62eac825cf2d3a02138d78af175c0b4f260f5f8bbe98f7056845d168fa00df46

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5b3ac8fe2f537f7705ccef8357e27ec.msi
Size

2.5MB
MD5

b5b3ac8fe2f537f7705ccef8357e27ec
SHA1

252f13c987b8d8994d6f47b8a7b1d2f4b5227e36
SHA256

62eac825cf2d3a02138d78af175c0b4f260f5f8bbe98f7056845d168fa00df46
SHA512

f41d8563f6eaa9aea0593b8119ea0f9ec524d0da79d3a873b249430a725b2ea6f1fed31502757683d56931b7788d438195359efecbc01bf973d9b4d8f1211ec6
SSDEEP

49152:vaHOyVYyGOvJUD0S830aofbBraqQn1nQYaMz:UVYyMPHNu

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
2888	MsiExec.exe
2888	MsiExec.exe
2888	MsiExec.exe
2888	MsiExec.exe
2888	MsiExec.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wid	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1556	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	2188	msiexec.exe
Token: SeTakeOwnershipPrivilege	2188	msiexec.exe
Token: SeSecurityPrivilege	2188	msiexec.exe
Token: SeCreateTokenPrivilege	1556	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1556	msiexec.exe
Token: SeLockMemoryPrivilege	1556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1556	msiexec.exe
Token: SeMachineAccountPrivilege	1556	msiexec.exe
Token: SeTcbPrivilege	1556	msiexec.exe
Token: SeSecurityPrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeLoadDriverPrivilege	1556	msiexec.exe
Token: SeSystemProfilePrivilege	1556	msiexec.exe
Token: SeSystemtimePrivilege	1556	msiexec.exe
Token: SeProfSingleProcessPrivilege	1556	msiexec.exe
Token: SeIncBasePriorityPrivilege	1556	msiexec.exe
Token: SeCreatePagefilePrivilege	1556	msiexec.exe
Token: SeCreatePermanentPrivilege	1556	msiexec.exe
Token: SeBackupPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeShutdownPrivilege	1556	msiexec.exe
Token: SeDebugPrivilege	1556	msiexec.exe
Token: SeAuditPrivilege	1556	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1556	msiexec.exe
Token: SeChangeNotifyPrivilege	1556	msiexec.exe
Token: SeRemoteShutdownPrivilege	1556	msiexec.exe
Token: SeUndockPrivilege	1556	msiexec.exe
Token: SeSyncAgentPrivilege	1556	msiexec.exe
Token: SeEnableDelegationPrivilege	1556	msiexec.exe
Token: SeManageVolumePrivilege	1556	msiexec.exe
Token: SeImpersonatePrivilege	1556	msiexec.exe
Token: SeCreateGlobalPrivilege	1556	msiexec.exe
Token: SeCreateTokenPrivilege	1556	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1556	msiexec.exe
Token: SeLockMemoryPrivilege	1556	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1556	msiexec.exe
Token: SeMachineAccountPrivilege	1556	msiexec.exe
Token: SeTcbPrivilege	1556	msiexec.exe
Token: SeSecurityPrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeLoadDriverPrivilege	1556	msiexec.exe
Token: SeSystemProfilePrivilege	1556	msiexec.exe
Token: SeSystemtimePrivilege	1556	msiexec.exe
Token: SeProfSingleProcessPrivilege	1556	msiexec.exe
Token: SeIncBasePriorityPrivilege	1556	msiexec.exe
Token: SeCreatePagefilePrivilege	1556	msiexec.exe
Token: SeCreatePermanentPrivilege	1556	msiexec.exe
Token: SeBackupPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeShutdownPrivilege	1556	msiexec.exe
Token: SeDebugPrivilege	1556	msiexec.exe
Token: SeAuditPrivilege	1556	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1556	msiexec.exe
Token: SeChangeNotifyPrivilege	1556	msiexec.exe
Token: SeRemoteShutdownPrivilege	1556	msiexec.exe
Token: SeUndockPrivilege	1556	msiexec.exe
Token: SeSyncAgentPrivilege	1556	msiexec.exe
Token: SeEnableDelegationPrivilege	1556	msiexec.exe
Token: SeManageVolumePrivilege	1556	msiexec.exe
Token: SeImpersonatePrivilege	1556	msiexec.exe
Token: SeCreateGlobalPrivilege	1556	msiexec.exe
Token: SeCreateTokenPrivilege	1556	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1556	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2888	2188	msiexec.exe	29
PID 2188 wrote to memory of 2888	2188	msiexec.exe	29
PID 2188 wrote to memory of 2888	2188	msiexec.exe	29
PID 2188 wrote to memory of 2888	2188	msiexec.exe	29
PID 2188 wrote to memory of 2888	2188	msiexec.exe	29
PID 2188 wrote to memory of 2888	2188	msiexec.exe	29
PID 2188 wrote to memory of 2888	2188	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b5b3ac8fe2f537f7705ccef8357e27ec.msi
1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1556

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D03CC7D4DCD727C0C4C2321B038C4357 C
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIAC46.tmp

Filesize
80KB

MD5
c7e62920e43f44adabeb1ce0955ff655

SHA1
4b4ea5c0009cd59672907c14af87c73e6d9f3d0e

SHA256
6536cbba1783b4f128c17dfd2729c50ba69d8efff0af5d3e0ed24c43a91dcb0a

SHA512
12b51315249f98582f4374c9d51a817b17532ff96db9b095db35a40aa78756c4d1ec3124f6c6b2819b6e77cc1c44d335eba93be1428f52642af1351a25cdb73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIADDD.tmp

Filesize
528KB

MD5
e2e8fd4ae36ccafbbcbc4ca8c1477dd4

SHA1
3a6a175526a1db2780768b1ecc09460aee748d8c

SHA256
bd16e29857ffa3844c806d8f6897f1e5bcc4e70ed9e41ebcb2cde5d5c3da085f

SHA512
b3ed988d4a44da364025f091bca5b1eab4d2985188a27980e2394cb25170fd3b906bbd62ae46ab2d020df1139fbacbf532e7940524cfc8d8f38b9202e586e30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAF25.tmp

Filesize
28KB

MD5
6491ee1102ddbf8f49f6c0a4ad46f5d9

SHA1
3fae1aae2e4610389f8a7faee49ea60b708e1413

SHA256
afabbff977c0401d469c9165e7b2e1aca8ab719f62ad24203c8e09262273ec87

SHA512
e83117cbfdce71e47e54b1178d0cd00b3fcae56c8d30f632b561f1b20d741a7e051dbc64dee2a91cc26fa64c04181f3dfe6be0a696ba1dead8796be91480a078

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAF55.tmp

Filesize
204KB

MD5
fcedde5e28b6e9a08c42984ceecae889

SHA1
efce0cd624daeea81bd0c3ca08c796392fe493ee

SHA256
0a7cac9fd21fa21b3e9a3a161da9eb7b159f2b57d339308d8cb77bda8f60c580

SHA512
4a93cf0601befee8863bc6b1ca3a936fc9f899217b68b5f253ace8cc6e9fc2dae2cfc934d051a8b4bb4ea2d84d99da762bfa19e4daf0129026b35147394e5c73

Download Submit