73e0dd261d9f034b53907d259188280c4ca08e99f4086bf2fd6ff05c52986dff

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c736e9da1a17431c6099f7e61fec3dcb0ee1efa4a11d31b62c0bff015b721a2c.msi
Size

5.7MB
MD5

b5d67962ab77e978bd00e0173b9ab672
SHA1

e246bda11be964146218ff8ae4a4ad520bf7af60
SHA256

c736e9da1a17431c6099f7e61fec3dcb0ee1efa4a11d31b62c0bff015b721a2c
SHA512

ad425ccd435a72a2309e6762f949055f9d1af640342a2236a23ec84a1290c3e3c67319a79b8ec8c3d73cb3ea82f2ada6d2e4d725b92bf9bfb75f2aa0e6aa44c5
SSDEEP

98304:X8QWZVxvBoijLxS84kNsTF00SbSW2A18xerFsSivzwhP840O41/xBsUU:PWPxZooNB7WF00qSW2o8xer6Si8hZ0Ok

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2504	msiexec.exe
5	2504	msiexec.exe
7	2504	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Loads dropped DLL 9 IoCs

pid	Process
2880	MsiExec.exe
2880	MsiExec.exe
2880	MsiExec.exe
2880	MsiExec.exe
2880	MsiExec.exe
2880	MsiExec.exe
2880	MsiExec.exe
2880	MsiExec.exe
2880	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeSecurityPrivilege	2476	msiexec.exe
Token: SeCreateTokenPrivilege	2504	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2504	msiexec.exe
Token: SeLockMemoryPrivilege	2504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2504	msiexec.exe
Token: SeMachineAccountPrivilege	2504	msiexec.exe
Token: SeTcbPrivilege	2504	msiexec.exe
Token: SeSecurityPrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeLoadDriverPrivilege	2504	msiexec.exe
Token: SeSystemProfilePrivilege	2504	msiexec.exe
Token: SeSystemtimePrivilege	2504	msiexec.exe
Token: SeProfSingleProcessPrivilege	2504	msiexec.exe
Token: SeIncBasePriorityPrivilege	2504	msiexec.exe
Token: SeCreatePagefilePrivilege	2504	msiexec.exe
Token: SeCreatePermanentPrivilege	2504	msiexec.exe
Token: SeBackupPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeShutdownPrivilege	2504	msiexec.exe
Token: SeDebugPrivilege	2504	msiexec.exe
Token: SeAuditPrivilege	2504	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2504	msiexec.exe
Token: SeChangeNotifyPrivilege	2504	msiexec.exe
Token: SeRemoteShutdownPrivilege	2504	msiexec.exe
Token: SeUndockPrivilege	2504	msiexec.exe
Token: SeSyncAgentPrivilege	2504	msiexec.exe
Token: SeEnableDelegationPrivilege	2504	msiexec.exe
Token: SeManageVolumePrivilege	2504	msiexec.exe
Token: SeImpersonatePrivilege	2504	msiexec.exe
Token: SeCreateGlobalPrivilege	2504	msiexec.exe
Token: SeCreateTokenPrivilege	2504	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2504	msiexec.exe
Token: SeLockMemoryPrivilege	2504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2504	msiexec.exe
Token: SeMachineAccountPrivilege	2504	msiexec.exe
Token: SeTcbPrivilege	2504	msiexec.exe
Token: SeSecurityPrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeLoadDriverPrivilege	2504	msiexec.exe
Token: SeSystemProfilePrivilege	2504	msiexec.exe
Token: SeSystemtimePrivilege	2504	msiexec.exe
Token: SeProfSingleProcessPrivilege	2504	msiexec.exe
Token: SeIncBasePriorityPrivilege	2504	msiexec.exe
Token: SeCreatePagefilePrivilege	2504	msiexec.exe
Token: SeCreatePermanentPrivilege	2504	msiexec.exe
Token: SeBackupPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeShutdownPrivilege	2504	msiexec.exe
Token: SeDebugPrivilege	2504	msiexec.exe
Token: SeAuditPrivilege	2504	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2504	msiexec.exe
Token: SeChangeNotifyPrivilege	2504	msiexec.exe
Token: SeRemoteShutdownPrivilege	2504	msiexec.exe
Token: SeUndockPrivilege	2504	msiexec.exe
Token: SeSyncAgentPrivilege	2504	msiexec.exe
Token: SeEnableDelegationPrivilege	2504	msiexec.exe
Token: SeManageVolumePrivilege	2504	msiexec.exe
Token: SeImpersonatePrivilege	2504	msiexec.exe
Token: SeCreateGlobalPrivilege	2504	msiexec.exe
Token: SeCreateTokenPrivilege	2504	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2504	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2880	2476	msiexec.exe	29
PID 2476 wrote to memory of 2880	2476	msiexec.exe	29
PID 2476 wrote to memory of 2880	2476	msiexec.exe	29
PID 2476 wrote to memory of 2880	2476	msiexec.exe	29
PID 2476 wrote to memory of 2880	2476	msiexec.exe	29
PID 2476 wrote to memory of 2880	2476	msiexec.exe	29
PID 2476 wrote to memory of 2880	2476	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c736e9da1a17431c6099f7e61fec3dcb0ee1efa4a11d31b62c0bff015b721a2c.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2504

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7DF18105C9543C4D853459AA2231DF03 U
  2⤵
  - Loads dropped DLL
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab955F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI29959\WixSharp.UI.CA.dll

Filesize
457KB

MD5
cf0fa2cd20e7ea065d62d2c28a8d47ec

SHA1
ede6528feed5be6987d7f9cdcbc0ddf2b5720b58

SHA256
84344f6aa863afa1df15c4e969dc5e6158609f270dc92ef69001d61b77170308

SHA512
5f7aace164ce6ab312b55c83abbdf5a7f2440dee8daa1e8dceb28748c19a2c5692352d7e15ea3b4ffe36dc8f3e5a2b145c971873a6d57dcda5e079af428aea51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar95CF.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9895.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
\Users\Admin\AppData\Local\Temp\MSI29959\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
\Users\Admin\AppData\Local\Temp\MSI29959\WixSharp.UI.dll

Filesize
234KB

MD5
ed059042de45f7f67c66930b2dd2b2f0

SHA1
19c8230807a2e6b3e3301ea981ed2a14ca4830c6

SHA256
486bccc1ae0995ca6cd53352fa81dd3fb122b4ad5c59e7b2d1514a820b09cbde

SHA512
d5bdf7bde352eea90bfe266fb8baa0877dfe83388a4f3e43880788e2a067580bd17d8cf9673d042e5dd7510567701d38cf0344dd8c6db57c0d67b0deeba204c1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI29959\WixSharp.dll

Filesize
364KB

MD5
d602548c03ae9d7e3aff54043de98c0b

SHA1
b9159c2b7c940eb1f1fe7742f43650d25c27ca7f

SHA256
e1a73519c3f6dd962371edd68d4d7c85464c711c5503272aa85cdc00ca5a1890

SHA512
8fdb5bdd66582943cc34f7d3aa8629b534907d982237a88721dad1a1f79dc7ccefab689782795c2f73846507abfa364bb4034879c22f6e9cda603a5ef0f7335e

Download Submit
\Users\Admin\AppData\Local\Temp\MSI29959\WixSharpSetup.exe

Filesize
79KB

MD5
6c1cc306f2b4b5f8353f03a4455efa76

SHA1
c5d81064bce0d5ed8b2dab7f557c4ad7c4a1c3d7

SHA256
2eff450b8ae3894e21b5cb7dc343f4c4fe084868daaff30d6465756b2ad7ca78

SHA512
1b68abb1f67299db64a848b50e1947d25f355d5ce68a687c4df4590d895a64c00376b48712db3fd20c75281b99d5d1c76eaf054faed9a891d6e1a619d5703f97

Download Submit
memory/2880-94-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2880-93-0x00000000009E0000-0x0000000000A0E000-memory.dmp

Filesize
184KB

Download
memory/2880-98-0x0000000000ED0000-0x0000000000F12000-memory.dmp

Filesize
264KB

Download
memory/2880-102-0x00000000047C0000-0x0000000004822000-memory.dmp

Filesize
392KB

Download
memory/2880-106-0x0000000000A90000-0x0000000000AA8000-memory.dmp

Filesize
96KB

Download
memory/2880-111-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2880-112-0x0000000005610000-0x0000000005710000-memory.dmp

Filesize
1024KB

Download
memory/2880-113-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2880-114-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2880-115-0x0000000005610000-0x0000000005710000-memory.dmp

Filesize
1024KB

Download