Analysis
- max time kernel: 135s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-es, locale:es-es, os:windows10-2004-x64, system:windows
- submitted: 03-05-2024 17:03
Behavioral task behavioral1
- Sample: c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5.msi
- Resource: win7-20240215-es
Behavioral task behavioral2
- Sample: c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5.msi
- Resource: win10v2004-20240419-es
General
- Target: c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5.msi
- Size: 13.7MB
- MD5: b9f84cbf370857a27761d54dae9a31f0
- SHA1: db4b996018577044895978e48fe1244d639eeb93
- SHA256: c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5
- SHA512: be6b60499906bd5b5e52e7685980d5a1648a4f8a82b81d05a8d7da46ae01e9cd1a852db0e8af4993e391dbfbee39f83808aa942667083fc504871b43762104a6
- SSDEEP: 98304:DtNkaeb7Yp7pRFjr+fTHopNj2AGvCg5P2hyzJGuvPEsxNg9Lkh8l480:DebGX0HuNABQyNPEsDKwS
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 5, pid 4896, process MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe, in the order logged:
  \??\E: \??\G: \??\N: \??\W: \??\Z: \??\I: \??\N: \??\Q: \??\B: \??\W: \??\B: \??\K:
  \??\L: \??\U: \??\V: \??\R: \??\M: \??\S: \??\Y: \??\H: \??\X: \??\G: \??\V: \??\A:
  \??\J: \??\M: \??\Y: \??\J: \??\L: \??\O: \??\T: \??\U: \??\R: \??\S: \??\H: \??\E:
  \??\P: \??\I: \??\P: \??\T: \??\Z: \??\A: \??\X: \??\O: \??\Q: \??\K:
- Drops file in Windows directory (12 IoCs)
  File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI4309.tmp (msiexec.exe)
  File created: C:\Windows\Installer\e574100.msi (msiexec.exe)
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI41FB.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI421C.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI422C.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\e574100.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI416E.tmp (msiexec.exe)
  File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  File created: C:\Windows\Installer\SourceHash{H8OSMGOH-8VK7-65CZ-LV3M-JB8R8FVJLT0R} (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI42BA.tmp (msiexec.exe)
- Loads dropped DLL (5 IoCs)
  pid 4896 MsiExec.exe, logged 5 times
- Program crash (1 IoC)
  pid 2200 WerFault.exe, pid_target 4896, procid_target 86
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3664 msiexec.exe, logged twice
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  pid 2652 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  pid 3664 msiexec.exe: SeSecurityPrivilege
  pid 2652 msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege,
  SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege,
  SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege,
  SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege,
  SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
  SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege,
  SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege,
  SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 3664 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege,
  SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege,
  SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege,
  SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege,
  SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege,
  SeTakeOwnershipPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2652 msiexec.exe, logged twice
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 4896 MsiExec.exe, logged 3 times
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3664 (msiexec.exe) wrote to memory of 4896, procid_target 86, logged 3 times
Processes
- C:\Windows\system32\msiexec.exe (PID 2652, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c0a3de641576cce67bbeb6c58c776f73d86e09ee89d37570c724071bf848afc5.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3664, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 4896, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3736DE07D71FE001F13E52F83093BCED
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WerFault.exe (PID 2200, depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1296
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2320, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4896 -ip 4896
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 554KB
  MD5: 3b171ce087bb799aafcbbd93bab27f71
  SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
  SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
  SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38
- Filesize: 12.6MB
  MD5: f93953ae688e969695943a1948920507
  SHA1: 72e6b4e6b43cd6978e54d50771c8f74cf19110bd
  SHA256: 8b233d87ce4e5e7795bad1c4011e0ac922a344a2d584ebc7070e07d2166f90e6
  SHA512: 086b2f8bf0f9e8412e5339ac18791fd10404e889de23d065c8351a63f1d527034d3bd97352bd697eb9e621c0fb4414f496531e501da391a1d9d1f6e94ca7cfdf