fdd43450dd4fbb4401851aa82f46b392e2e6d721a456db2eedafe566de6d7c7f

General

Target

fdd43450dd4fbb4401851aa82f46b392e2e6d721a456db2eedafe566de6d7c7f.msi
Size

119.6MB
MD5

762693a76e48c511441139a32e1b0afe
SHA1

3d8bac6a67b71d52f4a2bf547e7140297fa61dc9
SHA256

fdd43450dd4fbb4401851aa82f46b392e2e6d721a456db2eedafe566de6d7c7f
SHA512

48d4a6c039392534f021d45e6fdca287270599ef985555add06a8b3e12cd6279d9a01b33355e87bf794561741dca585302ef70fa5ebca0a9cdfbf2bb76ada4a4
SSDEEP

3145728:n57bFe0N9sOVo+N+/k++ODv87wtE1ODuaoIZ4DwiuJou:n15yOVoiyk9Qv8MtIQuaL4Dwz

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

5024 MsiExec.exe
5024 MsiExec.exe

pid	process
5024	MsiExec.exe
5024	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4488	msiexec.exe
Token: SeSecurityPrivilege	2712	msiexec.exe
Token: SeCreateTokenPrivilege	4488	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4488	msiexec.exe
Token: SeLockMemoryPrivilege	4488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4488	msiexec.exe
Token: SeMachineAccountPrivilege	4488	msiexec.exe
Token: SeTcbPrivilege	4488	msiexec.exe
Token: SeSecurityPrivilege	4488	msiexec.exe
Token: SeTakeOwnershipPrivilege	4488	msiexec.exe
Token: SeLoadDriverPrivilege	4488	msiexec.exe
Token: SeSystemProfilePrivilege	4488	msiexec.exe
Token: SeSystemtimePrivilege	4488	msiexec.exe
Token: SeProfSingleProcessPrivilege	4488	msiexec.exe
Token: SeIncBasePriorityPrivilege	4488	msiexec.exe
Token: SeCreatePagefilePrivilege	4488	msiexec.exe
Token: SeCreatePermanentPrivilege	4488	msiexec.exe
Token: SeBackupPrivilege	4488	msiexec.exe
Token: SeRestorePrivilege	4488	msiexec.exe
Token: SeShutdownPrivilege	4488	msiexec.exe
Token: SeDebugPrivilege	4488	msiexec.exe
Token: SeAuditPrivilege	4488	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4488	msiexec.exe
Token: SeChangeNotifyPrivilege	4488	msiexec.exe
Token: SeRemoteShutdownPrivilege	4488	msiexec.exe
Token: SeUndockPrivilege	4488	msiexec.exe
Token: SeSyncAgentPrivilege	4488	msiexec.exe
Token: SeEnableDelegationPrivilege	4488	msiexec.exe
Token: SeManageVolumePrivilege	4488	msiexec.exe
Token: SeImpersonatePrivilege	4488	msiexec.exe
Token: SeCreateGlobalPrivilege	4488	msiexec.exe
Token: SeCreateTokenPrivilege	4488	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4488	msiexec.exe
Token: SeLockMemoryPrivilege	4488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4488	msiexec.exe
Token: SeMachineAccountPrivilege	4488	msiexec.exe
Token: SeTcbPrivilege	4488	msiexec.exe
Token: SeSecurityPrivilege	4488	msiexec.exe
Token: SeTakeOwnershipPrivilege	4488	msiexec.exe
Token: SeLoadDriverPrivilege	4488	msiexec.exe
Token: SeSystemProfilePrivilege	4488	msiexec.exe
Token: SeSystemtimePrivilege	4488	msiexec.exe
Token: SeProfSingleProcessPrivilege	4488	msiexec.exe
Token: SeIncBasePriorityPrivilege	4488	msiexec.exe
Token: SeCreatePagefilePrivilege	4488	msiexec.exe
Token: SeCreatePermanentPrivilege	4488	msiexec.exe
Token: SeBackupPrivilege	4488	msiexec.exe
Token: SeRestorePrivilege	4488	msiexec.exe
Token: SeShutdownPrivilege	4488	msiexec.exe
Token: SeDebugPrivilege	4488	msiexec.exe
Token: SeAuditPrivilege	4488	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4488	msiexec.exe
Token: SeChangeNotifyPrivilege	4488	msiexec.exe
Token: SeRemoteShutdownPrivilege	4488	msiexec.exe
Token: SeUndockPrivilege	4488	msiexec.exe
Token: SeSyncAgentPrivilege	4488	msiexec.exe
Token: SeEnableDelegationPrivilege	4488	msiexec.exe
Token: SeManageVolumePrivilege	4488	msiexec.exe
Token: SeImpersonatePrivilege	4488	msiexec.exe
Token: SeCreateGlobalPrivilege	4488	msiexec.exe
Token: SeCreateTokenPrivilege	4488	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4488	msiexec.exe
Token: SeLockMemoryPrivilege	4488	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

4488 msiexec.exe

pid	process
4488	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2712 wrote to memory of 5024	2712	msiexec.exe	MsiExec.exe
PID 2712 wrote to memory of 5024	2712	msiexec.exe	MsiExec.exe
PID 2712 wrote to memory of 5024	2712	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fdd43450dd4fbb4401851aa82f46b392e2e6d721a456db2eedafe566de6d7c7f.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DCF830786BD015699217AA3416FA4079 C
2⤵
- Loads dropped DLL
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI4258.tmp

Filesize
325KB

MD5
f048cf239cc583f8433634acf23cae55

SHA1
7d3a296a05267855cc637c5bf95fe687b7a765a2

SHA256
4d6efad25f62f4c34998385819e46569869b09de4d8b3f1e22dc9e8f032ed3bb

SHA512
a021d559150338ef823b8749d95ac262ec13d9c9ed80d2d0d67e0d7690ae61713219a5edf88d83832ad673f0d7a1d306b49af4f07020c98bac2cfb006bcf0c53

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads