Analysis
- max time kernel: 145s
- max time network: 159s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 27-04-2024 22:43
Static task: static1
Behavioral task: behavioral1
- Sample: X-TPM.msi
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: X-TPM.msi
- Resource: win10v2004-20240419-en
Behavioral task: behavioral3
- Sample: X-TPM.msi
- Resource: win11-20240419-en
General
- Target: X-TPM.msi
- Size: 41.1MB
- MD5: 1c3ae290b4057032b76e189009cbeaf0
- SHA1: 06d5dc01195e2f499806e76049b6c3a28fa029d0
- SHA256: ac0ad6fa6a84cd64a77bd52cb09bf01213b6e2bccccd09d7dabea222419a3bc6
- SHA512: e9cbea7a43e2fdaf8233a64c89f52c47eb80ac5489f249d9dc8656898c83b01626e7b8fd94525209098ce8a8828874875bed856d1741f0d603ad3fd771d9a64a
- SSDEEP: 786432:QA2pJpNITFIyP9uI4SD+o/iNmvYMONJfzYj40ZNhUmfIyU3rzyAB2AeS75/3e1C:QVnD2FIyP9uI8o0lJfi40ZNjj2Xy49e8
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Loads dropped DLL (6 IoCs)
  Processes: PID 4760 MsiExec.exe (6 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: PID 2988 msiexec.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / PID / process / target process):
  - PID 4264 wrote to memory of 4760 / 4264 / msiexec.exe / MsiExec.exe
  - PID 4264 wrote to memory of 4760 / 4264 / msiexec.exe / MsiExec.exe
  - PID 4264 wrote to memory of 4760 / 4264 / msiexec.exe / MsiExec.exe
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\X-TPM.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B80DB456181AF7B24B31B88A05B382A3 C
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSI4A67.tmp
  Filesize: 559KB
  MD5: fe4d2f9cad2f30990e8f845d4052c2fd
  SHA1: 3c2ebd01fdd78f2424d8c76e36404933e4a71a11
  SHA256: 1e28349bf342dd176ff7a899b73e7a1b5792c95e099212a72d7dfe9e75836695
  SHA512: 6dd5d5d30002d18d37a1068730657c84142bf0bd81cc9aab6bcb67286b4f4dd5b77e3b8fb3e6356ea86e26a79805e50a33e686859f5d9e065129a34b7cac66f4