Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 20/04/2024, 01:43
Static task: static1
Behavioral task: behavioral1
  Sample: b5a00c7c902fdfba6c6e693d516c39e1ba04fae89c34efc5cda059060121da1c.msi
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: b5a00c7c902fdfba6c6e693d516c39e1ba04fae89c34efc5cda059060121da1c.msi
  Resource: win10v2004-20240412-en
General
Target: b5a00c7c902fdfba6c6e693d516c39e1ba04fae89c34efc5cda059060121da1c.msi
Size: 16.9MB
MD5: 340365f7123c5449c53af6eed45ee75b
SHA1: d9de46db15f358d6c6777134932ea7b1e57e3acc
SHA256: b5a00c7c902fdfba6c6e693d516c39e1ba04fae89c34efc5cda059060121da1c
SHA512: 0a9dcfea79a12bfa79c7e917f9643c87edb8310bf95beb27ad358fed899c0a363f6e853f7d4d73540def7dbfe2e5b352d9d66b866331b2997b90e287c449644c
SSDEEP: 98304:yf/9Lm8KkEQMvRKGpw4dyJQFZVAuTcBJqx4KBBBz68qi4h1xAsZP2nLS7vZ2YX2W:ydMBaWnhTcBeOfi4y5LpFTp
Malware Config

Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. Windows Installer probes every volume during its costing phase, so this signature fires on ordinary MSI installs as well; treat it as context for the process tree below rather than as an indicator on its own.
description: File opened (read-only)   process: msiexec.exe
ioc: 23 drive letters, each opened twice (46 rows in total); C:, D: and F: are the only letters not opened
  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O:
  \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Windows directory (10 IoCs)
description                    ioc                                 process
File opened for modification   C:\Windows\Installer\               msiexec.exe
File opened for modification   C:\Windows\Installer\f761e0f.ipi    msiexec.exe
File created                   C:\Windows\Installer\f761e0c.msi    msiexec.exe
File opened for modification   C:\Windows\Installer\f761e0c.msi    msiexec.exe
File opened for modification   C:\Windows\Installer\MSI1E3A.tmp    msiexec.exe
File opened for modification   C:\Windows\Installer\MSI1EF7.tmp    msiexec.exe
File opened for modification   C:\Windows\Installer\MSI1F84.tmp    msiexec.exe
File created                   C:\Windows\Installer\f761e0f.ipi    msiexec.exe
File opened for modification   C:\Windows\Installer\MSI2149.tmp    msiexec.exe
File opened for modification   C:\Windows\Installer\MSI216B.tmp    msiexec.exe
Note: f761e0c.msi is the Installer service's cached copy of the package, and MSIxxxx.tmp files under C:\Windows\Installer are where the service writes Binary-table payloads (custom action DLLs and EXEs) before they are run. Which of these files the 32-bit MsiExec.exe (PID 2624) loaded is not recorded in this report; the .tmp files are the first place to look when the sample is available.
Loads dropped DLL (4 IoCs)
pid    process
2624   MsiExec.exe   (4 rows)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    process
2496   msiexec.exe   (2 rows)
Suspicious use of AdjustPrivilegeToken (52 IoCs)
pid    process       privileges enabled (report order)
2488   msiexec.exe   SeShutdownPrivilege, SeIncreaseQuotaPrivilege
2496   msiexec.exe   SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
2488   msiexec.exe   SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
2496   msiexec.exe   SeRestorePrivilege, SeTakeOwnershipPrivilege (this pair is repeated nine times, 18 rows)
Note: the 29-name run for PID 2488 is every well-known privilege from SeCreateTokenPrivilege (LUID 2) to SeCreateGlobalPrivilege (LUID 30) in LUID order, i.e. a blanket "enable everything" pass. That is the standard startup behaviour of the Windows Installer client process and says nothing about the package's own code; the repeated SeRestore/SeTakeOwnership enables in the service (PID 2496) are likewise routine for file and registry writes during an install. None of these rows is attributed to the custom-action host, PID 2624.
Suspicious use of FindShellTrayWindow (2 IoCs)
pid    process
2488   msiexec.exe   (2 rows)
Suspicious use of SetWindowsHookEx (4 IoCs)
pid    process
2624   MsiExec.exe   (4 rows)
Suspicious use of WriteProcessMemory (7 IoCs)
description                         pid    process       procid_target
PID 2496 wrote to memory of 2624    2496   msiexec.exe   29            (7 rows)
Note: all seven writes go from the Installer service (PID 2496) into the 32-bit custom-action host it started (PID 2624); writes from a parent into a child it has just created are part of normal process start-up. The report shows no writes into any process outside this msiexec tree.
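The signature rows above arrive as flattened tables, and the first triage step is to turn them into per-process records so that the installer's baseline behaviour can be separated from the package's own activity. The following Python is an added example written for this report; it is not the sandbox vendor's code. The row excerpts embedded in it are quoted (and shortened) from the Signatures section above, while the regular expressions and the SENSITIVE privilege set are assumptions made here for triage, not a documented schema.

```python
"""Turn flattened sandbox signature rows into per-process records.

Added example for this report; not the sandbox vendor's code. The regexes
below are assumptions about the row layout seen on this page, not a
documented schema.
"""
import re
import string
from collections import Counter, defaultdict

# Row excerpts quoted from the Signatures section of this report (shortened:
# the full report has 46 drive rows and 52 token rows).
DRIVE_ROWS = (
    "File opened (read-only) \\??\\Y: msiexec.exe "
    "File opened (read-only) \\??\\G: msiexec.exe "
    "File opened (read-only) \\??\\M: msiexec.exe "
    "File opened (read-only) \\??\\U: msiexec.exe "
    "File opened (read-only) \\??\\Y: msiexec.exe "
    "File opened (read-only) \\??\\A: msiexec.exe"
)
TOKEN_ROWS = (
    "Token: SeShutdownPrivilege 2488 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 2488 msiexec.exe "
    "Token: SeRestorePrivilege 2496 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 2496 msiexec.exe "
    "Token: SeSecurityPrivilege 2496 msiexec.exe "
    "Token: SeCreateTokenPrivilege 2488 msiexec.exe "
    "Token: SeDebugPrivilege 2488 msiexec.exe "
    "Token: SeRestorePrivilege 2496 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 2496 msiexec.exe"
)
WPM_ROWS = (
    "PID 2496 wrote to memory of 2624 2496 msiexec.exe 29 "
    "PID 2496 wrote to memory of 2624 2496 msiexec.exe 29"
)

# Assumed row layouts, derived from the rows on this page.
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# Privileges worth a second look when a custom-action host enables them;
# this selection is an assumption for triage, not a vendor list.
SENSITIVE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeImpersonatePrivilege",
}


def parse_drives(text):
    """Count (drive letter, process) pairs; duplicate rows are kept as counts."""
    return Counter((m.group(1), m.group(2)) for m in DRIVE_RE.finditer(text))


def drive_summary(text):
    """Distinct letters opened, letters never opened, and total row count."""
    counts = parse_drives(text)
    opened = sorted({letter for letter, _proc in counts})
    return {
        "rows": sum(counts.values()),
        "opened": opened,
        "not_opened": sorted(set(string.ascii_uppercase) - set(opened)),
    }


def privileges_by_pid(text):
    """Map pid -> Counter of privilege names enabled, repeats included."""
    by_pid = defaultdict(Counter)
    for priv, pid, _proc in TOKEN_RE.findall(text):
        by_pid[int(pid)][priv] += 1
    return dict(by_pid)


def flag_sensitive(by_pid):
    """Per pid, the sensitive privileges it enabled (sorted, de-duplicated)."""
    return {pid: sorted(set(c) & SENSITIVE) for pid, c in by_pid.items()}


def wpm_edges(text):
    """Count (source pid, target pid, source image) WriteProcessMemory edges."""
    return Counter(
        (int(src), int(dst), proc)
        for src, dst, _pid, proc, _idx in WPM_RE.findall(text)
    )


if __name__ == "__main__":
    print(drive_summary(DRIVE_ROWS))
    for pid, privs in flag_sensitive(privileges_by_pid(TOKEN_ROWS)).items():
        print(pid, privs)
    print(wpm_edges(WPM_ROWS))
```

Run against the full row text of this report the same functions give 23 distinct drive letters with C:, D: and F: absent, 31 token rows for PID 2488 against 21 for PID 2496, and a single write edge 2496 -> 2624; the point of keeping counts rather than sets is that the repeated SeRestore/SeTakeOwnership pairs and the duplicated drive letters stay visible instead of collapsing into one line.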
Processes
1. C:\Windows\system32\msiexec.exe (PID 2488)
   command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b5a00c7c902fdfba6c6e693d516c39e1ba04fae89c34efc5cda059060121da1c.msi
   - Enumerates connected drives
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow

1. C:\Windows\system32\msiexec.exe (PID 2496)
   command line: C:\Windows\system32\msiexec.exe /V
   - Enumerates connected drives
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\syswow64\MsiExec.exe (PID 2624)
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding C152FCC0B603FC0027F85F2754AD7102
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

Reading the tree: PID 2488 is the interactive install client (msiexec /I), PID 2496 is the Windows Installer service (msiexec /V), and PID 2624 is the 32-bit custom-action server that the service starts with -Embedding to host the package's own custom action code; the seven WriteProcessMemory rows from 2496 into 2624 match that parent/child relationship. The package-specific behaviour in this run is therefore concentrated in PID 2624, namely the dropped DLL it loads and its SetWindowsHookEx calls; the report names neither the DLL nor the hook type, so those are the artefacts to pull from the sample before drawing any conclusion.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 618B
MD5: 8fef2fc7d05480d0709383181c33f038
SHA1: 0a0d9dc950cd19bf1701e9e25a8200283c4de4e8
SHA256: dff72e3a72934f35dbc4280d79e317993418de982c455d284b9f720a4b889553
SHA512: 42ee665f88a1f7f8fbaaddd783c19c507901b3db3c57617faec0e10e87d2e86c8646bc99d5a0c28fd64756cdbf194d9c5075ce4f5a2fad1e377db297be394d0d

Filesize: 15.8MB
MD5: ffbba29cf71745019e017791dcd9ea3f
SHA1: 03181b189d1a35d4dd8ae1059a384ed68126c826
SHA256: 0e1543c8cb71eca6b03c5e9e9d79a46b426da56820840f49ab7d9a56d60becc7
SHA512: 7ecacac834efd53df2ac6361006ec0241b9a2e6bc7218eb7b84474e0657a9f5908d422c9ae7923265072cfc857e4216bb852836c015c48ad0c66ebbe0934a591

Filesize: 554KB
MD5: 3b171ce087bb799aafcbbd93bab27f71
SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38