Analysis
- max time kernel: 146s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2023, 19:35
Static task: static1
Behavioral task: behavioral1
- Sample: AcroPro.msi
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: AcroPro.msi
- Resource: win10v2004-20231215-en
General
- Target: AcroPro.msi
- Size: 12.6MB
- MD5: 532a49d9023337714c1ce4ba11f2efd2
- SHA1: 4c1959149f03212a5112cc4c6256b22c7455233e
- SHA256: 089dc9a23f5eb868a6f6b8a6a901c2a29faef113ad296c8d40f6ce9de60f4b2d
- SHA512: 2f43e077f25b1c9243b4ec6f7901c59c62d8caa45cca183490d62409a2ae7ca69a84dd36bbe21805ff3bdacb03aee9c4f255c5b3db50eee6a17e0cc5929eb61c
- SSDEEP: 98304:/iD6IPdb7aDxMoPE1Oul7NhJLMYydUEooaKI:wPt7aDxMouOeHJLiGBKI
Malware Config
Signatures
-
Loads dropped DLL (10 IoCs)
pid   Process      Entries
976   MsiExec.exe  1
4436  MsiExec.exe  9
Blocklisted process makes network request (2 IoCs)
flow  pid   Process
7     4336  msiexec.exe
12    4336  msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)   Process: msiexec.exe
ioc: each of the 23 root paths below appears twice in the list (both msiexec.exe processes in the tree, PID 4336 and PID 2108, carry this signature):
\??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in System32 directory (8 IoCs)
description: File opened for modification   Process: msiexec.exe
ioc: under C:\Windows\SysWOW64\ (the 32-bit system directory on x64 Windows): mfcm110.dll, mfcm110u.dll, atl110.dll, msvcr110.dll, msvcp110.dll, vccorlib110.dll, mfc110.dll, mfc110u.dll
These file names are the 32-bit Visual C++ 2012 (v110) runtime set that installers commonly carry; the signature fires on the write to a system directory, not on the content of the DLLs.
Drops file in Program Files directory (2 IoCs)
description: File opened for modification   Process: msiexec.exe
ioc: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
ioc: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 entries are attributed to msiexec.exe itself; no other process enables privileges in this run.
pid   Process      Token
2108  msiexec.exe  SeSecurityPrivilege (1 entry)
4336  msiexec.exe  63 entries: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following set of 29 privileges in order, twice in full and a third time up to SeLockMemoryPrivilege:
      SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
4336  msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description                        pid   Process      procid_target  Entries
PID 2108 wrote to memory of 976    2108  msiexec.exe  94             3
PID 2108 wrote to memory of 4436   2108  msiexec.exe  95             2
Processes
- C:\Windows\system32\msiexec.exe (PID 4336)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AcroPro.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2108)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 976, child of 2108)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2A8AA9B34677FE6443CA6729D7CA4FA8 C
    - Loads dropped DLL
  - C:\Windows\System32\MsiExec.exe (PID 4436, child of 2108)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 30D04CCB9817E832F46AFD7CBDF9946B C
    - Loads dropped DLL
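The tree above has the usual Windows Installer shape: the user-launched msiexec /I hands the package to the installer service instance (msiexec /V), which spawns the MsiExec -Embedding server processes (one 32-bit under SysWOW64, one 64-bit) and writes into them, which is what the WriteProcessMemory entries record. When triaging an installer run, the question is not whether msiexec wrote to another process but whether every write and every -Embedding child is tied to the service instance. The script below is an added example, not part of the report or of any sandbox vendor's code; it encodes the tree and the five WriteProcessMemory events as constructed records taken from the sections above, and the anomalous records in the usage notes are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str              # image path exactly as the sandbox printed it
    cmdline: str
    parent: Optional[int]   # None where the report shows the process as a tree root


# Constructed from the Processes section; parent links follow the report's nesting.
TREE: List[Proc] = [
    Proc(4336, r"C:\Windows\system32\msiexec.exe",
         r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AcroPro.msi", None),
    Proc(2108, r"C:\Windows\system32\msiexec.exe",
         r"C:\Windows\system32\msiexec.exe /V", None),
    Proc(976, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding 2A8AA9B34677FE6443CA6729D7CA4FA8 C", 2108),
    Proc(4436, r"C:\Windows\System32\MsiExec.exe",
         r"C:\Windows\System32\MsiExec.exe -Embedding 30D04CCB9817E832F46AFD7CBDF9946B C", 2108),
]

# (writer pid, target pid) pairs from the WriteProcessMemory signature:
# three writes into 976 and two into 4436, all by 2108.
WPM_EVENTS: List[Tuple[int, int]] = [(2108, 976)] * 3 + [(2108, 4436)] * 2


def by_pid(tree: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in tree}


def is_msiexec(p: Proc) -> bool:
    return p.image.lower().endswith(r"\msiexec.exe")


def is_installer_service(p: Proc) -> bool:
    """msiexec.exe started with /V is the Windows Installer service instance."""
    return is_msiexec(p) and p.cmdline.split()[-1].upper() == "/V"


def is_embedding_server(p: Proc) -> bool:
    """MsiExec -Embedding <id> processes are the servers the service launches."""
    return is_msiexec(p) and "-Embedding" in p.cmdline.split()


def orphaned_embedding_servers(tree: List[Proc]) -> List[int]:
    """PIDs of -Embedding MsiExec processes whose parent is not the installer service."""
    procs = by_pid(tree)
    bad = []
    for p in tree:
        if not is_embedding_server(p):
            continue
        parent = procs.get(p.parent) if p.parent is not None else None
        if parent is None or not is_installer_service(parent):
            bad.append(p.pid)
    return bad


def unexpected_memory_writes(tree: List[Proc], events: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Writes that are not the installer service writing into one of its own children."""
    procs = by_pid(tree)
    out = []
    for writer, target in events:
        w, t = procs.get(writer), procs.get(target)
        if w is None or t is None or not is_installer_service(w) or t.parent != writer:
            out.append((writer, target))
    return out


if __name__ == "__main__":
    print("orphaned -Embedding servers:", orphaned_embedding_servers(TREE))
    print("unexpected memory writes:", unexpected_memory_writes(TREE, WPM_EVENTS))
```

On the report's data both checks return empty lists, which is the expected result for an installer. A hypothetical write from PID 4336 (the msiexec /I client) into 976, or a -Embedding MsiExec whose parent is anything other than the /V service instance, would be reported and is the kind of deviation worth a closer look.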
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 141KB
  MD5: edb88affffd67bca3523b41d3e2e4810
  SHA1: 0055b93907665fed56d22a7614a581a87d060ead
  SHA256: 4c3d85e7c49928af0f43623dcbed474a157ef50af3cba40b7fd7ac3fe3df2f15
  SHA512: 2b9d99c57bfa9ab00d8582d55b18c5bf155a4ac83cf4c92247be23c35be818b082b3d6fe38fa905d304d2d8b957f3db73428da88e46acc3a7e3fee99d05e4daf
- Filesize: 139KB
  MD5: 5a5b544fc413d0eb2de803608e19e545
  SHA1: 08db67f479a430a05907f2a3641d3664b37f0367
  SHA256: 8e9fb98042491ab2f1c2a6460bd1c0ed0e43f63ebb10e140914e3c652ca32750
  SHA512: 09f3dcc3d3b88f79bd2e2e6e31ac46f0fddbea6f0758f6124709929698417d4020cefc5b1b923683db02644e8e035d7fdd8c9b7f89893803fe0f5001efb5c89a
- Filesize: 592KB
  MD5: 1e16a683c485122abb502de1156be953
  SHA1: e060b72d764eb499aa978fd6762077d5a45158a7
  SHA256: 3a6f087f4f8075622f588b52035a36c98f2cf13827d47e9565d3f50c10668b2b
  SHA512: d4acd5a6b97a5eb180e3066d69de715e1bf0ae4dbd6e4a13a5cb216e892ec43fccba7b081186f3ddfec9efebc25d5269df92d792c8d2939e3d6b65df488ef4d9
- Filesize: 381KB
  MD5: 2f115322cf8a6591a2c6ccb760c736b3
  SHA1: fea7ae797d4969e39eadf81336a81b58ad41cba1
  SHA256: 85bc48955dd7b2c8692a9a204938a4f98d677c817711b7958e1278a1b7ecc738
  SHA512: 5c54196571c84e062c896def01bd06dda5dc81439ef16c2108cdf55b28fa4ca739c1f0ce3c3bc4632960f3876ef405610a5b4bfad1cecb22141766ce0ff2f6b5
- Filesize: 92KB
  MD5: 4f4b53e0aab6c0fa828d79b73eff61fe
  SHA1: 6a4d4a3eae683437de2552f9b241234c7cdd2abf
  SHA256: 8d7c95c7df699c5575a866670d7b728786cef490a3cd64f7018b49dff718f0eb
  SHA512: aea4ee6ec96e7cc477b188243c129d3ec5651efa5fa09ac92c1a2988195868171a8a97d82f0bb0b44ea1a6805cf17c24b9e1c0995ca9ae5581cc30b3d5d52c6d