Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 09:59
Static task: static1
Behavioral task: behavioral1
  Sample: 0dae1e15c6646388022b6e2cc42f68b8bfde13788c058da910b6964702d0f49e.msi
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 0dae1e15c6646388022b6e2cc42f68b8bfde13788c058da910b6964702d0f49e.msi
  Resource: win10v2004-20240508-en
General
- Target: 0dae1e15c6646388022b6e2cc42f68b8bfde13788c058da910b6964702d0f49e.msi
- Size: 20.0MB
- MD5: 03766b0b5b499a0b74b00e30ef8ddfc9
- SHA1: c228b53117e28553e5eb392d932c2d0873cb8252
- SHA256: 0dae1e15c6646388022b6e2cc42f68b8bfde13788c058da910b6964702d0f49e
- SHA512: a970821edc247afcc96671cd25e2eb3c2accfa949c9bf6a2826134cebc3fe83658e46cb066a595f19581be9ba537f398f2e944d4dccce26b9e7555d3a3f67a28
- SSDEEP: 196608:Ya++UP3yS4F0PIHrKjvOSEyOd37sc0/r/dolYrZjO:Ya+uJBOjvwZ8/r/7Zq
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: msiexec.exe (all 46 entries)
  ioc, in the order reported:
  \??\I: \??\K: \??\R: \??\S: \??\V: \??\J: \??\L: \??\A: \??\T: \??\M: \??\L: \??\N:
  \??\N: \??\R: \??\S: \??\G: \??\M: \??\P: \??\U: \??\H: \??\O: \??\T: \??\W: \??\K:
  \??\X: \??\B: \??\E: \??\Q: \??\V: \??\W: \??\Y: \??\A: \??\Y: \??\Z: \??\B: \??\G:
  \??\I: \??\O: \??\J: \??\P: \??\Q: \??\U: \??\X: \??\H: \??\Z: \??\E:
- Drops file in Windows directory (10 IoCs)
  description, ioc, Process:
  File opened for modification  C:\Windows\Installer\f7614a9.msi   msiexec.exe
  File opened for modification  C:\Windows\Installer\              msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI17D9.tmp   msiexec.exe
  File created                  C:\Windows\Installer\f7614a9.msi   msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI1507.tmp   msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI15F2.tmp   msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI1631.tmp   msiexec.exe
  File created                  C:\Windows\Installer\f7614ac.ipi   msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI17B8.tmp   msiexec.exe
  File opened for modification  C:\Windows\Installer\f7614ac.ipi   msiexec.exe
- Loads dropped DLL (4 IoCs)
  pid 2672, Process MsiExec.exe (4 entries)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2492, Process msiexec.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  description (Token), pid, Process: every entry is msiexec.exe; the pid is given in parentheses, in the order reported:
  SeShutdownPrivilege (2092), SeIncreaseQuotaPrivilege (2092), SeRestorePrivilege (2492), SeTakeOwnershipPrivilege (2492), SeSecurityPrivilege (2492),
  SeCreateTokenPrivilege (2092), SeAssignPrimaryTokenPrivilege (2092), SeLockMemoryPrivilege (2092), SeIncreaseQuotaPrivilege (2092), SeMachineAccountPrivilege (2092),
  SeTcbPrivilege (2092), SeSecurityPrivilege (2092), SeTakeOwnershipPrivilege (2092), SeLoadDriverPrivilege (2092), SeSystemProfilePrivilege (2092),
  SeSystemtimePrivilege (2092), SeProfSingleProcessPrivilege (2092), SeIncBasePriorityPrivilege (2092), SeCreatePagefilePrivilege (2092), SeCreatePermanentPrivilege (2092),
  SeBackupPrivilege (2092), SeRestorePrivilege (2092), SeShutdownPrivilege (2092), SeDebugPrivilege (2092), SeAuditPrivilege (2092),
  SeSystemEnvironmentPrivilege (2092), SeChangeNotifyPrivilege (2092), SeRemoteShutdownPrivilege (2092), SeUndockPrivilege (2092), SeSyncAgentPrivilege (2092),
  SeEnableDelegationPrivilege (2092), SeManageVolumePrivilege (2092), SeImpersonatePrivilege (2092), SeCreateGlobalPrivilege (2092),
  then SeRestorePrivilege (2492) and SeTakeOwnershipPrivilege (2492) alternating, 9 pairs (18 entries)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2092, Process msiexec.exe (2 entries)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2672, Process MsiExec.exe (3 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2492 wrote to memory of 2672; pid 2492; Process msiexec.exe; procid_target 29 (7 identical entries)
Processes
- C:\Windows\system32\msiexec.exe (PID 2092)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0dae1e15c6646388022b6e2cc42f68b8bfde13788c058da910b6964702d0f49e.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2492)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2672, child of 2492)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 24A0CEBBE986DE2915FCDBA74DC200C1
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 618B
  MD5: 652151a3edcf5de19ee7b93e49a3ec18
  SHA1: b91cc3738ed905c7a23a0b97f67761c3a6bcf7f2
  SHA256: 5fb6cddd6b0b626ea9ced44503ad1764f2f9bde72a8bf987f94d6976f039a278
  SHA512: 7fbad8328a9fb29e16510650a83a3a9961333153ddc5945acc0a0d5eec294815258329692b600fb93a0230155d800475c531a66b573556233ab81e7271fe5295
- Filesize: 18.8MB
  MD5: 8cc479cfdbbc3aac07a49d58a47ced81
  SHA1: b0153242fa9f8b5646eb0d77fca62d338908fc2b
  SHA256: 22ea13c175a4bb34b6095150a0ba93a6b640ca3b4b0d5f52f35338359ac25f05
  SHA512: bf8c54b99cb6237aadcf19f1a35cbe222ee6419194e7ba83673fee6557a92da29b8c10c09c4f9399c52378fcebb546b4782c216a8c9c0757d3b5ad216f0e0cde
- Filesize: 554KB
  MD5: 3b171ce087bb799aafcbbd93bab27f71
  SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
  SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
  SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38