Analysis
-
max time kernel
67s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
27-04-2024 22:37
Static task
static1
Behavioral task
behavioral1
Sample
A007 Termbase.msi
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
A007 Termbase.msi
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
A007 Termbase.msi
Resource
win11-20240419-en
General
-
Target
A007 Termbase.msi
-
Size
26.4MB
-
MD5
0d74999e3ce596667b1cef92ebac05fa
-
SHA1
f4cecf3d7f2563b5c74c86f744061e338d2d3421
-
SHA256
6d0e896d138e1e12f3c29a4fe7b91618774a7aa59fe1a818853d32c8b06786f4
-
SHA512
e36740d392e751e94f3273d68e6235b03b96ca5f9a63f33ea0a7b3a19545be1cc889aa245c4a85a318e2b36cbcc31c356911476a58d24c9f16f4a18fd419f245
-
SSDEEP
786432:UeBHVLpoSprl9J1P2nYOWMzgpEH68ppppppppb:U21poSRPynwMzgpEa8ppppppppb
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exepid process 4944 MsiExec.exe 4944 MsiExec.exe 4944 MsiExec.exe 4944 MsiExec.exe 4944 MsiExec.exe 4944 MsiExec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 2264 msiexec.exe Token: SeIncreaseQuotaPrivilege 2264 msiexec.exe Token: SeSecurityPrivilege 4132 msiexec.exe Token: SeCreateTokenPrivilege 2264 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2264 msiexec.exe Token: SeLockMemoryPrivilege 2264 msiexec.exe Token: SeIncreaseQuotaPrivilege 2264 msiexec.exe Token: SeMachineAccountPrivilege 2264 msiexec.exe Token: SeTcbPrivilege 2264 msiexec.exe Token: SeSecurityPrivilege 2264 msiexec.exe Token: SeTakeOwnershipPrivilege 2264 msiexec.exe Token: SeLoadDriverPrivilege 2264 msiexec.exe Token: SeSystemProfilePrivilege 2264 msiexec.exe Token: SeSystemtimePrivilege 2264 msiexec.exe Token: SeProfSingleProcessPrivilege 2264 msiexec.exe Token: SeIncBasePriorityPrivilege 2264 msiexec.exe Token: SeCreatePagefilePrivilege 2264 msiexec.exe Token: SeCreatePermanentPrivilege 2264 msiexec.exe Token: SeBackupPrivilege 2264 msiexec.exe Token: SeRestorePrivilege 2264 msiexec.exe Token: SeShutdownPrivilege 2264 msiexec.exe Token: SeDebugPrivilege 2264 msiexec.exe Token: SeAuditPrivilege 2264 msiexec.exe Token: SeSystemEnvironmentPrivilege 2264 msiexec.exe Token: SeChangeNotifyPrivilege 2264 msiexec.exe Token: SeRemoteShutdownPrivilege 2264 msiexec.exe Token: SeUndockPrivilege 2264 msiexec.exe Token: SeSyncAgentPrivilege 2264 msiexec.exe Token: SeEnableDelegationPrivilege 2264 msiexec.exe Token: SeManageVolumePrivilege 2264 msiexec.exe Token: SeImpersonatePrivilege 2264 msiexec.exe Token: SeCreateGlobalPrivilege 2264 msiexec.exe Token: SeCreateTokenPrivilege 2264 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2264 msiexec.exe Token: SeLockMemoryPrivilege 2264 msiexec.exe Token: SeIncreaseQuotaPrivilege 2264 msiexec.exe Token: SeMachineAccountPrivilege 2264 msiexec.exe Token: SeTcbPrivilege 2264 msiexec.exe Token: SeSecurityPrivilege 2264 msiexec.exe Token: SeTakeOwnershipPrivilege 2264 msiexec.exe Token: SeLoadDriverPrivilege 2264 msiexec.exe Token: SeSystemProfilePrivilege 2264 msiexec.exe Token: SeSystemtimePrivilege 2264 msiexec.exe Token: SeProfSingleProcessPrivilege 2264 msiexec.exe Token: SeIncBasePriorityPrivilege 2264 msiexec.exe Token: SeCreatePagefilePrivilege 2264 msiexec.exe Token: SeCreatePermanentPrivilege 2264 msiexec.exe Token: SeBackupPrivilege 2264 msiexec.exe Token: SeRestorePrivilege 2264 msiexec.exe Token: SeShutdownPrivilege 2264 msiexec.exe Token: SeDebugPrivilege 2264 msiexec.exe Token: SeAuditPrivilege 2264 msiexec.exe Token: SeSystemEnvironmentPrivilege 2264 msiexec.exe Token: SeChangeNotifyPrivilege 2264 msiexec.exe Token: SeRemoteShutdownPrivilege 2264 msiexec.exe Token: SeUndockPrivilege 2264 msiexec.exe Token: SeSyncAgentPrivilege 2264 msiexec.exe Token: SeEnableDelegationPrivilege 2264 msiexec.exe Token: SeManageVolumePrivilege 2264 msiexec.exe Token: SeImpersonatePrivilege 2264 msiexec.exe Token: SeCreateGlobalPrivilege 2264 msiexec.exe Token: SeCreateTokenPrivilege 2264 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2264 msiexec.exe Token: SeLockMemoryPrivilege 2264 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 2264 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
msiexec.exedescription pid process target process PID 4132 wrote to memory of 4944 4132 msiexec.exe MsiExec.exe PID 4132 wrote to memory of 4944 4132 msiexec.exe MsiExec.exe PID 4132 wrote to memory of 4944 4132 msiexec.exe MsiExec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\A007 Termbase.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9F8E1577EE2EF33298A8F8BA730705F1 C2⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSI80E8.tmpFilesize
559KB
MD5fe4d2f9cad2f30990e8f845d4052c2fd
SHA13c2ebd01fdd78f2424d8c76e36404933e4a71a11
SHA2561e28349bf342dd176ff7a899b73e7a1b5792c95e099212a72d7dfe9e75836695
SHA5126dd5d5d30002d18d37a1068730657c84142bf0bd81cc9aab6bcb67286b4f4dd5b77e3b8fb3e6356ea86e26a79805e50a33e686859f5d9e065129a34b7cac66f4