6d0e896d138e1e12f3c29a4fe7b91618774a7aa59fe1a818853d32c8b06786f4

General

Target

A007 Termbase.msi
Size

26.4MB
MD5

0d74999e3ce596667b1cef92ebac05fa
SHA1

f4cecf3d7f2563b5c74c86f744061e338d2d3421
SHA256

6d0e896d138e1e12f3c29a4fe7b91618774a7aa59fe1a818853d32c8b06786f4
SHA512

e36740d392e751e94f3273d68e6235b03b96ca5f9a63f33ea0a7b3a19545be1cc889aa245c4a85a318e2b36cbcc31c356911476a58d24c9f16f4a18fd419f245
SSDEEP

786432:UeBHVLpoSprl9J1P2nYOWMzgpEH68ppppppppb:U21poSRPynwMzgpEa8ppppppppb

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Loads dropped DLL 6 IoCs

Processes:

MsiExec.exe

pid process

4944 MsiExec.exe
4944 MsiExec.exe
4944 MsiExec.exe
4944 MsiExec.exe
4944 MsiExec.exe
4944 MsiExec.exe

pid	process
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2264	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2264	msiexec.exe
Token: SeSecurityPrivilege	4132	msiexec.exe
Token: SeCreateTokenPrivilege	2264	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2264	msiexec.exe
Token: SeLockMemoryPrivilege	2264	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2264	msiexec.exe
Token: SeMachineAccountPrivilege	2264	msiexec.exe
Token: SeTcbPrivilege	2264	msiexec.exe
Token: SeSecurityPrivilege	2264	msiexec.exe
Token: SeTakeOwnershipPrivilege	2264	msiexec.exe
Token: SeLoadDriverPrivilege	2264	msiexec.exe
Token: SeSystemProfilePrivilege	2264	msiexec.exe
Token: SeSystemtimePrivilege	2264	msiexec.exe
Token: SeProfSingleProcessPrivilege	2264	msiexec.exe
Token: SeIncBasePriorityPrivilege	2264	msiexec.exe
Token: SeCreatePagefilePrivilege	2264	msiexec.exe
Token: SeCreatePermanentPrivilege	2264	msiexec.exe
Token: SeBackupPrivilege	2264	msiexec.exe
Token: SeRestorePrivilege	2264	msiexec.exe
Token: SeShutdownPrivilege	2264	msiexec.exe
Token: SeDebugPrivilege	2264	msiexec.exe
Token: SeAuditPrivilege	2264	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2264	msiexec.exe
Token: SeChangeNotifyPrivilege	2264	msiexec.exe
Token: SeRemoteShutdownPrivilege	2264	msiexec.exe
Token: SeUndockPrivilege	2264	msiexec.exe
Token: SeSyncAgentPrivilege	2264	msiexec.exe
Token: SeEnableDelegationPrivilege	2264	msiexec.exe
Token: SeManageVolumePrivilege	2264	msiexec.exe
Token: SeImpersonatePrivilege	2264	msiexec.exe
Token: SeCreateGlobalPrivilege	2264	msiexec.exe
Token: SeCreateTokenPrivilege	2264	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2264	msiexec.exe
Token: SeLockMemoryPrivilege	2264	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2264	msiexec.exe
Token: SeMachineAccountPrivilege	2264	msiexec.exe
Token: SeTcbPrivilege	2264	msiexec.exe
Token: SeSecurityPrivilege	2264	msiexec.exe
Token: SeTakeOwnershipPrivilege	2264	msiexec.exe
Token: SeLoadDriverPrivilege	2264	msiexec.exe
Token: SeSystemProfilePrivilege	2264	msiexec.exe
Token: SeSystemtimePrivilege	2264	msiexec.exe
Token: SeProfSingleProcessPrivilege	2264	msiexec.exe
Token: SeIncBasePriorityPrivilege	2264	msiexec.exe
Token: SeCreatePagefilePrivilege	2264	msiexec.exe
Token: SeCreatePermanentPrivilege	2264	msiexec.exe
Token: SeBackupPrivilege	2264	msiexec.exe
Token: SeRestorePrivilege	2264	msiexec.exe
Token: SeShutdownPrivilege	2264	msiexec.exe
Token: SeDebugPrivilege	2264	msiexec.exe
Token: SeAuditPrivilege	2264	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2264	msiexec.exe
Token: SeChangeNotifyPrivilege	2264	msiexec.exe
Token: SeRemoteShutdownPrivilege	2264	msiexec.exe
Token: SeUndockPrivilege	2264	msiexec.exe
Token: SeSyncAgentPrivilege	2264	msiexec.exe
Token: SeEnableDelegationPrivilege	2264	msiexec.exe
Token: SeManageVolumePrivilege	2264	msiexec.exe
Token: SeImpersonatePrivilege	2264	msiexec.exe
Token: SeCreateGlobalPrivilege	2264	msiexec.exe
Token: SeCreateTokenPrivilege	2264	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2264	msiexec.exe
Token: SeLockMemoryPrivilege	2264	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2264 msiexec.exe

pid	process
2264	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4132 wrote to memory of 4944	4132	msiexec.exe	MsiExec.exe
PID 4132 wrote to memory of 4944	4132	msiexec.exe	MsiExec.exe
PID 4132 wrote to memory of 4944	4132	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\A007 Termbase.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2264

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9F8E1577EE2EF33298A8F8BA730705F1 C
2⤵
- Loads dropped DLL
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI80E8.tmp
Filesize
559KB

MD5
fe4d2f9cad2f30990e8f845d4052c2fd

SHA1
3c2ebd01fdd78f2424d8c76e36404933e4a71a11

SHA256
1e28349bf342dd176ff7a899b73e7a1b5792c95e099212a72d7dfe9e75836695

SHA512
6dd5d5d30002d18d37a1068730657c84142bf0bd81cc9aab6bcb67286b4f4dd5b77e3b8fb3e6356ea86e26a79805e50a33e686859f5d9e065129a34b7cac66f4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads