ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345

Resubmissions

11/01/2024, 04:17

240111-ewj4tsfcf9 7

11/01/2024, 04:09

10/01/2024, 02:48

10/01/2024, 02:33

10/01/2024, 02:10

10/01/2024, 01:31

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20231215-es
resource tags

arch:x64arch:x86image:win7-20231215-eslocale:es-esos:windows7-x64systemwindows
submitted
11/01/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal.zip
Size

4.5MB
MD5

15a36183a2d2c4a43f7f203548fbcb04
SHA1

3ce2a3904eeef714abec465b55a0c20f6e47b079
SHA256

ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345
SHA512

67325d485999e25cbe1c31162af5f3f081de3a22b15cd7b79470c20276a4fb299762835d94e7a4ffa4756b41df9eba7d692d84d455d7645e5e09386a09b18e4f
SSDEEP

98304:pOA4lR+FGuh9N2fQdB9ySsivCYOxSeWs10MS9UVmpLhVGQvnUQqy5H+:pSR+FGugfQdB9vlvChWmdS9U2LHFZF+

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1616	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7916.tmp	msiexec.exe
File created	C:\Windows\Installer\f7778bc.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0D4.tmp	msiexec.exe
File created	C:\Windows\Installer\f7778b9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D5C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA134.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7778bc.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7778b9.msi	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2908	msiexec.exe
2908	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	784	msiexec.exe
Token: SeIncreaseQuotaPrivilege	784	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeSecurityPrivilege	2908	msiexec.exe
Token: SeCreateTokenPrivilege	784	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	784	msiexec.exe
Token: SeLockMemoryPrivilege	784	msiexec.exe
Token: SeIncreaseQuotaPrivilege	784	msiexec.exe
Token: SeMachineAccountPrivilege	784	msiexec.exe
Token: SeTcbPrivilege	784	msiexec.exe
Token: SeSecurityPrivilege	784	msiexec.exe
Token: SeTakeOwnershipPrivilege	784	msiexec.exe
Token: SeLoadDriverPrivilege	784	msiexec.exe
Token: SeSystemProfilePrivilege	784	msiexec.exe
Token: SeSystemtimePrivilege	784	msiexec.exe
Token: SeProfSingleProcessPrivilege	784	msiexec.exe
Token: SeIncBasePriorityPrivilege	784	msiexec.exe
Token: SeCreatePagefilePrivilege	784	msiexec.exe
Token: SeCreatePermanentPrivilege	784	msiexec.exe
Token: SeBackupPrivilege	784	msiexec.exe
Token: SeRestorePrivilege	784	msiexec.exe
Token: SeShutdownPrivilege	784	msiexec.exe
Token: SeDebugPrivilege	784	msiexec.exe
Token: SeAuditPrivilege	784	msiexec.exe
Token: SeSystemEnvironmentPrivilege	784	msiexec.exe
Token: SeChangeNotifyPrivilege	784	msiexec.exe
Token: SeRemoteShutdownPrivilege	784	msiexec.exe
Token: SeUndockPrivilege	784	msiexec.exe
Token: SeSyncAgentPrivilege	784	msiexec.exe
Token: SeEnableDelegationPrivilege	784	msiexec.exe
Token: SeManageVolumePrivilege	784	msiexec.exe
Token: SeImpersonatePrivilege	784	msiexec.exe
Token: SeCreateGlobalPrivilege	784	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe
Token: SeRestorePrivilege	2908	msiexec.exe
Token: SeTakeOwnershipPrivilege	2908	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
784	msiexec.exe
784	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 1616	2908	msiexec.exe	38
PID 2908 wrote to memory of 1616	2908	msiexec.exe	38
PID 2908 wrote to memory of 1616	2908	msiexec.exe	38
PID 2908 wrote to memory of 1616	2908	msiexec.exe	38
PID 2908 wrote to memory of 1616	2908	msiexec.exe	38
PID 2908 wrote to memory of 1616	2908	msiexec.exe	38
PID 2908 wrote to memory of 1616	2908	msiexec.exe	38

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mal.zip
1⤵
PID:1864

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2356

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:784

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C71F1C73CC2B2C0E9DB00CE3327AD51
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - Suspicious use of SetWindowsHookEx
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI7916.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSIA134.tmp

Filesize
1.3MB

MD5
6b7952f75226dbee67b821475293fcd8

SHA1
24b6101ab65b2676166aa5117eaa0aacd8c7442a

SHA256
7f5b7e6b865e4df50ee082520e0264124581f30681767b7051a168024389f53a

SHA512
678ca43275105200c127af34713569398e46853c40e4d420259d48d20ced8f11c0f183260faa1f17a8961074fab82c4ceb5a3dd1333d80f06a638683eef3009f

Download Submit
\Windows\Installer\MSIA134.tmp

Filesize
623KB

MD5
25845a7ef27d60301cfe4b74f72c3dac

SHA1
1b705544bc09da4adb2f9e78726ee6b2064c787c

SHA256
63653f890a72bd56e6f8ba9ee348db614c36f8808d15d4de7e543a1d5afa89e2

SHA512
6017850469aa0888ca6ab0fb887ec7c7e4cc5743794919069292bde845b3dc6ba5999284e93e9244fef48c9ea0d952b66fd02153615634b95f56cc8321fec753

Download Submit
memory/1616-21-0x0000000072C10000-0x0000000073767000-memory.dmp

Filesize
11.3MB

Download