09b0960462c757decb32612b95e140c27390ccb72bab34ac21369fae2fa6b69b

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CZSVAFC-35455Ref-EQHXB3116762348.msi
Size

12.9MB
MD5

cbdfd84a4bf8ebcc21d8e67bd864b47a
SHA1

ab77b1611d273a8181a8dc41ff2cd2c6e954ddba
SHA256

84a912201b9552baf9a2958484f46fab11756e6904d45335f89af5809a380860
SHA512

5cb7166ff03b5e99cbd8575383942f6ed3d05f4b058f8a5a5f17b05507f1c701c127d6fee1004d3d32958b6bd6d788e6cc20739395aae49debaabd68a6641bac
SSDEEP

98304:8Q1hjXgH/iPupMJhB/90OiNLwDRizyStZaROUJvR1KmYpaI0:8cjVHiOiNRyWZa8Gv7FA

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e576e0c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F15.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7497.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7747.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7787.tmp	msiexec.exe
File created	C:\Windows\Installer\e576e0c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI736C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7447.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{GCZTUTX8-E5KC-KDC3-QJTD-RY4QJBL434SO}	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
4272	MsiExec.exe
4272	MsiExec.exe
4272	MsiExec.exe
4272	MsiExec.exe
4272	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4604	msiexec.exe
4604	msiexec.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	244	msiexec.exe
Token: SeIncreaseQuotaPrivilege	244	msiexec.exe
Token: SeSecurityPrivilege	4604	msiexec.exe
Token: SeCreateTokenPrivilege	244	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	244	msiexec.exe
Token: SeLockMemoryPrivilege	244	msiexec.exe
Token: SeIncreaseQuotaPrivilege	244	msiexec.exe
Token: SeMachineAccountPrivilege	244	msiexec.exe
Token: SeTcbPrivilege	244	msiexec.exe
Token: SeSecurityPrivilege	244	msiexec.exe
Token: SeTakeOwnershipPrivilege	244	msiexec.exe
Token: SeLoadDriverPrivilege	244	msiexec.exe
Token: SeSystemProfilePrivilege	244	msiexec.exe
Token: SeSystemtimePrivilege	244	msiexec.exe
Token: SeProfSingleProcessPrivilege	244	msiexec.exe
Token: SeIncBasePriorityPrivilege	244	msiexec.exe
Token: SeCreatePagefilePrivilege	244	msiexec.exe
Token: SeCreatePermanentPrivilege	244	msiexec.exe
Token: SeBackupPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	244	msiexec.exe
Token: SeShutdownPrivilege	244	msiexec.exe
Token: SeDebugPrivilege	244	msiexec.exe
Token: SeAuditPrivilege	244	msiexec.exe
Token: SeSystemEnvironmentPrivilege	244	msiexec.exe
Token: SeChangeNotifyPrivilege	244	msiexec.exe
Token: SeRemoteShutdownPrivilege	244	msiexec.exe
Token: SeUndockPrivilege	244	msiexec.exe
Token: SeSyncAgentPrivilege	244	msiexec.exe
Token: SeEnableDelegationPrivilege	244	msiexec.exe
Token: SeManageVolumePrivilege	244	msiexec.exe
Token: SeImpersonatePrivilege	244	msiexec.exe
Token: SeCreateGlobalPrivilege	244	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe
Token: SeRestorePrivilege	4604	msiexec.exe
Token: SeTakeOwnershipPrivilege	4604	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
244	msiexec.exe
244	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4272	MsiExec.exe
4272	MsiExec.exe
4272	MsiExec.exe
4272	MsiExec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4272	4604	msiexec.exe	91
PID 4604 wrote to memory of 4272	4604	msiexec.exe	91
PID 4604 wrote to memory of 4272	4604	msiexec.exe	91

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CZSVAFC-35455Ref-EQHXB3116762348.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:244

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E43DF6A4A6A577117CEF3D88D33205F9
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e576e0f.rbs

Filesize
586B

MD5
f9de92bc9c1563afe0941356f841cf6a

SHA1
d8e49736ae5e220b38c6f4039fc4f54d5e73aacb

SHA256
3b8c66599563c6ad3a765c6442e64e9775e08dce384339681f1117454bf4db15

SHA512
980ef097e719eb0c991ac511d126962f014eb7ea469f7d1787c9f29ef4b6282b29e1335219190b590f6390023c133dd21b64c1ae94ab8b001204475022c38ba2

Download Submit
C:\Windows\Installer\MSI6F15.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI7787.tmp

Filesize
11.8MB

MD5
6b183672a5eaea82a30cb3c8d3329e5a

SHA1
801cc5d6abd0336fe2a840455fbae5500f7255de

SHA256
0be81bc03e2cb957cbaf20e5dd456373800024612096de01cfe0b18a057ffc8b

SHA512
ba6664704abb1d4a1b2d5263de36b013685a90a56b07aba9fd14984f695fe8fcf3fb91a802e8d2bb59dffcc59d312f6d28f2c8302d491526ffe037799b9f8426

Download Submit