ac0ad6fa6a84cd64a77bd52cb09bf01213b6e2bccccd09d7dabea222419a3bc6

General

Target

X-TPM.msi
Size

41.1MB
MD5

1c3ae290b4057032b76e189009cbeaf0
SHA1

06d5dc01195e2f499806e76049b6c3a28fa029d0
SHA256

ac0ad6fa6a84cd64a77bd52cb09bf01213b6e2bccccd09d7dabea222419a3bc6
SHA512

e9cbea7a43e2fdaf8233a64c89f52c47eb80ac5489f249d9dc8656898c83b01626e7b8fd94525209098ce8a8828874875bed856d1741f0d603ad3fd771d9a64a
SSDEEP

786432:QA2pJpNITFIyP9uI4SD+o/iNmvYMONJfzYj40ZNhUmfIyU3rzyAB2AeS75/3e1C:QVnD2FIyP9uI8o0lJfi40ZNjj2Xy49e8

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Loads dropped DLL 6 IoCs

Processes:

MsiExec.exe

pid process

4760 MsiExec.exe
4760 MsiExec.exe
4760 MsiExec.exe
4760 MsiExec.exe
4760 MsiExec.exe
4760 MsiExec.exe

pid	process
4760	MsiExec.exe
4760	MsiExec.exe
4760	MsiExec.exe
4760	MsiExec.exe
4760	MsiExec.exe
4760	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2988	msiexec.exe
Token: SeSecurityPrivilege	4264	msiexec.exe
Token: SeCreateTokenPrivilege	2988	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2988	msiexec.exe
Token: SeLockMemoryPrivilege	2988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2988	msiexec.exe
Token: SeMachineAccountPrivilege	2988	msiexec.exe
Token: SeTcbPrivilege	2988	msiexec.exe
Token: SeSecurityPrivilege	2988	msiexec.exe
Token: SeTakeOwnershipPrivilege	2988	msiexec.exe
Token: SeLoadDriverPrivilege	2988	msiexec.exe
Token: SeSystemProfilePrivilege	2988	msiexec.exe
Token: SeSystemtimePrivilege	2988	msiexec.exe
Token: SeProfSingleProcessPrivilege	2988	msiexec.exe
Token: SeIncBasePriorityPrivilege	2988	msiexec.exe
Token: SeCreatePagefilePrivilege	2988	msiexec.exe
Token: SeCreatePermanentPrivilege	2988	msiexec.exe
Token: SeBackupPrivilege	2988	msiexec.exe
Token: SeRestorePrivilege	2988	msiexec.exe
Token: SeShutdownPrivilege	2988	msiexec.exe
Token: SeDebugPrivilege	2988	msiexec.exe
Token: SeAuditPrivilege	2988	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2988	msiexec.exe
Token: SeChangeNotifyPrivilege	2988	msiexec.exe
Token: SeRemoteShutdownPrivilege	2988	msiexec.exe
Token: SeUndockPrivilege	2988	msiexec.exe
Token: SeSyncAgentPrivilege	2988	msiexec.exe
Token: SeEnableDelegationPrivilege	2988	msiexec.exe
Token: SeManageVolumePrivilege	2988	msiexec.exe
Token: SeImpersonatePrivilege	2988	msiexec.exe
Token: SeCreateGlobalPrivilege	2988	msiexec.exe
Token: SeCreateTokenPrivilege	2988	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2988	msiexec.exe
Token: SeLockMemoryPrivilege	2988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2988	msiexec.exe
Token: SeMachineAccountPrivilege	2988	msiexec.exe
Token: SeTcbPrivilege	2988	msiexec.exe
Token: SeSecurityPrivilege	2988	msiexec.exe
Token: SeTakeOwnershipPrivilege	2988	msiexec.exe
Token: SeLoadDriverPrivilege	2988	msiexec.exe
Token: SeSystemProfilePrivilege	2988	msiexec.exe
Token: SeSystemtimePrivilege	2988	msiexec.exe
Token: SeProfSingleProcessPrivilege	2988	msiexec.exe
Token: SeIncBasePriorityPrivilege	2988	msiexec.exe
Token: SeCreatePagefilePrivilege	2988	msiexec.exe
Token: SeCreatePermanentPrivilege	2988	msiexec.exe
Token: SeBackupPrivilege	2988	msiexec.exe
Token: SeRestorePrivilege	2988	msiexec.exe
Token: SeShutdownPrivilege	2988	msiexec.exe
Token: SeDebugPrivilege	2988	msiexec.exe
Token: SeAuditPrivilege	2988	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2988	msiexec.exe
Token: SeChangeNotifyPrivilege	2988	msiexec.exe
Token: SeRemoteShutdownPrivilege	2988	msiexec.exe
Token: SeUndockPrivilege	2988	msiexec.exe
Token: SeSyncAgentPrivilege	2988	msiexec.exe
Token: SeEnableDelegationPrivilege	2988	msiexec.exe
Token: SeManageVolumePrivilege	2988	msiexec.exe
Token: SeImpersonatePrivilege	2988	msiexec.exe
Token: SeCreateGlobalPrivilege	2988	msiexec.exe
Token: SeCreateTokenPrivilege	2988	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2988	msiexec.exe
Token: SeLockMemoryPrivilege	2988	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2988 msiexec.exe

pid	process
2988	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4264 wrote to memory of 4760	4264	msiexec.exe	MsiExec.exe
PID 4264 wrote to memory of 4760	4264	msiexec.exe	MsiExec.exe
PID 4264 wrote to memory of 4760	4264	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\X-TPM.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B80DB456181AF7B24B31B88A05B382A3 C
2⤵
- Loads dropped DLL
PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI4A67.tmp
Filesize
559KB

MD5
fe4d2f9cad2f30990e8f845d4052c2fd

SHA1
3c2ebd01fdd78f2424d8c76e36404933e4a71a11

SHA256
1e28349bf342dd176ff7a899b73e7a1b5792c95e099212a72d7dfe9e75836695

SHA512
6dd5d5d30002d18d37a1068730657c84142bf0bd81cc9aab6bcb67286b4f4dd5b77e3b8fb3e6356ea86e26a79805e50a33e686859f5d9e065129a34b7cac66f4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads