Analysis

max time kernel: 120s
max time network: 131s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 19-01-2024 01:00
Static task: static1

Behavioral task: behavioral1
  Sample: ed531801b5b3b9d9acf36c8a26b184cea8d6eb639efb7b8d95a4c3c15bef0f02.msi
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: ed531801b5b3b9d9acf36c8a26b184cea8d6eb639efb7b8d95a4c3c15bef0f02.msi
  Resource: win10v2004-20231215-en
General

Target: ed531801b5b3b9d9acf36c8a26b184cea8d6eb639efb7b8d95a4c3c15bef0f02.msi
Size: 5.9MB
MD5: 0d447d480c60b9a215a27274452e0cef
SHA1: a8b374a55c3733a18208df26fb084ae7ca578337
SHA256: ed531801b5b3b9d9acf36c8a26b184cea8d6eb639efb7b8d95a4c3c15bef0f02
SHA512: 91a9d640a68dcf210682011d5dba3fd948670577bce50eb1502819e2115d6a74475ce671c3c56bce74be1eab7860989c3d135dd9a73b962c6b544b434fa5cf41
SSDEEP: 49152:azwWZizIP+y0IZJSKcrEu/RUoVX8noNWzbh5mCv9UyrlYSlZAvmKnoX8r6F5mCmR:ddk+OoVX8noWdv3dAvko6cYvA
Malware Config
Signatures

Loads dropped DLL (3 IoCs)
  pid   Process
  2928  MsiExec.exe
  2928  MsiExec.exe
  2928  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
Drops file in Windows directory (9 IoCs)
  description                   ioc                               Process
  File opened for modification  C:\Windows\Installer\MSIEC71.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIEEC3.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI5266.tmp  msiexec.exe
  File created                  C:\Windows\Installer\f76ebe5.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\f76ebe5.msi  msiexec.exe
  File created                  C:\Windows\Installer\f76ebe8.ipi  msiexec.exe
  File opened for modification  C:\Windows\Installer\             msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI52E5.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\f76ebe8.ipi  msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2128  msiexec.exe
  2128  msiexec.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
  description                            pid   Process
  Token: SeShutdownPrivilege             2080  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        2080  msiexec.exe
  Token: SeRestorePrivilege              2128  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2128  msiexec.exe
  Token: SeSecurityPrivilege             2128  msiexec.exe
  Token: SeCreateTokenPrivilege          2080  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege   2080  msiexec.exe
  Token: SeLockMemoryPrivilege           2080  msiexec.exe
  Token: SeIncreaseQuotaPrivilege        2080  msiexec.exe
  Token: SeMachineAccountPrivilege       2080  msiexec.exe
  Token: SeTcbPrivilege                  2080  msiexec.exe
  Token: SeSecurityPrivilege             2080  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2080  msiexec.exe
  Token: SeLoadDriverPrivilege           2080  msiexec.exe
  Token: SeSystemProfilePrivilege        2080  msiexec.exe
  Token: SeSystemtimePrivilege           2080  msiexec.exe
  Token: SeProfSingleProcessPrivilege    2080  msiexec.exe
  Token: SeIncBasePriorityPrivilege      2080  msiexec.exe
  Token: SeCreatePagefilePrivilege       2080  msiexec.exe
  Token: SeCreatePermanentPrivilege      2080  msiexec.exe
  Token: SeBackupPrivilege               2080  msiexec.exe
  Token: SeRestorePrivilege              2080  msiexec.exe
  Token: SeShutdownPrivilege             2080  msiexec.exe
  Token: SeDebugPrivilege                2080  msiexec.exe
  Token: SeAuditPrivilege                2080  msiexec.exe
  Token: SeSystemEnvironmentPrivilege    2080  msiexec.exe
  Token: SeChangeNotifyPrivilege         2080  msiexec.exe
  Token: SeRemoteShutdownPrivilege       2080  msiexec.exe
  Token: SeUndockPrivilege               2080  msiexec.exe
  Token: SeSyncAgentPrivilege            2080  msiexec.exe
  Token: SeEnableDelegationPrivilege     2080  msiexec.exe
  Token: SeManageVolumePrivilege         2080  msiexec.exe
  Token: SeImpersonatePrivilege          2080  msiexec.exe
  Token: SeCreateGlobalPrivilege         2080  msiexec.exe
  Token: SeRestorePrivilege              2128  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2128  msiexec.exe
  Token: SeRestorePrivilege              2128  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2128  msiexec.exe
  Token: SeRestorePrivilege              2128  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2128  msiexec.exe
  Token: SeRestorePrivilege              2128  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2128  msiexec.exe
  Token: SeRestorePrivilege              2128  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2128  msiexec.exe
  Token: SeRestorePrivilege              2128  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2128  msiexec.exe
  Token: SeRestorePrivilege              2128  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2128  msiexec.exe
  Token: SeRestorePrivilege              2128  msiexec.exe
  Token: SeTakeOwnershipPrivilege        2128  msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  2080  msiexec.exe
  2080  msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  description                         pid   Process      procid_target
  PID 2128 wrote to memory of 2928    2128  msiexec.exe  30
  PID 2128 wrote to memory of 2928    2128  msiexec.exe  30
  PID 2128 wrote to memory of 2928    2128  msiexec.exe  30
  PID 2128 wrote to memory of 2928    2128  msiexec.exe  30
  PID 2128 wrote to memory of 2928    2128  msiexec.exe  30
  PID 2128 wrote to memory of 2928    2128  msiexec.exe  30
  PID 2128 wrote to memory of 2928    2128  msiexec.exe  30
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ed531801b5b3b9d9acf36c8a26b184cea8d6eb639efb7b8d95a4c3c15bef0f02.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2080

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2128

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A5C0F3DC00FCC1BAFC7603DEAD96C75E
    - Loads dropped DLL
    PID: 2928
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 852B
  MD5: 6ca4f7d50148b0fcfa0e00e8d42279d1
  SHA1: 24ce522e2b74c2d80d15b29d91e318f645a2f594
  SHA256: 46c04c9d35c9b8f871d96e127f99e4912f62b6bb42f7b16f7b482c2c2c551f7c
  SHA512: a266e11656811a1c6b86eaac8706fe3451ac439c4ffed24774c4ab219de8d71d5e734806a6186b0a49c10b4473fd76011e583904ebd17aac3da26dcbe7850b00

Filesize: 5.1MB
  MD5: 4e8fd39447ba08a6d52191044f67925b
  SHA1: ca6cdc51b8c13c6bcc284481aa6fabbcb04ef6f2
  SHA256: 4b9ae60ef6307880eded379b7a0fa3051fd5bfceb03b50598cb8e34330140a95
  SHA512: b059cf50c19e2a3124c16eb71dc5ff8ecb2396cea1d4be7f2f017a7f7917072780ab05aad732c72b7901a2fa7e8ced8718796152f0f7b9a11d6b7dab04e30b56

Filesize: 557KB
  MD5: 2c9c51ac508570303c6d46c0571ea3a1
  SHA1: e3e0fe08fa11a43c8bca533f212bdf0704c726d5
  SHA256: ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
  SHA512: df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127