35cee7837f460d9e1141e375af8438e868a9e6b8d923ed2673a980fcadfd4774

Analysis

max time kernel
90s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35cee7837f460d9e1141e375af8438e868a9e6b8d923ed2673a980fcadfd4774.msi
Size

2.4MB
MD5

f97903fac84172871545926d6e553eb9
SHA1

e6e027b77df4823f4ff37656867e8f40d4ebd732
SHA256

35cee7837f460d9e1141e375af8438e868a9e6b8d923ed2673a980fcadfd4774
SHA512

5d82d62399079a10d36f5c32b091592cff640c40f593140138a1c741fbc92c579925186a2dd40820cef9bb04a5a7680486508896e6032caa4909d49a95e3fd75
SSDEEP

49152:zjfedtZKumZrEq4Fb6HXr1iWnYs4ntHurpllQ6aduxtZB6DXDNvu8S:+VKwFnWnwux567DNG8S

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Loads dropped DLL 10 IoCs

pid	Process
3832	MsiExec.exe
3832	MsiExec.exe
3832	MsiExec.exe
3832	MsiExec.exe
3832	MsiExec.exe
3832	MsiExec.exe
3832	MsiExec.exe
3832	MsiExec.exe
3832	MsiExec.exe
3832	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3832	MsiExec.exe
3832	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4112	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4112	msiexec.exe
Token: SeSecurityPrivilege	3492	msiexec.exe
Token: SeCreateTokenPrivilege	4112	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4112	msiexec.exe
Token: SeLockMemoryPrivilege	4112	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4112	msiexec.exe
Token: SeMachineAccountPrivilege	4112	msiexec.exe
Token: SeTcbPrivilege	4112	msiexec.exe
Token: SeSecurityPrivilege	4112	msiexec.exe
Token: SeTakeOwnershipPrivilege	4112	msiexec.exe
Token: SeLoadDriverPrivilege	4112	msiexec.exe
Token: SeSystemProfilePrivilege	4112	msiexec.exe
Token: SeSystemtimePrivilege	4112	msiexec.exe
Token: SeProfSingleProcessPrivilege	4112	msiexec.exe
Token: SeIncBasePriorityPrivilege	4112	msiexec.exe
Token: SeCreatePagefilePrivilege	4112	msiexec.exe
Token: SeCreatePermanentPrivilege	4112	msiexec.exe
Token: SeBackupPrivilege	4112	msiexec.exe
Token: SeRestorePrivilege	4112	msiexec.exe
Token: SeShutdownPrivilege	4112	msiexec.exe
Token: SeDebugPrivilege	4112	msiexec.exe
Token: SeAuditPrivilege	4112	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4112	msiexec.exe
Token: SeChangeNotifyPrivilege	4112	msiexec.exe
Token: SeRemoteShutdownPrivilege	4112	msiexec.exe
Token: SeUndockPrivilege	4112	msiexec.exe
Token: SeSyncAgentPrivilege	4112	msiexec.exe
Token: SeEnableDelegationPrivilege	4112	msiexec.exe
Token: SeManageVolumePrivilege	4112	msiexec.exe
Token: SeImpersonatePrivilege	4112	msiexec.exe
Token: SeCreateGlobalPrivilege	4112	msiexec.exe
Token: SeCreateTokenPrivilege	4112	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4112	msiexec.exe
Token: SeLockMemoryPrivilege	4112	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4112	msiexec.exe
Token: SeMachineAccountPrivilege	4112	msiexec.exe
Token: SeTcbPrivilege	4112	msiexec.exe
Token: SeSecurityPrivilege	4112	msiexec.exe
Token: SeTakeOwnershipPrivilege	4112	msiexec.exe
Token: SeLoadDriverPrivilege	4112	msiexec.exe
Token: SeSystemProfilePrivilege	4112	msiexec.exe
Token: SeSystemtimePrivilege	4112	msiexec.exe
Token: SeProfSingleProcessPrivilege	4112	msiexec.exe
Token: SeIncBasePriorityPrivilege	4112	msiexec.exe
Token: SeCreatePagefilePrivilege	4112	msiexec.exe
Token: SeCreatePermanentPrivilege	4112	msiexec.exe
Token: SeBackupPrivilege	4112	msiexec.exe
Token: SeRestorePrivilege	4112	msiexec.exe
Token: SeShutdownPrivilege	4112	msiexec.exe
Token: SeDebugPrivilege	4112	msiexec.exe
Token: SeAuditPrivilege	4112	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4112	msiexec.exe
Token: SeChangeNotifyPrivilege	4112	msiexec.exe
Token: SeRemoteShutdownPrivilege	4112	msiexec.exe
Token: SeUndockPrivilege	4112	msiexec.exe
Token: SeSyncAgentPrivilege	4112	msiexec.exe
Token: SeEnableDelegationPrivilege	4112	msiexec.exe
Token: SeManageVolumePrivilege	4112	msiexec.exe
Token: SeImpersonatePrivilege	4112	msiexec.exe
Token: SeCreateGlobalPrivilege	4112	msiexec.exe
Token: SeCreateTokenPrivilege	4112	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4112	msiexec.exe
Token: SeLockMemoryPrivilege	4112	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4112	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3832	3492	msiexec.exe	87
PID 3492 wrote to memory of 3832	3492	msiexec.exe	87
PID 3492 wrote to memory of 3832	3492	msiexec.exe	87

