Analysis
max time kernel: 452s
max time network: 455s
platform: windows10-2004_x64
resource: win10v2004-20240221-it
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-it, locale:it-it, os:windows10-2004-x64, system, windows
submitted: 22-02-2024 14:27
Static task: static1
Behavioral task: behavioral1
  Sample: 744787985728297732483.msi
  Resource: win7-20240221-it
Behavioral task: behavioral2
  Sample: 744787985728297732483.msi
  Resource: win10v2004-20240221-it
General
Target: 744787985728297732483.msi
Size: 259KB
MD5: 1a8193ca96aa5b7bb8669b388d546a4d
SHA1: 3192083d28e9d143a1ac2552ebc0cbf2b18c5d2b
SHA256: e5fa5e96d60d08c5630323becc33fcea1e73273d4c6d5f900b7a1bcfa0243dbb
SHA512: dc6a4305c2221f9b76a3490aab48d99b42a63d1e7daea6a2e512f57f543ebce3dc1c20ce4b0d7b25ecb8e4516528e1a435983bfae0ebcb225aa902f447c696f5
SSDEEP: 3072:JPwIY993DQY5AXU6ij4qpXqnnDibAJBVkkMcB3RUN46ILJ9+ZB5yOanVE:JoIS3DQY5AXTqp4nwEkrWE
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
flow  pid   Process
6     1960  MsiExec.exe
21    1960  MsiExec.exe
23    1960  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
Drops file in Windows directory (9 IoCs)
description                   ioc                                                                    Process
File opened for modification  C:\Windows\Installer\MSI396F.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\MSI3A89.tmp                                       msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                         msiexec.exe
File created                  C:\Windows\Installer\SourceHash{80AD736B-AE20-44BB-BE81-97A1458FD4D1}  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI3AE8.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\e573921.msi                                       msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log               msiexec.exe
File created                  C:\Windows\Installer\e573921.msi                                       msiexec.exe
File opened for modification  C:\Windows\Installer\                                                  msiexec.exe
Loads dropped DLL (2 IoCs)
pid   Process
1960  MsiExec.exe
1960  MsiExec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4264  msiexec.exe
4264  msiexec.exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
description                           pid   Process
Token: SeShutdownPrivilege            4856  msiexec.exe
Token: SeIncreaseQuotaPrivilege       4856  msiexec.exe
Token: SeSecurityPrivilege            4264  msiexec.exe
Token: SeCreateTokenPrivilege         4856  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  4856  msiexec.exe
Token: SeLockMemoryPrivilege          4856  msiexec.exe
Token: SeIncreaseQuotaPrivilege       4856  msiexec.exe
Token: SeMachineAccountPrivilege      4856  msiexec.exe
Token: SeTcbPrivilege                 4856  msiexec.exe
Token: SeSecurityPrivilege            4856  msiexec.exe
Token: SeTakeOwnershipPrivilege       4856  msiexec.exe
Token: SeLoadDriverPrivilege          4856  msiexec.exe
Token: SeSystemProfilePrivilege       4856  msiexec.exe
Token: SeSystemtimePrivilege          4856  msiexec.exe
Token: SeProfSingleProcessPrivilege   4856  msiexec.exe
Token: SeIncBasePriorityPrivilege     4856  msiexec.exe
Token: SeCreatePagefilePrivilege      4856  msiexec.exe
Token: SeCreatePermanentPrivilege     4856  msiexec.exe
Token: SeBackupPrivilege              4856  msiexec.exe
Token: SeRestorePrivilege             4856  msiexec.exe
Token: SeShutdownPrivilege            4856  msiexec.exe
Token: SeDebugPrivilege               4856  msiexec.exe
Token: SeAuditPrivilege               4856  msiexec.exe
Token: SeSystemEnvironmentPrivilege   4856  msiexec.exe
Token: SeChangeNotifyPrivilege        4856  msiexec.exe
Token: SeRemoteShutdownPrivilege      4856  msiexec.exe
Token: SeUndockPrivilege              4856  msiexec.exe
Token: SeSyncAgentPrivilege           4856  msiexec.exe
Token: SeEnableDelegationPrivilege    4856  msiexec.exe
Token: SeManageVolumePrivilege        4856  msiexec.exe
Token: SeImpersonatePrivilege         4856  msiexec.exe
Token: SeCreateGlobalPrivilege        4856  msiexec.exe
Token: SeRestorePrivilege             4264  msiexec.exe
Token: SeTakeOwnershipPrivilege       4264  msiexec.exe
Token: SeRestorePrivilege             4264  msiexec.exe
Token: SeTakeOwnershipPrivilege       4264  msiexec.exe
Token: SeRestorePrivilege             4264  msiexec.exe
Token: SeTakeOwnershipPrivilege       4264  msiexec.exe
Token: SeRestorePrivilege             4264  msiexec.exe
Token: SeTakeOwnershipPrivilege       4264  msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
4856  msiexec.exe
4856  msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process      procid_target
PID 4264 wrote to memory of 1960   4264  msiexec.exe  88
PID 4264 wrote to memory of 1960   4264  msiexec.exe  88
PID 4264 wrote to memory of 1960   4264  msiexec.exe  88
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\744787985728297732483.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4856

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4264

  C:\Windows\syswow64\MsiExec.exe (child of PID 4264)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 55F8A444A3347B70B6C0EF9DEB1095EB
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID: 1960
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 20KB
MD5: b33f890dfeff4f74a1b2bc422b9f7a7f
SHA1: 5c67c0106e2601ec908ab4fe95c48fb517bc06ba
SHA256: 30e44969b6722467b954876c73d3388d678e4098d22c105e705e292e4d65934e
SHA512: 0841c8bae8d647d4d156b2f275f2d438ef802c034749b8bc4e2424a040f2cd0904d61c39222f2e86373981e3633a9029c425acc72eb3b85334f250369fdedafb

Filesize: 91KB
MD5: 5c5bef05b6f3806106f8f3ce13401cc1
SHA1: 6005fbe17f6e917ac45317552409d7a60976db14
SHA256: f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
SHA512: 97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797