b9f0f29ab0015b207fc68d51ffb2a98813e69401c49b5ad505419d5fcbc6b33e

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9f0f29ab0015b207fc68d51ffb2a98813e69401c49b5ad505419d5fcbc6b33e.msi
Size

2.3MB
MD5

798e2c0dfd79867c67973832c8a09e74
SHA1

0ca5cef61d40fc0a03bf69f7de913b1fa8ac38fc
SHA256

b9f0f29ab0015b207fc68d51ffb2a98813e69401c49b5ad505419d5fcbc6b33e
SHA512

d777a453b248d18185463a025e8d67cf3748a62078a286d2568a51bf1f75ada08544deea8ca20af6df6b131f97f92d2756904a3ab323bae975bcf4554ed132da
SSDEEP

49152:hka9ibZ7ZKumZrRq4Fb6HXr1iWnYs4ntHurpllQ6a6uxtZZjhdnNnVY7nE2N/ET:6bzKZFnWnLuxBjvMEW/

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Loads dropped DLL 9 IoCs

pid	Process
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2556	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1652	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1652	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeSecurityPrivilege	2592	msiexec.exe
Token: SeCreateTokenPrivilege	1652	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1652	msiexec.exe
Token: SeLockMemoryPrivilege	1652	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1652	msiexec.exe
Token: SeMachineAccountPrivilege	1652	msiexec.exe
Token: SeTcbPrivilege	1652	msiexec.exe
Token: SeSecurityPrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeLoadDriverPrivilege	1652	msiexec.exe
Token: SeSystemProfilePrivilege	1652	msiexec.exe
Token: SeSystemtimePrivilege	1652	msiexec.exe
Token: SeProfSingleProcessPrivilege	1652	msiexec.exe
Token: SeIncBasePriorityPrivilege	1652	msiexec.exe
Token: SeCreatePagefilePrivilege	1652	msiexec.exe
Token: SeCreatePermanentPrivilege	1652	msiexec.exe
Token: SeBackupPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeShutdownPrivilege	1652	msiexec.exe
Token: SeDebugPrivilege	1652	msiexec.exe
Token: SeAuditPrivilege	1652	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1652	msiexec.exe
Token: SeChangeNotifyPrivilege	1652	msiexec.exe
Token: SeRemoteShutdownPrivilege	1652	msiexec.exe
Token: SeUndockPrivilege	1652	msiexec.exe
Token: SeSyncAgentPrivilege	1652	msiexec.exe
Token: SeEnableDelegationPrivilege	1652	msiexec.exe
Token: SeManageVolumePrivilege	1652	msiexec.exe
Token: SeImpersonatePrivilege	1652	msiexec.exe
Token: SeCreateGlobalPrivilege	1652	msiexec.exe
Token: SeCreateTokenPrivilege	1652	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1652	msiexec.exe
Token: SeLockMemoryPrivilege	1652	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1652	msiexec.exe
Token: SeMachineAccountPrivilege	1652	msiexec.exe
Token: SeTcbPrivilege	1652	msiexec.exe
Token: SeSecurityPrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeLoadDriverPrivilege	1652	msiexec.exe
Token: SeSystemProfilePrivilege	1652	msiexec.exe
Token: SeSystemtimePrivilege	1652	msiexec.exe
Token: SeProfSingleProcessPrivilege	1652	msiexec.exe
Token: SeIncBasePriorityPrivilege	1652	msiexec.exe
Token: SeCreatePagefilePrivilege	1652	msiexec.exe
Token: SeCreatePermanentPrivilege	1652	msiexec.exe
Token: SeBackupPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeShutdownPrivilege	1652	msiexec.exe
Token: SeDebugPrivilege	1652	msiexec.exe
Token: SeAuditPrivilege	1652	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1652	msiexec.exe
Token: SeChangeNotifyPrivilege	1652	msiexec.exe
Token: SeRemoteShutdownPrivilege	1652	msiexec.exe
Token: SeUndockPrivilege	1652	msiexec.exe
Token: SeSyncAgentPrivilege	1652	msiexec.exe
Token: SeEnableDelegationPrivilege	1652	msiexec.exe
Token: SeManageVolumePrivilege	1652	msiexec.exe
Token: SeImpersonatePrivilege	1652	msiexec.exe
Token: SeCreateGlobalPrivilege	1652	msiexec.exe
Token: SeCreateTokenPrivilege	1652	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1652	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2556	2592	msiexec.exe	29
PID 2592 wrote to memory of 2556	2592	msiexec.exe	29
PID 2592 wrote to memory of 2556	2592	msiexec.exe	29
PID 2592 wrote to memory of 2556	2592	msiexec.exe	29
PID 2592 wrote to memory of 2556	2592	msiexec.exe	29
PID 2592 wrote to memory of 2556	2592	msiexec.exe	29
PID 2592 wrote to memory of 2556	2592	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b9f0f29ab0015b207fc68d51ffb2a98813e69401c49b5ad505419d5fcbc6b33e.msi
1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1652

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 910E4D86C9A38529DC8900C6DE9AF54E C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI4C6B.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4FF9.tmp

Filesize
897KB

MD5
6189cdcb92ab9ddbffd95facd0b631fa

SHA1
b74c72cefcb5808e2c9ae4ba976fa916ba57190d

SHA256
519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783

SHA512
ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

Download Submit