83b8a52adde102c118a5c8a47fc9e83155601e0ab423b1887fa68a5e34cce1e6

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BakerBoostApp.msi
Size

5.9MB
MD5

9a05e7497c5a2baee4b4c314e832092e
SHA1

cbd8cdae6c39e1febcd52302d217e9cfec85ce6a
SHA256

0983c7e6d076e8006fa88d51e1363f275e009d6aa104eeab75cb6d228d708f38
SHA512

d837c08d8f38925bd8056e3a70d62299a84c0eba01e272a7ff5239f83e889c72f7e3e1e9be400cebf66d2c66fc4210f037aa69d89d51a8c33323d9400bb76f79
SSDEEP

49152:zJrYicL5MDwBMmImZTWsQcqh1fdG1CYlhazcpA3W6O4Ho9vH:1Yic5M/kTjAdGngimOx/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2240	MsiExec.exe
2240	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4456	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4456	msiexec.exe
Token: SeSecurityPrivilege	4692	msiexec.exe
Token: SeCreateTokenPrivilege	4456	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4456	msiexec.exe
Token: SeLockMemoryPrivilege	4456	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4456	msiexec.exe
Token: SeMachineAccountPrivilege	4456	msiexec.exe
Token: SeTcbPrivilege	4456	msiexec.exe
Token: SeSecurityPrivilege	4456	msiexec.exe
Token: SeTakeOwnershipPrivilege	4456	msiexec.exe
Token: SeLoadDriverPrivilege	4456	msiexec.exe
Token: SeSystemProfilePrivilege	4456	msiexec.exe
Token: SeSystemtimePrivilege	4456	msiexec.exe
Token: SeProfSingleProcessPrivilege	4456	msiexec.exe
Token: SeIncBasePriorityPrivilege	4456	msiexec.exe
Token: SeCreatePagefilePrivilege	4456	msiexec.exe
Token: SeCreatePermanentPrivilege	4456	msiexec.exe
Token: SeBackupPrivilege	4456	msiexec.exe
Token: SeRestorePrivilege	4456	msiexec.exe
Token: SeShutdownPrivilege	4456	msiexec.exe
Token: SeDebugPrivilege	4456	msiexec.exe
Token: SeAuditPrivilege	4456	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4456	msiexec.exe
Token: SeChangeNotifyPrivilege	4456	msiexec.exe
Token: SeRemoteShutdownPrivilege	4456	msiexec.exe
Token: SeUndockPrivilege	4456	msiexec.exe
Token: SeSyncAgentPrivilege	4456	msiexec.exe
Token: SeEnableDelegationPrivilege	4456	msiexec.exe
Token: SeManageVolumePrivilege	4456	msiexec.exe
Token: SeImpersonatePrivilege	4456	msiexec.exe
Token: SeCreateGlobalPrivilege	4456	msiexec.exe
Token: SeCreateTokenPrivilege	4456	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4456	msiexec.exe
Token: SeLockMemoryPrivilege	4456	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4456	msiexec.exe
Token: SeMachineAccountPrivilege	4456	msiexec.exe
Token: SeTcbPrivilege	4456	msiexec.exe
Token: SeSecurityPrivilege	4456	msiexec.exe
Token: SeTakeOwnershipPrivilege	4456	msiexec.exe
Token: SeLoadDriverPrivilege	4456	msiexec.exe
Token: SeSystemProfilePrivilege	4456	msiexec.exe
Token: SeSystemtimePrivilege	4456	msiexec.exe
Token: SeProfSingleProcessPrivilege	4456	msiexec.exe
Token: SeIncBasePriorityPrivilege	4456	msiexec.exe
Token: SeCreatePagefilePrivilege	4456	msiexec.exe
Token: SeCreatePermanentPrivilege	4456	msiexec.exe
Token: SeBackupPrivilege	4456	msiexec.exe
Token: SeRestorePrivilege	4456	msiexec.exe
Token: SeShutdownPrivilege	4456	msiexec.exe
Token: SeDebugPrivilege	4456	msiexec.exe
Token: SeAuditPrivilege	4456	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4456	msiexec.exe
Token: SeChangeNotifyPrivilege	4456	msiexec.exe
Token: SeRemoteShutdownPrivilege	4456	msiexec.exe
Token: SeUndockPrivilege	4456	msiexec.exe
Token: SeSyncAgentPrivilege	4456	msiexec.exe
Token: SeEnableDelegationPrivilege	4456	msiexec.exe
Token: SeManageVolumePrivilege	4456	msiexec.exe
Token: SeImpersonatePrivilege	4456	msiexec.exe
Token: SeCreateGlobalPrivilege	4456	msiexec.exe
Token: SeCreateTokenPrivilege	4456	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4456	msiexec.exe
Token: SeLockMemoryPrivilege	4456	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4456	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 2240	4692	msiexec.exe	93
PID 4692 wrote to memory of 2240	4692	msiexec.exe	93
PID 4692 wrote to memory of 2240	4692	msiexec.exe	93

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\BakerBoostApp.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4456

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 07CA91C3130B18F8C907F1AD391A0206 C
  2⤵
  - Loads dropped DLL
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI952B.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit