09b0960462c757decb32612b95e140c27390ccb72bab34ac21369fae2fa6b69b

Analysis

max time kernel
122s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CZSVAFC-35455Ref-EQHXB3116762348.msi
Size

12.9MB
MD5

cbdfd84a4bf8ebcc21d8e67bd864b47a
SHA1

ab77b1611d273a8181a8dc41ff2cd2c6e954ddba
SHA256

84a912201b9552baf9a2958484f46fab11756e6904d45335f89af5809a380860
SHA512

5cb7166ff03b5e99cbd8575383942f6ed3d05f4b058f8a5a5f17b05507f1c701c127d6fee1004d3d32958b6bd6d788e6cc20739395aae49debaabd68a6641bac
SSDEEP

98304:8Q1hjXgH/iPupMJhB/90OiNLwDRizyStZaROUJvR1KmYpaI0:8cjVHiOiNRyWZa8Gv7FA

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC026.tmp	msiexec.exe
File created	C:\Windows\Installer\f76bd3a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEAFE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD95.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB3E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76bd3a.ipi	msiexec.exe
File created	C:\Windows\Installer\f76bd37.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76bd37.msi	msiexec.exe

Loads dropped DLL 4 IoCs

pid	Process
2548	MsiExec.exe
2548	MsiExec.exe
2548	MsiExec.exe
2548	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2536	msiexec.exe
2536	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2740	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2740	msiexec.exe
Token: SeRestorePrivilege	2536	msiexec.exe
Token: SeTakeOwnershipPrivilege	2536	msiexec.exe
Token: SeSecurityPrivilege	2536	msiexec.exe
Token: SeCreateTokenPrivilege	2740	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2740	msiexec.exe
Token: SeLockMemoryPrivilege	2740	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2740	msiexec.exe
Token: SeMachineAccountPrivilege	2740	msiexec.exe
Token: SeTcbPrivilege	2740	msiexec.exe
Token: SeSecurityPrivilege	2740	msiexec.exe
Token: SeTakeOwnershipPrivilege	2740	msiexec.exe
Token: SeLoadDriverPrivilege	2740	msiexec.exe
Token: SeSystemProfilePrivilege	2740	msiexec.exe
Token: SeSystemtimePrivilege	2740	msiexec.exe
Token: SeProfSingleProcessPrivilege	2740	msiexec.exe
Token: SeIncBasePriorityPrivilege	2740	msiexec.exe
Token: SeCreatePagefilePrivilege	2740	msiexec.exe
Token: SeCreatePermanentPrivilege	2740	msiexec.exe
Token: SeBackupPrivilege	2740	msiexec.exe
Token: SeRestorePrivilege	2740	msiexec.exe
Token: SeShutdownPrivilege	2740	msiexec.exe
Token: SeDebugPrivilege	2740	msiexec.exe
Token: SeAuditPrivilege	2740	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2740	msiexec.exe
Token: SeChangeNotifyPrivilege	2740	msiexec.exe
Token: SeRemoteShutdownPrivilege	2740	msiexec.exe
Token: SeUndockPrivilege	2740	msiexec.exe
Token: SeSyncAgentPrivilege	2740	msiexec.exe
Token: SeEnableDelegationPrivilege	2740	msiexec.exe
Token: SeManageVolumePrivilege	2740	msiexec.exe
Token: SeImpersonatePrivilege	2740	msiexec.exe
Token: SeCreateGlobalPrivilege	2740	msiexec.exe
Token: SeRestorePrivilege	2536	msiexec.exe
Token: SeTakeOwnershipPrivilege	2536	msiexec.exe
Token: SeRestorePrivilege	2536	msiexec.exe
Token: SeTakeOwnershipPrivilege	2536	msiexec.exe
Token: SeRestorePrivilege	2536	msiexec.exe
Token: SeTakeOwnershipPrivilege	2536	msiexec.exe
Token: SeRestorePrivilege	2536	msiexec.exe
Token: SeTakeOwnershipPrivilege	2536	msiexec.exe
Token: SeRestorePrivilege	2536	msiexec.exe
Token: SeTakeOwnershipPrivilege	2536	msiexec.exe
Token: SeRestorePrivilege	2536	msiexec.exe
Token: SeTakeOwnershipPrivilege	2536	msiexec.exe
Token: SeRestorePrivilege	2536	msiexec.exe
Token: SeTakeOwnershipPrivilege	2536	msiexec.exe
Token: SeRestorePrivilege	2536	msiexec.exe
Token: SeTakeOwnershipPrivilege	2536	msiexec.exe
Token: SeRestorePrivilege	2536	msiexec.exe
Token: SeTakeOwnershipPrivilege	2536	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2740	msiexec.exe
2740	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2548	MsiExec.exe
2548	MsiExec.exe
2548	MsiExec.exe
2548	MsiExec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2548	2536	msiexec.exe	28
PID 2536 wrote to memory of 2548	2536	msiexec.exe	28
PID 2536 wrote to memory of 2548	2536	msiexec.exe	28
PID 2536 wrote to memory of 2548	2536	msiexec.exe	28
PID 2536 wrote to memory of 2548	2536	msiexec.exe	28
PID 2536 wrote to memory of 2548	2536	msiexec.exe	28
PID 2536 wrote to memory of 2548	2536	msiexec.exe	28

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CZSVAFC-35455Ref-EQHXB3116762348.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 99B286D4D0DE27C4E9A50347BF2022DC
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76bd3b.rbs

Filesize
586B

MD5
f807f2a35439c0c6b4405d47c361d61e

SHA1
83e2232974b9011145350ee5c0f37b7ceab10c94

SHA256
71e5077c59568e1ceb97e7513c305e9b4148df8f655303c809e7f545c2f9a105

SHA512
53dead2f3b95d2bd6f5bdffecb2ca75c1400010d600f1d3a0812e3aa2a2aa1f76b83ccfab2f45c1142e29c29daf1097350dfe42c3d3f20a468b2edd295192511

Download Submit
C:\Windows\Installer\MSIBD95.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSIEB3E.tmp

Filesize
11.8MB

MD5
6b183672a5eaea82a30cb3c8d3329e5a

SHA1
801cc5d6abd0336fe2a840455fbae5500f7255de

SHA256
0be81bc03e2cb957cbaf20e5dd456373800024612096de01cfe0b18a057ffc8b

SHA512
ba6664704abb1d4a1b2d5263de36b013685a90a56b07aba9fd14984f695fe8fcf3fb91a802e8d2bb59dffcc59d312f6d28f2c8302d491526ffe037799b9f8426

Download Submit