75fb4eb817f922245e1efb31e4209363693da76993b30466e4059b50ab1e80be

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7f61bcdad06be4d2f14d67f428765cd.msi
Size

8.0MB
MD5

c7f61bcdad06be4d2f14d67f428765cd
SHA1

ee4b725f594c985697692ee73be4630f0319bf3b
SHA256

75fb4eb817f922245e1efb31e4209363693da76993b30466e4059b50ab1e80be
SHA512

d2e688c27283c185da386923b964ec723be2a6d247a69c1213bc7f81ddc90c806f4cdb63b93fe8f9bdaf01b7e7284e989b4384895cd6a6872f12c6c41bdf90b4
SSDEEP

98304:qOYaA5EMVUi/7N7t8w+L0787OqOVHnEGVA74cHwKe:q1Bp8z7KP+

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6572.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66EA.tmp	msiexec.exe
File created	C:\Windows\Installer\e575b5e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e575b5e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C2A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B9336F0D-359B-45BE-BF2A-8661F790585D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66FA.tmp	msiexec.exe

Loads dropped DLL 4 IoCs

pid	Process
4300	MsiExec.exe
4300	MsiExec.exe
4300	MsiExec.exe
4300	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1688	msiexec.exe
1688	msiexec.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3196	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3196	msiexec.exe
Token: SeSecurityPrivilege	1688	msiexec.exe
Token: SeCreateTokenPrivilege	3196	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3196	msiexec.exe
Token: SeLockMemoryPrivilege	3196	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3196	msiexec.exe
Token: SeMachineAccountPrivilege	3196	msiexec.exe
Token: SeTcbPrivilege	3196	msiexec.exe
Token: SeSecurityPrivilege	3196	msiexec.exe
Token: SeTakeOwnershipPrivilege	3196	msiexec.exe
Token: SeLoadDriverPrivilege	3196	msiexec.exe
Token: SeSystemProfilePrivilege	3196	msiexec.exe
Token: SeSystemtimePrivilege	3196	msiexec.exe
Token: SeProfSingleProcessPrivilege	3196	msiexec.exe
Token: SeIncBasePriorityPrivilege	3196	msiexec.exe
Token: SeCreatePagefilePrivilege	3196	msiexec.exe
Token: SeCreatePermanentPrivilege	3196	msiexec.exe
Token: SeBackupPrivilege	3196	msiexec.exe
Token: SeRestorePrivilege	3196	msiexec.exe
Token: SeShutdownPrivilege	3196	msiexec.exe
Token: SeDebugPrivilege	3196	msiexec.exe
Token: SeAuditPrivilege	3196	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3196	msiexec.exe
Token: SeChangeNotifyPrivilege	3196	msiexec.exe
Token: SeRemoteShutdownPrivilege	3196	msiexec.exe
Token: SeUndockPrivilege	3196	msiexec.exe
Token: SeSyncAgentPrivilege	3196	msiexec.exe
Token: SeEnableDelegationPrivilege	3196	msiexec.exe
Token: SeManageVolumePrivilege	3196	msiexec.exe
Token: SeImpersonatePrivilege	3196	msiexec.exe
Token: SeCreateGlobalPrivilege	3196	msiexec.exe
Token: SeRestorePrivilege	1688	msiexec.exe
Token: SeTakeOwnershipPrivilege	1688	msiexec.exe
Token: SeRestorePrivilege	1688	msiexec.exe
Token: SeTakeOwnershipPrivilege	1688	msiexec.exe
Token: SeRestorePrivilege	1688	msiexec.exe
Token: SeTakeOwnershipPrivilege	1688	msiexec.exe
Token: SeRestorePrivilege	1688	msiexec.exe
Token: SeTakeOwnershipPrivilege	1688	msiexec.exe
Token: SeRestorePrivilege	1688	msiexec.exe
Token: SeTakeOwnershipPrivilege	1688	msiexec.exe
Token: SeRestorePrivilege	1688	msiexec.exe
Token: SeTakeOwnershipPrivilege	1688	msiexec.exe
Token: SeRestorePrivilege	1688	msiexec.exe
Token: SeTakeOwnershipPrivilege	1688	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3196	msiexec.exe
3196	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 4300	1688	msiexec.exe	96
PID 1688 wrote to memory of 4300	1688	msiexec.exe	96
PID 1688 wrote to memory of 4300	1688	msiexec.exe	96

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c7f61bcdad06be4d2f14d67f428765cd.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3196

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8C90404B794EB6D4F0012142719433C7
  2⤵
  - Loads dropped DLL
  PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e575b61.rbs

Filesize
720B

MD5
42d00255e89602cfdd2cb3446807e1b3

SHA1
32a6748f00207bbd7bec2f788ef236b61bb5cebe

SHA256
b204d29f2ea91fe0f05ec0aeace2b51248ac690645c3adb1be92217c59ee8054

SHA512
c6efd51bee48e3cd7e11177599c3bbbab484dd5527380f4edf99219e413166b691fb9a5c47026285236155206e4bf4a4e2f31ef5ab93bd4845f00d851e030474

Download Submit
C:\Windows\Installer\MSI5C2A.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI66FA.tmp

Filesize
4.1MB

MD5
28ced4afaeb99db26b27e205f819c96f

SHA1
09fff58d4398cf09c766a52f222c0a2083c484dc

SHA256
788b3bb8a8400b4bfd3e1104ce7a3ed61a780aca94cf6dd4d02a295cf333fb15

SHA512
57c581dd2a9a3fc57638c8d6eb3b3e8b96bb4916ccc839d41003682d7e2c3ee62bc61fcf3bbdfa71d4368a023b166345bcb2dc4ac3fcd63e80f2b4ca86192d80

Download Submit
C:\Windows\Installer\MSI66FA.tmp

Filesize
4.2MB

MD5
66fc198276bd327db064f34835267912

SHA1
138482ccdb003a9e620ceccc07982d944fe20f4a

SHA256
ea1030ee9ddcabd419c184d5a35ba7d08e637eab8795d4da67abfb86d85c5887

SHA512
ca5d0e62bc23d3867e34cc3ecc99fc3753094a06773bce9d908c770607f18a254a8c38a01574002c3730fce081433db4d21ee97f8be209b2679fdc9455a98ced

Download Submit
C:\Windows\Installer\MSI66FA.tmp

Filesize
3.8MB

MD5
2272225db7a1309d2b6adc809d7101b5

SHA1
f28aa4b9ad0d4ca522f65a7bc0227778402f6abd

SHA256
e771b6abf0d346030b92eedae24bfcaee72193b0cabb64e158ce65209d4154b3

SHA512
a500577961ee208c829fe7a311692ba567ef8cfbca9cf684b489087e36030996ad3f69d2797957e1394ecc95304d6459e20380c369beb0a8d880318df808be8b

Download Submit
memory/4300-15-0x0000000002DB0000-0x0000000003578000-memory.dmp

Filesize
7.8MB

Download
memory/4300-17-0x0000000002DB0000-0x0000000003578000-memory.dmp

Filesize
7.8MB

Download