Analysis
max time kernel: 71s
max time network: 88s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 16:55
Static task: static1
Behavioral task: behavioral1
Sample: MAXQDA24_Setup (1).msi
Resource: win7-20231215-en
General
Target: MAXQDA24_Setup (1).msi
Size: 375.0MB
MD5: 11d8956afe36cefadfdeace4cc17326a
SHA1: 5b0505b3d371710867bad82e12f6add9169303a6
SHA256: 7b248e7cb7eda9cb1639260a4d8a83e32c9f398c80d64d71922ccaf730a3dddd
SHA512: f72293a22f831154f1591f779a2de6432af45d9368c70fb92b7758c4431e0e3d7e30a039f87d1fe1ce05710993b40aa07facc57cf8a9f7d516b05182de743f39
SSDEEP: 6291456:OSC5MXpntxbeRwAQiRME+iEYl/P3co+HC2dfezUKirtsYSrJeZfvf+k3O/u89kvU:pC5M5nLb9AOrUVco+zdHKcts/rcfvfbg
Malware Config
Signatures
Loads dropped DLL (4 IoCs)
Processes: MsiExec.exe, MsiExec.exe
pid | process
4720 | MsiExec.exe
3656 | MsiExec.exe
3656 | MsiExec.exe
3656 | MsiExec.exe
Blocklisted process makes network request (3 IoCs)
Processes: msiexec.exe
flow | pid | process
5 | 5100 | msiexec.exe
8 | 5100 | msiexec.exe
10 | 5100 | msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: MsiExec.exe
pid | process
3656 | MsiExec.exe
3656 | MsiExec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe
description | pid | process
Token: SeShutdownPrivilege | 5100 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5100 | msiexec.exe
Token: SeSecurityPrivilege | 1080 | msiexec.exe
Token: SeCreateTokenPrivilege | 5100 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 5100 | msiexec.exe
Token: SeLockMemoryPrivilege | 5100 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5100 | msiexec.exe
Token: SeMachineAccountPrivilege | 5100 | msiexec.exe
Token: SeTcbPrivilege | 5100 | msiexec.exe
Token: SeSecurityPrivilege | 5100 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5100 | msiexec.exe
Token: SeLoadDriverPrivilege | 5100 | msiexec.exe
Token: SeSystemProfilePrivilege | 5100 | msiexec.exe
Token: SeSystemtimePrivilege | 5100 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 5100 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 5100 | msiexec.exe
Token: SeCreatePagefilePrivilege | 5100 | msiexec.exe
Token: SeCreatePermanentPrivilege | 5100 | msiexec.exe
Token: SeBackupPrivilege | 5100 | msiexec.exe
Token: SeRestorePrivilege | 5100 | msiexec.exe
Token: SeShutdownPrivilege | 5100 | msiexec.exe
Token: SeDebugPrivilege | 5100 | msiexec.exe
Token: SeAuditPrivilege | 5100 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 5100 | msiexec.exe
Token: SeChangeNotifyPrivilege | 5100 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 5100 | msiexec.exe
Token: SeUndockPrivilege | 5100 | msiexec.exe
Token: SeSyncAgentPrivilege | 5100 | msiexec.exe
Token: SeEnableDelegationPrivilege | 5100 | msiexec.exe
Token: SeManageVolumePrivilege | 5100 | msiexec.exe
Token: SeImpersonatePrivilege | 5100 | msiexec.exe
Token: SeCreateGlobalPrivilege | 5100 | msiexec.exe
Token: SeCreateTokenPrivilege | 5100 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 5100 | msiexec.exe
Token: SeLockMemoryPrivilege | 5100 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5100 | msiexec.exe
Token: SeMachineAccountPrivilege | 5100 | msiexec.exe
Token: SeTcbPrivilege | 5100 | msiexec.exe
Token: SeSecurityPrivilege | 5100 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5100 | msiexec.exe
Token: SeLoadDriverPrivilege | 5100 | msiexec.exe
Token: SeSystemProfilePrivilege | 5100 | msiexec.exe
Token: SeSystemtimePrivilege | 5100 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 5100 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 5100 | msiexec.exe
