7905df7457eea6b6c6d9f521a587121dd2bf5737d9b62454f7e6473fe7cddf21

Resubmissions

27-04-2024 22:49

240427-2rth2aad39 10

27-04-2024 22:47

240427-2qnamaac87 3

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.msi
Size

8.4MB
MD5

7d0e7e9083315bddec9bbc60fbf30ba3
SHA1

008eb06db4a300ae988ea004503382bec53f0743
SHA256

572e7f82c29a2be6f927cb28c1125eb4f7e62f0d5e82e8489706a64e8e8302e2
SHA512

8678ee4b95226e57d4ed867a3cec5827b01389e4542dccab48e11b10b14966117c698c4bd4e02ed752fb8383459a12b1d6cde3a6fdbe9bb87f4005ae72cab0bc
SSDEEP

196608:KN6gYGIfVlhQ+gtODuwjWT6mPY6T/9dFr5Wfbr:KD3IfVlhQ+glwY6ArT6fb

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI98AB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f768115.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f768112.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI86FE.tmp	msiexec.exe
File created	C:\Windows\Installer\f768117.msi	msiexec.exe
File created	C:\Windows\Installer\f768112.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8509.tmp	msiexec.exe
File created	C:\Windows\Installer\f768115.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Loads dropped DLL 4 IoCs

Processes:

MsiExec.exe

pid process

2844 MsiExec.exe
2844 MsiExec.exe
2844 MsiExec.exe
2844 MsiExec.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exemsiexec.exe

pid process

2696 powershell.exe
2220 msiexec.exe
2220 msiexec.exe

pid	process
2844	MsiExec.exe
2844	MsiExec.exe
2844	MsiExec.exe
2844	MsiExec.exe

pid	process
2696	powershell.exe
2220	msiexec.exe
2220	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2756	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeSecurityPrivilege	2220	msiexec.exe
Token: SeCreateTokenPrivilege	2756	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2756	msiexec.exe
Token: SeLockMemoryPrivilege	2756	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2756	msiexec.exe
Token: SeMachineAccountPrivilege	2756	msiexec.exe
Token: SeTcbPrivilege	2756	msiexec.exe
Token: SeSecurityPrivilege	2756	msiexec.exe
Token: SeTakeOwnershipPrivilege	2756	msiexec.exe
Token: SeLoadDriverPrivilege	2756	msiexec.exe
Token: SeSystemProfilePrivilege	2756	msiexec.exe
Token: SeSystemtimePrivilege	2756	msiexec.exe
Token: SeProfSingleProcessPrivilege	2756	msiexec.exe
Token: SeIncBasePriorityPrivilege	2756	msiexec.exe
Token: SeCreatePagefilePrivilege	2756	msiexec.exe
Token: SeCreatePermanentPrivilege	2756	msiexec.exe
Token: SeBackupPrivilege	2756	msiexec.exe
Token: SeRestorePrivilege	2756	msiexec.exe
Token: SeShutdownPrivilege	2756	msiexec.exe
Token: SeDebugPrivilege	2756	msiexec.exe
Token: SeAuditPrivilege	2756	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2756	msiexec.exe
Token: SeChangeNotifyPrivilege	2756	msiexec.exe
Token: SeRemoteShutdownPrivilege	2756	msiexec.exe
Token: SeUndockPrivilege	2756	msiexec.exe
Token: SeSyncAgentPrivilege	2756	msiexec.exe
Token: SeEnableDelegationPrivilege	2756	msiexec.exe
Token: SeManageVolumePrivilege	2756	msiexec.exe
Token: SeImpersonatePrivilege	2756	msiexec.exe
Token: SeCreateGlobalPrivilege	2756	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2756 msiexec.exe
2756 msiexec.exe

pid	process
2756	msiexec.exe
2756	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 2220 wrote to memory of 2844	2220	msiexec.exe	MsiExec.exe
PID 2220 wrote to memory of 2844	2220	msiexec.exe	MsiExec.exe
PID 2220 wrote to memory of 2844	2220	msiexec.exe	MsiExec.exe
PID 2220 wrote to memory of 2844	2220	msiexec.exe	MsiExec.exe
PID 2220 wrote to memory of 2844	2220	msiexec.exe	MsiExec.exe
PID 2220 wrote to memory of 2844	2220	msiexec.exe	MsiExec.exe
PID 2220 wrote to memory of 2844	2220	msiexec.exe	MsiExec.exe
PID 2844 wrote to memory of 2696	2844	MsiExec.exe	powershell.exe
PID 2844 wrote to memory of 2696	2844	MsiExec.exe	powershell.exe
PID 2844 wrote to memory of 2696	2844	MsiExec.exe	powershell.exe
PID 2844 wrote to memory of 2696	2844	MsiExec.exe	powershell.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2756

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A31B46C1B271D0DB86FC5134D459310E
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss895E.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi894C.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr894D.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr894E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f768116.rbs

Filesize
17KB

MD5
a5ff96315d8e674244880886ad0b4910

SHA1
c4add0479ef6c53da5e54cac0b01ddac171b769f

SHA256
2fa98c9df133aee62fc6ce41954cb4e6dce749474183af5a15908af546053a65

SHA512
772d276d99c2482dd7724a40fefcf1708f2cf3bf5e3955118206c696340b37c7b17a636fedce7ee1782039c33cb45b150520bfe737abe71d234cfe9c3e41df6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msi894C.txt

Filesize
42B

MD5
0fb609a6d2027ec24eb33cf64bd95b20

SHA1
ec07f4535b17f362ba12924d62fd952a93e61547

SHA256
b9227e3366d64bcf11da5683b8fc1d5e10afa40b66434ddb7b279f835a9401c9

SHA512
cc522dfac8b6958b97cc495af936b7c716199d1b257f3aa4f9eaf08a78f003c5a4ea8b90ab506db46ea751988d51b0f99bea9fdbcc46037b4c0997ccb86557b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss895E.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr894D.ps1

Filesize
542B

MD5
753240f3d0c58563dcba1244db69b0d7

SHA1
4a0f248fccc2431ece50f717cbf80f6681504932

SHA256
e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a

SHA512
03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9

Download Submit
C:\Users\Admin\AppData\Roaming\publub\DuvApp\libgcrypt-20.dll

Filesize
792KB

MD5
ed2da404c1bc70efc1a249f609a9cedd

SHA1
8abbf1a5b85d678385764cceb7457988beaf5117

SHA256
b4acc6c738ec4a72209ec67f3c1f8fd7e23fe4fe493686d2bc5c59dca26b9ac5

SHA512
ad997bd588c7c9867b198a0c4233d842a760176df653b457580bb6b6c9ccb1c751d999aba80de36182d42ea6549335ff6c67b3134655d60bf1e51fce1d93ec6b

Download Submit
C:\Windows\Installer\MSI81AE.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSI86FE.tmp

Filesize
758KB

MD5
fb4665320c9da54598321c59cc5ed623

SHA1
89e87b3cc569edd26b5805244cfacb2f9c892bc7

SHA256
9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59

SHA512
b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

Download Submit
C:\Windows\Installer\f768112.msi

Filesize
8.4MB

MD5
7d0e7e9083315bddec9bbc60fbf30ba3

SHA1
008eb06db4a300ae988ea004503382bec53f0743

SHA256
572e7f82c29a2be6f927cb28c1125eb4f7e62f0d5e82e8489706a64e8e8302e2

SHA512
8678ee4b95226e57d4ed867a3cec5827b01389e4542dccab48e11b10b14966117c698c4bd4e02ed752fb8383459a12b1d6cde3a6fdbe9bb87f4005ae72cab0bc

Download Submit