Analysis
- max time kernel: 154s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/04/2024, 10:06
Static task: static1
Behavioral task: behavioral1
  Sample: 73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
  Resource: win10v2004-20240226-en
General
- Target: 73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
- Size: 5.8MB
- MD5: 483b57478ab379546ae9fbab1c0185fa
- SHA1: e76211f214c1bcd7eb4ab21478d11a50c31d5da7
- SHA256: 73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3
- SHA512: a06f6a98831454f70413efcb6ca97a96440c07bc65e42a8bbfa6c2a6ae7d5dc666d3b96455acdd98089867b9f5ed0cbd98c69bda1c088eb6f3a6c7d702bcb9c4
- SSDEEP: 98304:mihTySajXEjCVXrepfrULCZf7ACNQB0zmlwXU8ern7beyN:OjjIzULqpQBv17r3eyN
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

  description              ioc     Process
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
- Loads dropped DLL (2 IoCs)

  pid   Process
  3180  MsiExec.exe
  3180  MsiExec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)

  description                           pid   Process
  Token: SeShutdownPrivilege            4636  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       4636  msiexec.exe
  Token: SeSecurityPrivilege            4808  msiexec.exe
  Token: SeCreateTokenPrivilege         4636  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  4636  msiexec.exe
  Token: SeLockMemoryPrivilege          4636  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       4636  msiexec.exe
  Token: SeMachineAccountPrivilege      4636  msiexec.exe
  Token: SeTcbPrivilege                 4636  msiexec.exe
  Token: SeSecurityPrivilege            4636  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4636  msiexec.exe
  Token: SeLoadDriverPrivilege          4636  msiexec.exe
  Token: SeSystemProfilePrivilege       4636  msiexec.exe
  Token: SeSystemtimePrivilege          4636  msiexec.exe
  Token: SeProfSingleProcessPrivilege   4636  msiexec.exe
  Token: SeIncBasePriorityPrivilege     4636  msiexec.exe
  Token: SeCreatePagefilePrivilege      4636  msiexec.exe
  Token: SeCreatePermanentPrivilege     4636  msiexec.exe
  Token: SeBackupPrivilege              4636  msiexec.exe
  Token: SeRestorePrivilege             4636  msiexec.exe
  Token: SeShutdownPrivilege            4636  msiexec.exe
  Token: SeDebugPrivilege               4636  msiexec.exe
  Token: SeAuditPrivilege               4636  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   4636  msiexec.exe
  Token: SeChangeNotifyPrivilege        4636  msiexec.exe
  Token: SeRemoteShutdownPrivilege      4636  msiexec.exe
  Token: SeUndockPrivilege              4636  msiexec.exe
  Token: SeSyncAgentPrivilege           4636  msiexec.exe
  Token: SeEnableDelegationPrivilege    4636  msiexec.exe
  Token: SeManageVolumePrivilege        4636  msiexec.exe
  Token: SeImpersonatePrivilege         4636  msiexec.exe
  Token: SeCreateGlobalPrivilege        4636  msiexec.exe
  Token: SeCreateTokenPrivilege         4636  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  4636  msiexec.exe
  Token: SeLockMemoryPrivilege          4636  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       4636  msiexec.exe
  Token: SeMachineAccountPrivilege      4636  msiexec.exe
  Token: SeTcbPrivilege                 4636  msiexec.exe
  Token: SeSecurityPrivilege            4636  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4636  msiexec.exe
  Token: SeLoadDriverPrivilege          4636  msiexec.exe
  Token: SeSystemProfilePrivilege       4636  msiexec.exe
  Token: SeSystemtimePrivilege          4636  msiexec.exe
  Token: SeProfSingleProcessPrivilege   4636  msiexec.exe
  Token: SeIncBasePriorityPrivilege     4636  msiexec.exe
  Token: SeCreatePagefilePrivilege      4636  msiexec.exe
  Token: SeCreatePermanentPrivilege     4636  msiexec.exe
  Token: SeBackupPrivilege              4636  msiexec.exe
  Token: SeRestorePrivilege             4636  msiexec.exe
  Token: SeShutdownPrivilege            4636  msiexec.exe
  Token: SeDebugPrivilege               4636  msiexec.exe
  Token: SeAuditPrivilege               4636  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   4636  msiexec.exe
  Token: SeChangeNotifyPrivilege        4636  msiexec.exe
  Token: SeRemoteShutdownPrivilege      4636  msiexec.exe
  Token: SeUndockPrivilege              4636  msiexec.exe
  Token: SeSyncAgentPrivilege           4636  msiexec.exe
  Token: SeEnableDelegationPrivilege    4636  msiexec.exe
  Token: SeManageVolumePrivilege        4636  msiexec.exe
  Token: SeImpersonatePrivilege         4636  msiexec.exe
  Token: SeCreateGlobalPrivilege        4636  msiexec.exe
  Token: SeCreateTokenPrivilege         4636  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  4636  msiexec.exe
  Token: SeLockMemoryPrivilege          4636  msiexec.exe
- Suspicious use of FindShellTrayWindow (1 IoC)

  pid   Process
  4636  msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)

  description                         pid   Process      procid_target
  PID 4808 wrote to memory of 3180    4808  msiexec.exe  100
  PID 4808 wrote to memory of 3180    4808  msiexec.exe  100
  PID 4808 wrote to memory of 3180    4808  msiexec.exe  100
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4636
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4808
  - C:\Windows\syswow64\MsiExec.exe (child of PID 4808)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BB283E92872557CAD3827E95936663B6 C
    - Loads dropped DLL
    PID: 3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
  PID: 3404
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 721KB
- MD5: 5a1f2196056c0a06b79a77ae981c7761
- SHA1: a880ae54395658f129e24732800e207ecd0b5603
- SHA256: 52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e
- SHA512: 9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a