5fa2fe5d2

SHA1
c91b6612145f96cc3fd1c7b12736427d4ea7df00

SHA256
bb67895f98f5dedd9090ec8f5476b998e353b8ed444c225dfd6fc06e6939cb89

SHA512
9fad635f819aad740bb6b72e5e2c293ffe217e3e54ca43c864139e3e83d272dfffbf8ebe9fa02ee00e690a04aa6728180ae89e15a599aa3f310a53bb1c34e149

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI99A3.tmp

Filesize
67KB

MD5
9edde986ce80b8486fe45d0d271d6360

SHA1
c76091790b1153ab02ca7d8c4dfe23a8bd5c7a06

SHA256
af23351ed60666b21ebca19d4e69dd19e7ba09226714384d84493e25cf5501d0

SHA512
a8c646ac34af0069860eef0a906ef8e3d14e8a687cdfcb71cab254f90686b2d69ae6161c779a590bb81c4b9da83fd9af83d6d434cdc6fefc9f965c3a7c6eecf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI99A3.tmp

Filesize
67KB

MD5
9edde986ce80b8486fe45d0d271d6360

SHA1
c76091790b1153ab02ca7d8c4dfe23a8bd5c7a06

SHA256
af23351ed60666b21ebca19d4e69dd19e7ba09226714384d84493e25cf5501d0

SHA512
a8c646ac34af0069860eef0a906ef8e3d14e8a687cdfcb71cab254f90686b2d69ae6161c779a590bb81c4b9da83fd9af83d6d434cdc6fefc9f965c3a7c6eecf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9AFC.tmp

Filesize
67KB

MD5
9edde986ce80b8486fe45d0d271d6360

SHA1
c76091790b1153ab02ca7d8c4dfe23a8bd5c7a06

SHA256
af23351ed60666b21ebca19d4e69dd19e7ba09226714384d84493e25cf5501d0

SHA512
a8c646ac34af0069860eef0a906ef8e3d14e8a687cdfcb71cab254f90686b2d69ae6161c779a590bb81c4b9da83fd9af83d6d434cdc6fefc9f965c3a7c6eecf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9AFC.tmp

Filesize
67KB

MD5
9edde986ce80b8486fe45d0d271d6360

SHA1
c76091790b1153ab02ca7d8c4dfe23a8bd5c7a06

SHA256
af23351ed60666b21ebca19d4e69dd19e7ba09226714384d84493e25cf5501d0

SHA512
a8c646ac34af0069860eef0a906ef8e3d14e8a687cdfcb71cab254f90686b2d69ae6161c779a590bb81c4b9da83fd9af83d6d434cdc6fefc9f965c3a7c6eecf5

Download Submit
C:\Windows\A4278059BC3746E69A0B27353110D471.TMP\WiseCustomCall.92A04A00_8854_4FDB_8A3A_F7F61D547DD6.dll

Filesize
65KB

MD5
aa5fca54191c81348e466c2ff8a8bd9c

SHA1
1c0911969a26a93e8feeead18df97cc4cdd75f34

SHA256
6b36b0b5457dc6fe232c8535cf21532d6a44213405d202bfa4d1c4471dfc1983

SHA512
16a4deea052b9b599280759405e1cf3ad04904073dece8b48c79671dfb3f15f9dd32e453dbf65b54a114164022b6bda4f9f305a0ac3f802d7291f8fb9d195623

Download Submit
C:\Windows\A4278059BC3746E69A0B27353110D471.TMP\WiseCustomCalla.CEB85044_2EEF_484A_8907_2EAF870F92ED.dll

Filesize
946KB

MD5
0000579bbad080c89bce243ecdd981a2

SHA1
87c62f6a8201d9535ccaaa9cf9f6b4d891610f52

SHA256
9e1df95d52320a93288bc62243186869a9eec1a0df5af4b3dc98e0fa649a78bb

SHA512
62614c26df1826ba7fe0ef3a481949075cd173ed2857a3a78179f8eb76eaf7df052135a976fb4661616ebbd71595c2dcc266b2066160108238d51a69bd49c27f

Download Submit
C:\Windows\A4278059BC3746E69A0B27353110D471.TMP\WiseCustomCalla.CEB85044_2EEF_484A_8907_2EAF870F92ED.dll

Filesize
946KB

MD5
0000579bbad080c89bce243ecdd981a2

SHA1
87c62f6a8201d9535ccaaa9cf9f6b4d891610f52

SHA256
9e1df95d52320a93288bc62243186869a9eec1a0df5af4b3dc98e0fa649a78bb

SHA512
62614c26df1826ba7fe0ef3a481949075cd173ed2857a3a78179f8eb76eaf7df052135a976fb4661616ebbd71595c2dcc266b2066160108238d51a69bd49c27f

Download Submit
C:\Windows\A4278059BC3746E69A0B27353110D471.TMP\WiseCustomCalla.CEB85044_2EEF_484A_8907_2EAF870F92ED.dll

Filesize
946KB

MD5
0000579bbad080c89bce243ecdd981a2

SHA1
87c62f6a8201d9535ccaaa9cf9f6b4d891610f52

SHA256
9e1df95d52320a93288bc62243186869a9eec1a0df5af4b3dc98e0fa649a78bb

SHA512
62614c26df1826ba7fe0ef3a481949075cd173ed2857a3a78179f8eb76eaf7df052135a976fb4661616ebbd71595c2dcc266b2066160108238d51a69bd49c27f

Download Submit
C:\Windows\A4278059BC3746E69A0B27353110D471.TMP\WiseCustomCalla.CEB85044_2EEF_484A_8907_2EAF870F92ED.dll

Filesize
946KB

MD5
0000579bbad080c89bce243ecdd981a2

SHA1
87c62f6a8201d9535ccaaa9cf9f6b4d891610f52

SHA256
9e1df95d52320a93288bc62243186869a9eec1a0df5af4b3dc98e0fa649a78bb

SHA512
62614c26df1826ba7fe0ef3a481949075cd173ed2857a3a78179f8eb76eaf7df052135a976fb4661616ebbd71595c2dcc266b2066160108238d51a69bd49c27f

Download Submit
C:\Windows\A4278059BC3746E69A0B27353110D471.TMP\WiseCustomCalla.CEB85044_2EEF_484A_8907_2EAF870F92ED.dll

Filesize
946KB

MD5
0000579bbad080c89bce243ecdd981a2

SHA1
87c62f6a8201d9535ccaaa9cf9f6b4d891610f52

SHA256
9e1df95d52320a93288bc62243186869a9eec1a0df5af4b3dc98e0fa649a78bb

SHA512
62614c26df1826ba7fe0ef3a481949075cd173ed2857a3a78179f8eb76eaf7df052135a976fb4661616ebbd71595c2dcc266b2066160108238d51a69bd49c27f

Download Submit
memory/4132-30-0x0000000002A90000-0x0000000002B9D000-memory.dmp

Filesize
1.1MB

Download
memory/4132-42-0x0000000002C20000-0x0000000002D2D000-memory.dmp

Filesize
1.1MB

Download