ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345

Resubmissions

11/01/2024, 04:17

240111-ewj4tsfcf9 7

11/01/2024, 04:09

10/01/2024, 02:48

10/01/2024, 02:33

10/01/2024, 02:10

10/01/2024, 01:31

Analysis

max time kernel
225s
max time network
221s
platform
windows7_x64
resource
win7-20231215-es
resource tags

arch:x64arch:x86image:win7-20231215-eslocale:es-esos:windows7-x64systemwindows
submitted
11/01/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal.zip
Size

4.5MB
MD5

15a36183a2d2c4a43f7f203548fbcb04
SHA1

3ce2a3904eeef714abec465b55a0c20f6e47b079
SHA256

ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345
SHA512

67325d485999e25cbe1c31162af5f3f081de3a22b15cd7b79470c20276a4fb299762835d94e7a4ffa4756b41df9eba7d692d84d455d7645e5e09386a09b18e4f
SSDEEP

98304:pOA4lR+FGuh9N2fQdB9ySsivCYOxSeWs10MS9UVmpLhVGQvnUQqy5H+:pSR+FGugfQdB9vlvChWmdS9U2LHFZF+

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2992	MsiExec.exe
2992	MsiExec.exe
2992	MsiExec.exe
2992	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2992	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f77aa24.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77aa24.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAEC7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD22.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD81.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAAA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF83.tmp	msiexec.exe
File created	C:\Windows\Installer\f77aa27.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2900	msiexec.exe
2900	msiexec.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2900	msiexec.exe
Token: SeTakeOwnershipPrivilege	2900	msiexec.exe
Token: SeSecurityPrivilege	2900	msiexec.exe
Token: SeCreateTokenPrivilege	2648	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2648	msiexec.exe
Token: SeLockMemoryPrivilege	2648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2648	msiexec.exe
Token: SeMachineAccountPrivilege	2648	msiexec.exe
Token: SeTcbPrivilege	2648	msiexec.exe
Token: SeSecurityPrivilege	2648	msiexec.exe
Token: SeTakeOwnershipPrivilege	2648	msiexec.exe
Token: SeLoadDriverPrivilege	2648	msiexec.exe
Token: SeSystemProfilePrivilege	2648	msiexec.exe
Token: SeSystemtimePrivilege	2648	msiexec.exe
Token: SeProfSingleProcessPrivilege	2648	msiexec.exe
Token: SeIncBasePriorityPrivilege	2648	msiexec.exe
Token: SeCreatePagefilePrivilege	2648	msiexec.exe
Token: SeCreatePermanentPrivilege	2648	msiexec.exe
Token: SeBackupPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2648	msiexec.exe
Token: SeShutdownPrivilege	2648	msiexec.exe
Token: SeDebugPrivilege	2648	msiexec.exe
Token: SeAuditPrivilege	2648	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2648	msiexec.exe
Token: SeChangeNotifyPrivilege	2648	msiexec.exe
Token: SeRemoteShutdownPrivilege	2648	msiexec.exe
Token: SeUndockPrivilege	2648	msiexec.exe
Token: SeSyncAgentPrivilege	2648	msiexec.exe
Token: SeEnableDelegationPrivilege	2648	msiexec.exe
Token: SeManageVolumePrivilege	2648	msiexec.exe
Token: SeImpersonatePrivilege	2648	msiexec.exe
Token: SeCreateGlobalPrivilege	2648	msiexec.exe
Token: SeRestorePrivilege	2900	msiexec.exe
Token: SeTakeOwnershipPrivilege	2900	msiexec.exe
Token: SeRestorePrivilege	2900	msiexec.exe
Token: SeTakeOwnershipPrivilege	2900	msiexec.exe
Token: SeRestorePrivilege	2900	msiexec.exe
Token: SeTakeOwnershipPrivilege	2900	msiexec.exe
Token: SeRestorePrivilege	2900	msiexec.exe
Token: SeTakeOwnershipPrivilege	2900	msiexec.exe
Token: SeRestorePrivilege	2900	msiexec.exe
Token: SeTakeOwnershipPrivilege	2900	msiexec.exe
Token: SeRestorePrivilege	2900	msiexec.exe
Token: SeTakeOwnershipPrivilege	2900	msiexec.exe
Token: SeRestorePrivilege	2900	msiexec.exe
Token: SeTakeOwnershipPrivilege	2900	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2648	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2992	MsiExec.exe
2992	MsiExec.exe
2992	MsiExec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2992	2900	msiexec.exe	37
PID 2900 wrote to memory of 2992	2900	msiexec.exe	37
PID 2900 wrote to memory of 2992	2900	msiexec.exe	37
PID 2900 wrote to memory of 2992	2900	msiexec.exe	37
PID 2900 wrote to memory of 2992	2900	msiexec.exe	37
PID 2900 wrote to memory of 2992	2900	msiexec.exe	37
PID 2900 wrote to memory of 2992	2900	msiexec.exe	37

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mal.zip
1⤵
PID:2472

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2796

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C7512015DC8EE1B72498F127DE0071BA
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - Suspicious use of SetWindowsHookEx
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIAAA1.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSICD81.tmp

Filesize
1.5MB

MD5
0fe8a187f05057815daa5b753259693d

SHA1
565ddd946b6d9a5125cc0493931aa658824652bb

SHA256
a0c545392c7498f213c0cb4eaf9fb65611aabd06f1d69e2ca9b9e4b9f466cf5a

SHA512
57bcb97dee0019191148feb8e4f8bd796e350734e3bcc47e511d79a25086d312b7bc1cb887654f31e14368308128354255b654d6bdb330a6c4af86f434ab3648

Download Submit
\Windows\Installer\MSICD81.tmp

Filesize
862KB

MD5
9a4ef4d1ad0c94a170f694426d92606f

SHA1
737b357f5e7482bb42c271dc2c20aadeb1f66294

SHA256
c1427d4ad9f5bf9a57136746125aa5c125d470181b7d8005787be1cfb6f17310

SHA512
c7a59d3f5b76eb817a567b0825e9a8447b741cca26599841417535a458c910188749d1991d7c7b26c80e4719b564f79baa09a7166c8cea536051da561e25ccca

Download Submit
memory/2992-21-0x0000000072630000-0x0000000073187000-memory.dmp

Filesize
11.3MB

Download