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\35cee7837f460d9e1141e375af8438e868a9e6b8d923ed2673a980fcadfd4774.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4112

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A15C6085AE2CFAAB4F43E718EBD53F99 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI567C.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI57C7.tmp

Filesize
417KB

MD5
04f7c8bb49f8df7a8f9be35af75f2efa

SHA1
1562dec8bba7740df956df4fa3b9cbabfd80b844

SHA256
66af83021c36ae286d2d8ff2e79dd5dee281dd0bc3007c696a2fcd2ccc97508b

SHA512
505ce1eb310cc4e4a37be2af325d5679702b7c2a3975c97ac8e62d513f04a76dccbb1eb25de6bfc58947ac5ad11468904af3e3fdcdc3a7638d8b53c4536e834e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI57E7.tmp

Filesize
325KB

MD5
3c6a2c0acaac6db47c2a0b3ad2249c44

SHA1
622132636a69429da17be26eae07a607cfe597b5

SHA256
fc9b1250a4a768f9958f175f6e2160bee2f4ce085fee9b1ca4cf505791192a2a

SHA512
cc05078c7d5085c1fdcc65796e99a3d9447df4c40ee98f36df6407029bf4a006178c087c80e41cb1a133488543d12e81da3e286bb788a91652b9aa76a1ddb585

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI57E7.tmp

Filesize
218KB

MD5
c4af82702c4e2848981b70955e1676d6

SHA1
b313de0181f12239f92e7e7cdfc7736aaa8b15a9

SHA256
f9659fabf35694ba9c0ed387a0c5cef8d11bc36c2880a9566f9c0fb2d18f3bff

SHA512
aabbacab20dd0a860a57bf576eb678579dcbc0fa75fd3d55ad6361f296d892e510c046a7b5e1e7a8f51c265677c54554b3f9ba3579453f591e37fe01a6ca7c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5807.tmp

Filesize
375KB

MD5
34302ed8481f939914b962190c3f0537

SHA1
130b0f1776befce1020d6c1fb17fce0ea4b3fca1

SHA256
27cbaf1f90b3e1e8a0ec3d0033f35d592d5f6981d68e888ed495cc6affd0cb8d

SHA512
2020f89b1474a8a23e8fa14a5c5c19458c5ad6c8320988b903d3cb27dee14099bd8b72aa67ca4b8cd68d37840148acd81d521854d9f097a0cfc397eb75ae3ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5807.tmp

Filesize
259KB

MD5
e44d29f347514fbc5f5cf681d088659b

SHA1
5dd214516afff1cd2a9183162e396d1ac09b83c7

SHA256
3761243014cce05d82fd173128e7fdedc21655710368f62ad5cf10a7cb54d94d

SHA512
cd6c37bd8f20875ecdccf81bd98ed20595cd265850009bc297afbd7813a03939c4b7969417fd901dccd451c2669c414d34aa7e27b33a5a735b9113ec28634bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5837.tmp

Filesize
325KB

MD5
e51a114956aa075940b063f29f9e43f3

SHA1
97a705e28ddaecf0ac33c196109073cff8327add

SHA256
c9970a91c24d603f6e83ae832dc91ab89a7cf128d83348b1e0a116087e155735

SHA512
8f79cf7b0945a49b45c82e6378843a3955a68e51613dfbe4676baf063704b764a6caf9e6f8cebda8b1c9e795d9db7a94b010c3f710fbfb0f0227739ebd5db997

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5837.tmp

Filesize
264KB

MD5
58c04009dc499a7094dbdee7c88d62d5

SHA1
c0c1fe362f0ad831d85e147fc31d3e090153e108

SHA256
ebb95f7e38704ffae02a658e8b634d2e0e3c276814b4e3a927f433c62a62554c

SHA512
a5da5f34a4f69c5fb4129db7aacf3901b51b0bab3f0f34420dbdbab94dda41a998ce0f4dfa3016ae22b1b60c9e634732b9e49c681cf40210e9bad3bd552fcd5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI58F3.tmp

Filesize
897KB

MD5
6189cdcb92ab9ddbffd95facd0b631fa

SHA1
b74c72cefcb5808e2c9ae4ba976fa916ba57190d

SHA256
519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783

SHA512
ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

Download Submit