Overview
overview
7Static
static
3InstMsiA.exe
windows7-x64
7InstMsiA.exe
windows10-2004-x64
7InstMsiW.exe
windows7-x64
7InstMsiW.exe
windows10-2004-x64
7MSIcn.msi
windows7-x64
6MSIcn.msi
windows10-2004-x64
6MSIen.msi
windows7-x64
6MSIen.msi
windows10-2004-x64
6MSIfr.msi
windows7-x64
6MSIfr.msi
windows10-2004-x64
6MSIge.msi
windows7-x64
6MSIge.msi
windows10-2004-x64
6MSIit.msi
windows7-x64
6MSIit.msi
windows10-2004-x64
6MSIjp.msi
windows7-x64
6MSIjp.msi
windows10-2004-x64
6MSIko.msi
windows7-x64
6MSIko.msi
windows10-2004-x64
6MSIsp.msi
windows7-x64
6MSIsp.msi
windows10-2004-x64
6MSItw.msi
windows7-x64
6MSItw.msi
windows10-2004-x64
6_0200BEB4E...2D.dll
windows7-x64
1_0200BEB4E...2D.dll
windows10-2004-x64
1_07F57D9CE...47.exe
windows7-x64
1_07F57D9CE...47.exe
windows10-2004-x64
1_1B4DC5A2E...9B.dll
windows7-x64
1_1B4DC5A2E...9B.dll
windows10-2004-x64
1_2797A4C85...0E.exe
windows7-x64
1_2797A4C85...0E.exe
windows10-2004-x64
1_29F1BB284...4.html
windows7-x64
1_29F1BB284...4.html
windows10-2004-x64
1Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29/02/2024, 02:45
Static task
static1
Behavioral task
behavioral1
Sample
InstMsiA.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
InstMsiA.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
InstMsiW.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
InstMsiW.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
MSIcn.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
MSIcn.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
MSIen.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
MSIen.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
MSIfr.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
MSIfr.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
MSIge.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
MSIge.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
MSIit.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
MSIit.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
MSIjp.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
MSIjp.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
MSIko.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
MSIko.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
MSIsp.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
MSIsp.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
MSItw.msi
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
MSItw.msi
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
_0200BEB4EFB34AC8AF68134E35F0622D.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
_0200BEB4EFB34AC8AF68134E35F0622D.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
_07F57D9CEFDA42F78AFA5E0E12E5A347.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
_07F57D9CEFDA42F78AFA5E0E12E5A347.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
_1B4DC5A2E06842A2AF67D90F083EA79B.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
_1B4DC5A2E06842A2AF67D90F083EA79B.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
_2797A4C85C6646FB9F5D7699281AD20E.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral30
Sample
_2797A4C85C6646FB9F5D7699281AD20E.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
_29F1BB2847B84F499F5F20825A00ABC4.html
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
_29F1BB2847B84F499F5F20825A00ABC4.html
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
MSIfr.msi
-
Size
137KB
-
MD5
315ef3953101e77d99f3394dbcd96e10
-
SHA1
b1a941715c6f717949626f89f7198e4fe71c87b5
-
SHA256
8196434bd037073738258442f9147eea048273d5878e78896ce2d1c0b280c1df
-
SHA512
c964341e0c8ac1f72913abe8ee71f1c3ec8d3201dc694480f61ad7a537a08373737a466b0145ba0b830ce3ebe07aba831a82eb022b992ef83096ad0d1c1f1343
-
SSDEEP
1536:iWFtC7FSUHlXAcKlTnZIBxIQJKqECeLtvIBPme73tFpzOGQaIhQQhqLh0QQhQQhq:DCZXtKlO0CzEC0wBPme79Fp
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeShutdownPrivilege 4748 msiexec.exe Token: SeIncreaseQuotaPrivilege 4748 msiexec.exe Token: SeSecurityPrivilege 1400 msiexec.exe Token: SeCreateTokenPrivilege 4748 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4748 msiexec.exe Token: SeLockMemoryPrivilege 4748 msiexec.exe Token: SeIncreaseQuotaPrivilege 4748 msiexec.exe Token: SeMachineAccountPrivilege 4748 msiexec.exe Token: SeTcbPrivilege 4748 msiexec.exe Token: SeSecurityPrivilege 4748 msiexec.exe Token: SeTakeOwnershipPrivilege 4748 msiexec.exe Token: SeLoadDriverPrivilege 4748 msiexec.exe Token: SeSystemProfilePrivilege 4748 msiexec.exe Token: SeSystemtimePrivilege 4748 msiexec.exe Token: SeProfSingleProcessPrivilege 4748 msiexec.exe Token: SeIncBasePriorityPrivilege 4748 msiexec.exe Token: SeCreatePagefilePrivilege 4748 msiexec.exe Token: SeCreatePermanentPrivilege 4748 msiexec.exe Token: SeBackupPrivilege 4748 msiexec.exe Token: SeRestorePrivilege 4748 msiexec.exe Token: SeShutdownPrivilege 4748 msiexec.exe Token: SeDebugPrivilege 4748 msiexec.exe Token: SeAuditPrivilege 4748 msiexec.exe Token: SeSystemEnvironmentPrivilege 4748 msiexec.exe Token: SeChangeNotifyPrivilege 4748 msiexec.exe Token: SeRemoteShutdownPrivilege 4748 msiexec.exe Token: SeUndockPrivilege 4748 msiexec.exe Token: SeSyncAgentPrivilege 4748 msiexec.exe Token: SeEnableDelegationPrivilege 4748 msiexec.exe Token: SeManageVolumePrivilege 4748 msiexec.exe Token: SeImpersonatePrivilege 4748 msiexec.exe Token: SeCreateGlobalPrivilege 4748 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4748 msiexec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MSIfr.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4748
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵PID:4472