7ca944aceb280237597a251217a9b5db9f04279fe63b5ab6583f13e15dfc9f46

General

Target

73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
Size

5.8MB
MD5

483b57478ab379546ae9fbab1c0185fa
SHA1

e76211f214c1bcd7eb4ab21478d11a50c31d5da7
SHA256

73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3
SHA512

a06f6a98831454f70413efcb6ca97a96440c07bc65e42a8bbfa6c2a6ae7d5dc666d3b96455acdd98089867b9f5ed0cbd98c69bda1c088eb6f3a6c7d702bcb9c4
SSDEEP

98304:mihTySajXEjCVXrepfrULCZf7ACNQB0zmlwXU8ern7beyN:OjjIzULqpQBv17r3eyN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

3180 MsiExec.exe
3180 MsiExec.exe

pid	process
3180	MsiExec.exe
3180	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4636	msiexec.exe
Token: SeSecurityPrivilege	4808	msiexec.exe
Token: SeCreateTokenPrivilege	4636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4636	msiexec.exe
Token: SeLockMemoryPrivilege	4636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4636	msiexec.exe
Token: SeMachineAccountPrivilege	4636	msiexec.exe
Token: SeTcbPrivilege	4636	msiexec.exe
Token: SeSecurityPrivilege	4636	msiexec.exe
Token: SeTakeOwnershipPrivilege	4636	msiexec.exe
Token: SeLoadDriverPrivilege	4636	msiexec.exe
Token: SeSystemProfilePrivilege	4636	msiexec.exe
Token: SeSystemtimePrivilege	4636	msiexec.exe
Token: SeProfSingleProcessPrivilege	4636	msiexec.exe
Token: SeIncBasePriorityPrivilege	4636	msiexec.exe
Token: SeCreatePagefilePrivilege	4636	msiexec.exe
Token: SeCreatePermanentPrivilege	4636	msiexec.exe
Token: SeBackupPrivilege	4636	msiexec.exe
Token: SeRestorePrivilege	4636	msiexec.exe
Token: SeShutdownPrivilege	4636	msiexec.exe
Token: SeDebugPrivilege	4636	msiexec.exe
Token: SeAuditPrivilege	4636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4636	msiexec.exe
Token: SeChangeNotifyPrivilege	4636	msiexec.exe
Token: SeRemoteShutdownPrivilege	4636	msiexec.exe
Token: SeUndockPrivilege	4636	msiexec.exe
Token: SeSyncAgentPrivilege	4636	msiexec.exe
Token: SeEnableDelegationPrivilege	4636	msiexec.exe
Token: SeManageVolumePrivilege	4636	msiexec.exe
Token: SeImpersonatePrivilege	4636	msiexec.exe
Token: SeCreateGlobalPrivilege	4636	msiexec.exe
Token: SeCreateTokenPrivilege	4636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4636	msiexec.exe
Token: SeLockMemoryPrivilege	4636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4636	msiexec.exe
Token: SeMachineAccountPrivilege	4636	msiexec.exe
Token: SeTcbPrivilege	4636	msiexec.exe
Token: SeSecurityPrivilege	4636	msiexec.exe
Token: SeTakeOwnershipPrivilege	4636	msiexec.exe
Token: SeLoadDriverPrivilege	4636	msiexec.exe
Token: SeSystemProfilePrivilege	4636	msiexec.exe
Token: SeSystemtimePrivilege	4636	msiexec.exe
Token: SeProfSingleProcessPrivilege	4636	msiexec.exe
Token: SeIncBasePriorityPrivilege	4636	msiexec.exe
Token: SeCreatePagefilePrivilege	4636	msiexec.exe
Token: SeCreatePermanentPrivilege	4636	msiexec.exe
Token: SeBackupPrivilege	4636	msiexec.exe
Token: SeRestorePrivilege	4636	msiexec.exe
Token: SeShutdownPrivilege	4636	msiexec.exe
Token: SeDebugPrivilege	4636	msiexec.exe
Token: SeAuditPrivilege	4636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4636	msiexec.exe
Token: SeChangeNotifyPrivilege	4636	msiexec.exe
Token: SeRemoteShutdownPrivilege	4636	msiexec.exe
Token: SeUndockPrivilege	4636	msiexec.exe
Token: SeSyncAgentPrivilege	4636	msiexec.exe
Token: SeEnableDelegationPrivilege	4636	msiexec.exe
Token: SeManageVolumePrivilege	4636	msiexec.exe
Token: SeImpersonatePrivilege	4636	msiexec.exe
Token: SeCreateGlobalPrivilege	4636	msiexec.exe
Token: SeCreateTokenPrivilege	4636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4636	msiexec.exe
Token: SeLockMemoryPrivilege	4636	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

4636 msiexec.exe

pid	process
4636	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4808 wrote to memory of 3180	4808	msiexec.exe	MsiExec.exe
PID 4808 wrote to memory of 3180	4808	msiexec.exe	MsiExec.exe
PID 4808 wrote to memory of 3180	4808	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\73472cfc52f2732b933e385ef80b4541191c45c995ce5c42844484c33c9867a3.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BB283E92872557CAD3827E95936663B6 C
2⤵
- Loads dropped DLL
PID:3180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:3404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSID750.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads