089dc9a23f5eb868a6f6b8a6a901c2a29faef113ad296c8d40f6ce9de60f4b2d

Analysis

max time kernel
22s
max time network
23s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AcroPro.msi
Size

12.6MB
MD5

532a49d9023337714c1ce4ba11f2efd2
SHA1

4c1959149f03212a5112cc4c6256b22c7455233e
SHA256

089dc9a23f5eb868a6f6b8a6a901c2a29faef113ad296c8d40f6ce9de60f4b2d
SHA512

2f43e077f25b1c9243b4ec6f7901c59c62d8caa45cca183490d62409a2ae7ca69a84dd36bbe21805ff3bdacb03aee9c4f255c5b3db50eee6a17e0cc5929eb61c
SSDEEP

98304:/iD6IPdb7aDxMoPE1Oul7NhJLMYydUEooaKI:wPt7aDxMouOeHJLiGBKI

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2616	MsiExec.exe
2244	MsiExec.exe
2244	MsiExec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2632	msiexec.exe
5	2632	msiexec.exe
7	2632	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2724	msiexec.exe
Token: SeTakeOwnershipPrivilege	2724	msiexec.exe
Token: SeSecurityPrivilege	2724	msiexec.exe
Token: SeCreateTokenPrivilege	2632	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2632	msiexec.exe
Token: SeLockMemoryPrivilege	2632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2632	msiexec.exe
Token: SeMachineAccountPrivilege	2632	msiexec.exe
Token: SeTcbPrivilege	2632	msiexec.exe
Token: SeSecurityPrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeLoadDriverPrivilege	2632	msiexec.exe
Token: SeSystemProfilePrivilege	2632	msiexec.exe
Token: SeSystemtimePrivilege	2632	msiexec.exe
Token: SeProfSingleProcessPrivilege	2632	msiexec.exe
Token: SeIncBasePriorityPrivilege	2632	msiexec.exe
Token: SeCreatePagefilePrivilege	2632	msiexec.exe
Token: SeCreatePermanentPrivilege	2632	msiexec.exe
Token: SeBackupPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeShutdownPrivilege	2632	msiexec.exe
Token: SeDebugPrivilege	2632	msiexec.exe
Token: SeAuditPrivilege	2632	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2632	msiexec.exe
Token: SeChangeNotifyPrivilege	2632	msiexec.exe
Token: SeRemoteShutdownPrivilege	2632	msiexec.exe
Token: SeUndockPrivilege	2632	msiexec.exe
Token: SeSyncAgentPrivilege	2632	msiexec.exe
Token: SeEnableDelegationPrivilege	2632	msiexec.exe
Token: SeManageVolumePrivilege	2632	msiexec.exe
Token: SeImpersonatePrivilege	2632	msiexec.exe
Token: SeCreateGlobalPrivilege	2632	msiexec.exe
Token: SeCreateTokenPrivilege	2632	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2632	msiexec.exe
Token: SeLockMemoryPrivilege	2632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2632	msiexec.exe
Token: SeMachineAccountPrivilege	2632	msiexec.exe
Token: SeTcbPrivilege	2632	msiexec.exe
Token: SeSecurityPrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeLoadDriverPrivilege	2632	msiexec.exe
Token: SeSystemProfilePrivilege	2632	msiexec.exe
Token: SeSystemtimePrivilege	2632	msiexec.exe
Token: SeProfSingleProcessPrivilege	2632	msiexec.exe
Token: SeIncBasePriorityPrivilege	2632	msiexec.exe
Token: SeCreatePagefilePrivilege	2632	msiexec.exe
Token: SeCreatePermanentPrivilege	2632	msiexec.exe
Token: SeBackupPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeShutdownPrivilege	2632	msiexec.exe
Token: SeDebugPrivilege	2632	msiexec.exe
Token: SeAuditPrivilege	2632	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2632	msiexec.exe
Token: SeChangeNotifyPrivilege	2632	msiexec.exe
Token: SeRemoteShutdownPrivilege	2632	msiexec.exe
Token: SeUndockPrivilege	2632	msiexec.exe
Token: SeSyncAgentPrivilege	2632	msiexec.exe
Token: SeEnableDelegationPrivilege	2632	msiexec.exe
Token: SeManageVolumePrivilege	2632	msiexec.exe
Token: SeImpersonatePrivilege	2632	msiexec.exe
Token: SeCreateGlobalPrivilege	2632	msiexec.exe
Token: SeCreateTokenPrivilege	2632	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2632	msiexec.exe
2632	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2616	2724	msiexec.exe	29
PID 2724 wrote to memory of 2616	2724	msiexec.exe	29
PID 2724 wrote to memory of 2616	2724	msiexec.exe	29
PID 2724 wrote to memory of 2616	2724	msiexec.exe	29
PID 2724 wrote to memory of 2616	2724	msiexec.exe	29
PID 2724 wrote to memory of 2616	2724	msiexec.exe	29
PID 2724 wrote to memory of 2616	2724	msiexec.exe	29
PID 2724 wrote to memory of 2244	2724	msiexec.exe	30
PID 2724 wrote to memory of 2244	2724	msiexec.exe	30
PID 2724 wrote to memory of 2244	2724	msiexec.exe	30
PID 2724 wrote to memory of 2244	2724	msiexec.exe	30
PID 2724 wrote to memory of 2244	2724	msiexec.exe	30

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AcroPro.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5C9FC022CFB6D008521CA824DF27FCC3 C
  2⤵
  - Loads dropped DLL
  PID:2616
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding B1CCC100175F466C3CF386515412A527 C
  2⤵
  - Loads dropped DLL
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab1576.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3715.tmp

Filesize
113KB

MD5
47b6f784519367df60e8912278b7b07c

SHA1
43f6e2cbf56c1bd749fa74679d50202ad98ae576

SHA256
6bba4005136f4681fd81d200762b6c81ab26a160ec9205facf5878d407ae0c39

SHA512
5b0b0f93ddd73da7778f99b7ce998ed954191c596dbd2a14f93a1c1f28a992772871bea734b304b9a4e15676fe262722d045497be4cdad5acea8fcd5bb382b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3162.tmp

Filesize
163KB

MD5
4e0ab63fb7ed0c7d5519b2cc7eaaac35

SHA1
9b12dd71bbf4d681e8db4d42176386bfe169b150

SHA256
264feed635a3349c9bbcef891cfdbf85c88cc5ac2ec854f7d3c019c11f957a0d

SHA512
0f3c1a083fb12f2512467513dbf7352917695f588fe11d854610dccb15bb4797d8e4623e2c238eb555c710c2ecce8acc4b18cb73fb9f721c53fa62ce875b9899

Download Submit
\Users\Admin\AppData\Local\Temp\MSI35CC.tmp

Filesize
141KB

MD5
edb88affffd67bca3523b41d3e2e4810

SHA1
0055b93907665fed56d22a7614a581a87d060ead

SHA256
4c3d85e7c49928af0f43623dcbed474a157ef50af3cba40b7fd7ac3fe3df2f15

SHA512
2b9d99c57bfa9ab00d8582d55b18c5bf155a4ac83cf4c92247be23c35be818b082b3d6fe38fa905d304d2d8b957f3db73428da88e46acc3a7e3fee99d05e4daf

Download Submit