75fb4eb817f922245e1efb31e4209363693da76993b30466e4059b50ab1e80be

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7f61bcdad06be4d2f14d67f428765cd.msi
Size

8.0MB
MD5

c7f61bcdad06be4d2f14d67f428765cd
SHA1

ee4b725f594c985697692ee73be4630f0319bf3b
SHA256

75fb4eb817f922245e1efb31e4209363693da76993b30466e4059b50ab1e80be
SHA512

d2e688c27283c185da386923b964ec723be2a6d247a69c1213bc7f81ddc90c806f4cdb63b93fe8f9bdaf01b7e7284e989b4384895cd6a6872f12c6c41bdf90b4
SSDEEP

98304:qOYaA5EMVUi/7N7t8w+L0787OqOVHnEGVA74cHwKe:q1Bp8z7KP+

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f75fec9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f75fec9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f75fecc.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF26.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFB4.tmp	msiexec.exe
File created	C:\Windows\Installer\f75fecc.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE.tmp	msiexec.exe

Loads dropped DLL 3 IoCs

pid	Process
2540	MsiExec.exe
2540	MsiExec.exe
2540	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2568	msiexec.exe
2568	msiexec.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2916	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeSecurityPrivilege	2568	msiexec.exe
Token: SeCreateTokenPrivilege	2916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2916	msiexec.exe
Token: SeLockMemoryPrivilege	2916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2916	msiexec.exe
Token: SeMachineAccountPrivilege	2916	msiexec.exe
Token: SeTcbPrivilege	2916	msiexec.exe
Token: SeSecurityPrivilege	2916	msiexec.exe
Token: SeTakeOwnershipPrivilege	2916	msiexec.exe
Token: SeLoadDriverPrivilege	2916	msiexec.exe
Token: SeSystemProfilePrivilege	2916	msiexec.exe
Token: SeSystemtimePrivilege	2916	msiexec.exe
Token: SeProfSingleProcessPrivilege	2916	msiexec.exe
Token: SeIncBasePriorityPrivilege	2916	msiexec.exe
Token: SeCreatePagefilePrivilege	2916	msiexec.exe
Token: SeCreatePermanentPrivilege	2916	msiexec.exe
Token: SeBackupPrivilege	2916	msiexec.exe
Token: SeRestorePrivilege	2916	msiexec.exe
Token: SeShutdownPrivilege	2916	msiexec.exe
Token: SeDebugPrivilege	2916	msiexec.exe
Token: SeAuditPrivilege	2916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2916	msiexec.exe
Token: SeChangeNotifyPrivilege	2916	msiexec.exe
Token: SeRemoteShutdownPrivilege	2916	msiexec.exe
Token: SeUndockPrivilege	2916	msiexec.exe
Token: SeSyncAgentPrivilege	2916	msiexec.exe
Token: SeEnableDelegationPrivilege	2916	msiexec.exe
Token: SeManageVolumePrivilege	2916	msiexec.exe
Token: SeImpersonatePrivilege	2916	msiexec.exe
Token: SeCreateGlobalPrivilege	2916	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2916	msiexec.exe
2916	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2540	2568	msiexec.exe	29
PID 2568 wrote to memory of 2540	2568	msiexec.exe	29
PID 2568 wrote to memory of 2540	2568	msiexec.exe	29
PID 2568 wrote to memory of 2540	2568	msiexec.exe	29
PID 2568 wrote to memory of 2540	2568	msiexec.exe	29
PID 2568 wrote to memory of 2540	2568	msiexec.exe	29
PID 2568 wrote to memory of 2540	2568	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c7f61bcdad06be4d2f14d67f428765cd.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C57D0A1C1F329D44EDE81209FCE0EEB
  2⤵
  - Loads dropped DLL
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f75fecd.rbs

Filesize
720B

MD5
627d68567c4daeb93a5332785585a7cb

SHA1
dc4aa13f73b1c905971e43ba787585aa32250431

SHA256
451b1357cba5116db332b1916f69ecc4a968fdabf967f686e99d7ab8f384b31a

SHA512
2431cbb03d824edc7d717eac9eaee79ff2b24533752019ad8e022931e4b886def7c35aa846049cfa1e93702c4df2ff8309f73fcb14cd62862e27797fa31684e3

Download Submit
C:\Windows\Installer\MSIDE.tmp

Filesize
7.7MB

MD5
3bcad32dbb1b865476c1f86da4044100

SHA1
20df7a47826a8b21d0d3bad464c6b90055800972

SHA256
f0916585db46a13b63e0b564a5558d3534d46e6423a2c53792837f431439d763

SHA512
6600f6b03f30d8d2ade51d15ace3f1d97c2cfaaa752a2ea4682b12512ff517595a0b96d1dd017f0a9e51967b71fdfe176b576557c3d39fe0ce12cf37ca2113d1

Download Submit
C:\Windows\Installer\MSIFF26.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
memory/2540-13-0x0000000002860000-0x0000000003028000-memory.dmp

Filesize
7.8MB

Download
memory/2540-15-0x0000000002860000-0x0000000003028000-memory.dmp

Filesize
7.8MB

Download