83b8a52adde102c118a5c8a47fc9e83155601e0ab423b1887fa68a5e34cce1e6

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BakerBoostApp.msi
Size

5.9MB
MD5

9a05e7497c5a2baee4b4c314e832092e
SHA1

cbd8cdae6c39e1febcd52302d217e9cfec85ce6a
SHA256

0983c7e6d076e8006fa88d51e1363f275e009d6aa104eeab75cb6d228d708f38
SHA512

d837c08d8f38925bd8056e3a70d62299a84c0eba01e272a7ff5239f83e889c72f7e3e1e9be400cebf66d2c66fc4210f037aa69d89d51a8c33323d9400bb76f79
SSDEEP

49152:zJrYicL5MDwBMmImZTWsQcqh1fdG1CYlhazcpA3W6O4Ho9vH:1Yic5M/kTjAdGngimOx/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1980	MsiExec.exe
1980	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1752	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1752	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	3016	msiexec.exe
Token: SeTakeOwnershipPrivilege	3016	msiexec.exe
Token: SeSecurityPrivilege	3016	msiexec.exe
Token: SeCreateTokenPrivilege	1752	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1752	msiexec.exe
Token: SeLockMemoryPrivilege	1752	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1752	msiexec.exe
Token: SeMachineAccountPrivilege	1752	msiexec.exe
Token: SeTcbPrivilege	1752	msiexec.exe
Token: SeSecurityPrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeLoadDriverPrivilege	1752	msiexec.exe
Token: SeSystemProfilePrivilege	1752	msiexec.exe
Token: SeSystemtimePrivilege	1752	msiexec.exe
Token: SeProfSingleProcessPrivilege	1752	msiexec.exe
Token: SeIncBasePriorityPrivilege	1752	msiexec.exe
Token: SeCreatePagefilePrivilege	1752	msiexec.exe
Token: SeCreatePermanentPrivilege	1752	msiexec.exe
Token: SeBackupPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeShutdownPrivilege	1752	msiexec.exe
Token: SeDebugPrivilege	1752	msiexec.exe
Token: SeAuditPrivilege	1752	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1752	msiexec.exe
Token: SeChangeNotifyPrivilege	1752	msiexec.exe
Token: SeRemoteShutdownPrivilege	1752	msiexec.exe
Token: SeUndockPrivilege	1752	msiexec.exe
Token: SeSyncAgentPrivilege	1752	msiexec.exe
Token: SeEnableDelegationPrivilege	1752	msiexec.exe
Token: SeManageVolumePrivilege	1752	msiexec.exe
Token: SeImpersonatePrivilege	1752	msiexec.exe
Token: SeCreateGlobalPrivilege	1752	msiexec.exe
Token: SeCreateTokenPrivilege	1752	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1752	msiexec.exe
Token: SeLockMemoryPrivilege	1752	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1752	msiexec.exe
Token: SeMachineAccountPrivilege	1752	msiexec.exe
Token: SeTcbPrivilege	1752	msiexec.exe
Token: SeSecurityPrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeLoadDriverPrivilege	1752	msiexec.exe
Token: SeSystemProfilePrivilege	1752	msiexec.exe
Token: SeSystemtimePrivilege	1752	msiexec.exe
Token: SeProfSingleProcessPrivilege	1752	msiexec.exe
Token: SeIncBasePriorityPrivilege	1752	msiexec.exe
Token: SeCreatePagefilePrivilege	1752	msiexec.exe
Token: SeCreatePermanentPrivilege	1752	msiexec.exe
Token: SeBackupPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeShutdownPrivilege	1752	msiexec.exe
Token: SeDebugPrivilege	1752	msiexec.exe
Token: SeAuditPrivilege	1752	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1752	msiexec.exe
Token: SeChangeNotifyPrivilege	1752	msiexec.exe
Token: SeRemoteShutdownPrivilege	1752	msiexec.exe
Token: SeUndockPrivilege	1752	msiexec.exe
Token: SeSyncAgentPrivilege	1752	msiexec.exe
Token: SeEnableDelegationPrivilege	1752	msiexec.exe
Token: SeManageVolumePrivilege	1752	msiexec.exe
Token: SeImpersonatePrivilege	1752	msiexec.exe
Token: SeCreateGlobalPrivilege	1752	msiexec.exe
Token: SeCreateTokenPrivilege	1752	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1752	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1980	3016	msiexec.exe	29
PID 3016 wrote to memory of 1980	3016	msiexec.exe	29
PID 3016 wrote to memory of 1980	3016	msiexec.exe	29
PID 3016 wrote to memory of 1980	3016	msiexec.exe	29
PID 3016 wrote to memory of 1980	3016	msiexec.exe	29
PID 3016 wrote to memory of 1980	3016	msiexec.exe	29
PID 3016 wrote to memory of 1980	3016	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\BakerBoostApp.msi
1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1752

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F352F4030E575E29762003C25CC956A0 C
  2⤵
  - Loads dropped DLL
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI1842.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI18BF.tmp

Filesize
128KB

MD5
e7130356ea53496ddece977e9ba65f8d

SHA1
304cffc716bb076df33a19c5704efbf4e4d4b261

SHA256
58f3eb99af59d604882036ade8c1322e7bad372f54f51dc06ce8d4f38ed32e2f

SHA512
dee8eb360073801deb705523417763e2a16dc33d6c586fed32891cf327e521f2670bbe9419aeaa9065e90ac9fa76e258242e65fd7c3c981a2a6906d87c514142

Download Submit
\Users\Admin\AppData\Local\Temp\MSI18BF.tmp

Filesize
192KB

MD5
60e67248c2bbebdd7a5d5d08dbd0a558

SHA1
eaf4fa8717ceb45d1a1efe1e47590bdd1a314a39

SHA256
9195d846a0107df9a90a1ea6912a0da8addbd6cb6d7c4f2ace6736d597a09938

SHA512
11739ea89f4e33cea0d067b0911f62d0f1ad884b4c5fd6008676bb6d779b624171c151fbd786ac517e8e7fc02ede8d822d32baedc6318c951059bad8f6fc8bd5

Download Submit