Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 29-03-2024 07:56
Static task: static1
Behavioral task: behavioral1
  Sample: setup.msi
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: setup.msi
  Resource: win10v2004-20240508-en
General
- Target: setup.msi
- Size: 8.5MB
- MD5: 86a68878633d570e195609fe33640561
- SHA1: 5a5355a80750693493c4ff9d4184d3234ad62b73
- SHA256: 7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92
- SHA512: 502f996aff0273aecd4256bd25b3bcd2187a2b44c1b26c0b64a622ae2d788328d8f8e9bbd8fa9119a0edb282d1737f8f502ecf69484a70b14fd287442630c1a9
- SSDEEP: 196608:zN7EYGIfVlhQ+gtODuwjWT6mPLJo/QkPM27rMr:z+3IfVlhQ+glwY6AW/h37rM
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
  description | ioc | process
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
- Drops file in System32 directory (1 IoC)
  Processes: powershell.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Drops file in Windows directory (11 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  File created | C:\Windows\Installer\f760732.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI78F.tmp | msiexec.exe
  File created | C:\Windows\Installer\f760735.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\f760735.ipi | msiexec.exe
  File created | C:\Windows\Installer\f760737.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\f760732.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI84B.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8E8.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI957.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSID3E.tmp | msiexec.exe
- Loads dropped DLL (4 IoCs)
  Processes: MsiExec.exe
  pid | process
  2900 | MsiExec.exe
  2900 | MsiExec.exe
  2900 | MsiExec.exe
  2900 | MsiExec.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe, msiexec.exe
  pid | process
  2692 | powershell.exe
  1680 | msiexec.exe
  1680 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe, msiexec.exe, powershell.exe
  description | pid | process
  Token: SeShutdownPrivilege | 2332 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2332 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeSecurityPrivilege | 1680 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2332 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2332 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2332 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2332 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2332 | msiexec.exe
  Token: SeTcbPrivilege | 2332 | msiexec.exe
  Token: SeSecurityPrivilege | 2332 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2332 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2332 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2332 | msiexec.exe
  Token: SeSystemtimePrivilege | 2332 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2332 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2332 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2332 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2332 | msiexec.exe
  Token: SeBackupPrivilege | 2332 | msiexec.exe
  Token: SeRestorePrivilege | 2332 | msiexec.exe
  Token: SeShutdownPrivilege | 2332 | msiexec.exe
  Token: SeDebugPrivilege | 2332 | msiexec.exe
  Token: SeAuditPrivilege | 2332 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2332 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2332 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2332 | msiexec.exe
  Token: SeUndockPrivilege | 2332 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2332 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2332 | msiexec.exe
  Token: SeManageVolumePrivilege | 2332 | msiexec.exe
  Token: SeImpersonatePrivilege | 2332 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2332 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeDebugPrivilege | 2692 | powershell.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1680 | msiexec.exe
  Token: SeRestorePrivilege | 1680 | msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msiexec.exe
  pid | process
  2332 | msiexec.exe
  2332 | msiexec.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: msiexec.exe, MsiExec.exe
  description | pid | process | procid_target
  PID 1680 wrote to memory of 2900 | 1680 | msiexec.exe | 29
  PID 1680 wrote to memory of 2900 | 1680 | msiexec.exe | 29
  PID 1680 wrote to memory of 2900 | 1680 | msiexec.exe | 29
  PID 1680 wrote to memory of 2900 | 1680 | msiexec.exe | 29
  PID 1680 wrote to memory of 2900 | 1680 | msiexec.exe | 29
  PID 1680 wrote to memory of 2900 | 1680 | msiexec.exe | 29
  PID 1680 wrote to memory of 2900 | 1680 | msiexec.exe | 29
  PID 2900 wrote to memory of 2692 | 2900 | MsiExec.exe | 30
  PID 2900 wrote to memory of 2692 | 2900 | MsiExec.exe | 30
  PID 2900 wrote to memory of 2692 | 2900 | MsiExec.exe | 30
  PID 2900 wrote to memory of 2692 | 2900 | MsiExec.exe | 30
Processes
- C:\Windows\system32\msiexec.exe (PID 2332)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1680)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2900, child of 1680)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding AD15DBC04DDF5263A70E43D327F874F1
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2692, child of 2900)
      Arguments: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss9F3.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi9F0.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr9F1.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr9F2.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 17KB
  MD5: f0f7ef7aa6e815942a2841caa8173519
  SHA1: e0edd7c333a9577e33e51bc52f07bb6315acf261
  SHA256: ea5cdb578178b4e2e5cf9b3e4cfe72ec126ad3c013e82810d03a9a9c2474a83f
  SHA512: 402b47b7cbf4c06dfb3186bc1cc00518fb2bb8205d7cdb397c4685b11923eb1e309f27b1cd85afb7c0e11d991178381d3bf6ac6f22a6dbbf9d7c06046c5c4e28
- Filesize: 42B
  MD5: 0fb609a6d2027ec24eb33cf64bd95b20
  SHA1: ec07f4535b17f362ba12924d62fd952a93e61547
  SHA256: b9227e3366d64bcf11da5683b8fc1d5e10afa40b66434ddb7b279f835a9401c9
  SHA512: cc522dfac8b6958b97cc495af936b7c716199d1b257f3aa4f9eaf08a78f003c5a4ea8b90ab506db46ea751988d51b0f99bea9fdbcc46037b4c0997ccb86557b3
- Filesize: 6KB
  MD5: 30c30ef2cb47e35101d13402b5661179
  SHA1: 25696b2aab86a9233f19017539e2dd83b2f75d4e
  SHA256: 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
  SHA512: 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458
- Filesize: 542B
  MD5: 753240f3d0c58563dcba1244db69b0d7
  SHA1: 4a0f248fccc2431ece50f717cbf80f6681504932
  SHA256: e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a
  SHA512: 03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9
- Filesize: 1.1MB
  MD5: f74e6b15bbb4d3a8decb9fe17175d056
  SHA1: 20a67c7d020bce3adcbd34cb0044771ae0bcb2ba
  SHA256: 50235ec9328d759d9adceb1224999bcf5d602594b2c6260c4f793b84c533e6d3
  SHA512: 5c896a916537cbf6e4f6c995a240b3e651356e5a5fc549058cc60892c5905e64a3fd78cf0998149ca88f474f9ce78c94ea398bd245735a1b242f497adb44bbf4
- Filesize: 738KB
  MD5: b158d8d605571ea47a238df5ab43dfaa
  SHA1: bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
  SHA256: ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
  SHA512: 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
- Filesize: 758KB
  MD5: fb4665320c9da54598321c59cc5ed623
  SHA1: 89e87b3cc569edd26b5805244cfacb2f9c892bc7
  SHA256: 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59
  SHA512: b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf
- Filesize: 8.5MB
  MD5: 86a68878633d570e195609fe33640561
  SHA1: 5a5355a80750693493c4ff9d4184d3234ad62b73
  SHA256: 7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92
  SHA512: 502f996aff0273aecd4256bd25b3bcd2187a2b44c1b26c0b64a622ae2d788328d8f8e9bbd8fa9119a0edb282d1737f8f502ecf69484a70b14fd287442630c1a9