Token: SeCreatePagefilePrivilege | 5100 | msiexec.exe
Token: SeCreatePermanentPrivilege | 5100 | msiexec.exe
Token: SeBackupPrivilege | 5100 | msiexec.exe
Token: SeRestorePrivilege | 5100 | msiexec.exe
Token: SeShutdownPrivilege | 5100 | msiexec.exe
Token: SeDebugPrivilege | 5100 | msiexec.exe
Token: SeAuditPrivilege | 5100 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 5100 | msiexec.exe
Token: SeChangeNotifyPrivilege | 5100 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 5100 | msiexec.exe
Token: SeUndockPrivilege | 5100 | msiexec.exe
Token: SeSyncAgentPrivilege | 5100 | msiexec.exe
Token: SeEnableDelegationPrivilege | 5100 | msiexec.exe
Token: SeManageVolumePrivilege | 5100 | msiexec.exe
Token: SeImpersonatePrivilege | 5100 | msiexec.exe
Token: SeCreateGlobalPrivilege | 5100 | msiexec.exe
Token: SeCreateTokenPrivilege | 5100 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 5100 | msiexec.exe
Token: SeLockMemoryPrivilege | 5100 | msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: msiexec.exe
pid | process
5100 | msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: msiexec.exe
description | pid | process | target process
PID 1080 wrote to memory of 4720 | 1080 | msiexec.exe | MsiExec.exe
PID 1080 wrote to memory of 4720 | 1080 | msiexec.exe | MsiExec.exe
PID 1080 wrote to memory of 4720 | 1080 | msiexec.exe | MsiExec.exe
PID 1080 wrote to memory of 3656 | 1080 | msiexec.exe | MsiExec.exe
PID 1080 wrote to memory of 3656 | 1080 | msiexec.exe | MsiExec.exe
Processes
C:\Windows\system32\msiexec.exe (PID 5100)
  command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\MAXQDA24_Setup (1).msi"
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (PID 1080)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe (PID 4720)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding F594AEB3FA80322BBDFD9824752E8358 C
    - Loads dropped DLL
  C:\Windows\System32\MsiExec.exe (PID 3656)
    command line: C:\Windows\System32\MsiExec.exe -Embedding 394A6353CB74714B79224B86B1FE717F C
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\MSIC1F8.tmp
  Filesize: 202KB
  MD5: d773d9bd091e712df7560f576da53de8
  SHA1: 165cfbdce1811883360112441f7237b287cf0691
  SHA256: e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7
  SHA512: 15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd
C:\Users\Admin\AppData\Local\Temp\MSIC4A9.tmp
  Filesize: 587KB
  MD5: ce7ac188487e8f34523fbf41918af595
  SHA1: 33bc6b7e9593b651d7d840f78882ae214006f221
  SHA256: acb08ddabc50e28f0bdf9624bd69c5fdfe2586e60748758b51b217adcb3587b9
  SHA512: 4aa2b9e0ffc75418b1783ba21cd89dc15296dc468b437265640386f4925121b34755ff79b0e36e96b3ec000d9eaa2aa0a8cf8f1a2b211da80facb240f7d9e0fd
C:\Users\Admin\AppData\Local\Temp\MSIC585.tmp
  Filesize: 501KB
  MD5: b08325894a5ae21a826a8769d3297c79
  SHA1: 39c89db97e374f131ca1f2bb7515a138f89b350e
  SHA256: 68c618afd0e8b238021b390832dde53c02012d5b4991f7b89bde4c5cafcc267c
  SHA512: e71967674f01604ff540760352b79d313746a69b96ff75ea71e11e17a39eb0f4a653c11328f7f93d1a65dec798a08ae013d5700aea5eb567928c90c2cce929f8
C:\Users\Admin\AppData\Local\Temp\MSIC585.tmp
  Filesize: 574KB
  MD5: f0e762666e76825a4a1ce473e5c9f8a0
  SHA1: 0de9b377ef529e7fff42ea5e94887753de8b5a50
  SHA256: b83a357831ac3bde231263a1bdf265808e886a063a1dea61447e3d9163f04794
  SHA512: 41ce43da073bad7c81b8427b4048d89ee51bdcdb4c2f8f6581022f55c188965e7ae1dd7d174e95e66788ebcf291917aaa8db1a17d189cba54620d7ed03121848