ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345

Resubmissions

11/01/2024, 04:17

240111-ewj4tsfcf9 7

11/01/2024, 04:09

10/01/2024, 02:48

10/01/2024, 02:33

10/01/2024, 02:10

10/01/2024, 01:31

Analysis

max time kernel
598s
max time network
600s
platform
windows10-2004_x64
resource
win10v2004-20231215-es
resource tags

arch:x64arch:x86image:win10v2004-20231215-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
11/01/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal.zip
Size

4.5MB
MD5

15a36183a2d2c4a43f7f203548fbcb04
SHA1

3ce2a3904eeef714abec465b55a0c20f6e47b079
SHA256

ebb825664642befb034e02fdac2c2ed618f2832e563f1380f8f02e738e477345
SHA512

67325d485999e25cbe1c31162af5f3f081de3a22b15cd7b79470c20276a4fb299762835d94e7a4ffa4756b41df9eba7d692d84d455d7645e5e09386a09b18e4f
SSDEEP

98304:pOA4lR+FGuh9N2fQdB9ySsivCYOxSeWs10MS9UVmpLhVGQvnUQqy5H+:pSR+FGugfQdB9vlvChWmdS9U2LHFZF+

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
1200	MsiExec.exe
1200	MsiExec.exe
1200	MsiExec.exe
1200	MsiExec.exe
1200	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
145	1200	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDDC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE2B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e599dbd.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB79.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB2A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7DYJWJJG-5WYX-D1PV-Y0NY-AXWN09PCNPKD}	msiexec.exe
File created	C:\Windows\Installer\e599dbd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EA7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA281.tmp	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1836	msiexec.exe
1836	msiexec.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1976	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1976	msiexec.exe
Token: SeSecurityPrivilege	1836	msiexec.exe
Token: SeCreateTokenPrivilege	1976	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1976	msiexec.exe
Token: SeLockMemoryPrivilege	1976	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1976	msiexec.exe
Token: SeMachineAccountPrivilege	1976	msiexec.exe
Token: SeTcbPrivilege	1976	msiexec.exe
Token: SeSecurityPrivilege	1976	msiexec.exe
Token: SeTakeOwnershipPrivilege	1976	msiexec.exe
Token: SeLoadDriverPrivilege	1976	msiexec.exe
Token: SeSystemProfilePrivilege	1976	msiexec.exe
Token: SeSystemtimePrivilege	1976	msiexec.exe
Token: SeProfSingleProcessPrivilege	1976	msiexec.exe
Token: SeIncBasePriorityPrivilege	1976	msiexec.exe
Token: SeCreatePagefilePrivilege	1976	msiexec.exe
Token: SeCreatePermanentPrivilege	1976	msiexec.exe
Token: SeBackupPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1976	msiexec.exe
Token: SeShutdownPrivilege	1976	msiexec.exe
Token: SeDebugPrivilege	1976	msiexec.exe
Token: SeAuditPrivilege	1976	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1976	msiexec.exe
Token: SeChangeNotifyPrivilege	1976	msiexec.exe
Token: SeRemoteShutdownPrivilege	1976	msiexec.exe
Token: SeUndockPrivilege	1976	msiexec.exe
Token: SeSyncAgentPrivilege	1976	msiexec.exe
Token: SeEnableDelegationPrivilege	1976	msiexec.exe
Token: SeManageVolumePrivilege	1976	msiexec.exe
Token: SeImpersonatePrivilege	1976	msiexec.exe
Token: SeCreateGlobalPrivilege	1976	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1976	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1200	MsiExec.exe
1200	MsiExec.exe
1200	MsiExec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1200	1836	msiexec.exe	119
PID 1836 wrote to memory of 1200	1836	msiexec.exe	119
PID 1836 wrote to memory of 1200	1836	msiexec.exe	119

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\mal.zip
1⤵
PID:228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4756

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\mal\DHGVD67JH-7DVCJ7HF-E7CLJHE7YH-E67FBHCH-7992643.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A5940C783D1D6785DAB21049DEB284A2
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - Suspicious use of SetWindowsHookEx
  PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI9EA7.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI9EA7.tmp

Filesize
536KB

MD5
08443f649877d8684ca72368d820b46c

SHA1
ebd252bd5cfb4b798853a4d072b30a0a3aa2d825

SHA256
36612ff8cb2387af23f9a2c15a7031ade068e6eda38a503774b4d8a534cdafb9

SHA512
f2ec4bb1692de0e5e30c5b9cf484d2364b4be9ccafda6ced5d6e804660b13444523dfc9d4f06146217ef024dfe2820e92112cf8bf4826c86bdfbed7d4c6461f4

Download Submit
C:\Windows\Installer\MSIBE2B.tmp

Filesize
501KB

MD5
2c91bd371254bbdee30d9b90eff1d9c0

SHA1
94899a8f8e80ad55fa19473eb0ffc603b04ecdf0

SHA256
36dc916472365331171bfcb6b0c520c831813f12c5d8fd7be29e099ca3223b69

SHA512
04e0682be2bd3a326d6e4ad3f2f93d010766bd02b18686fee8198e5ee8183d9566e7c8ffcbad7127958e2fad0807e57e5423dda0bf24c42974cb91c1a49e9e61

Download Submit
C:\Windows\Installer\MSIBE2B.tmp

Filesize
757KB

MD5
681ca7f522141b2c2fa8df2588153275

SHA1
4ed98cd37c99e5562199b85c9c41f1b2406950b5

SHA256
43086eb5f7bec64159bcded5d4370dd20bf29cd06c1cafd36e9eccbe302d99d6

SHA512
d99b01a9552e0ce755d3ce13bc619949508f220468bc169d6fa2693cdb3ddb59191e7cc7438bb00c63e817f9a3e51506a599f23345f31edb72496396cf02b1ab

Download Submit
memory/1200-26-0x0000000073E30000-0x0000000074987000-memory.dmp

Filesize
11.3MB

Download