b089485a125e744a166fc05cef1ec2ed5eeaa51b12f3b8e8d0adc73e7579cc5a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b089485a125e744a166fc05cef1ec2ed5eeaa51b12f3b8e8d0adc73e7579cc5a.msi
Size

35.0MB
MD5

f21f1b608d45926927f6178511bdd579
SHA1

a1a251359d7cea7dfeb52d1314bc460144533eca
SHA256

b089485a125e744a166fc05cef1ec2ed5eeaa51b12f3b8e8d0adc73e7579cc5a
SHA512

66521db47efc6a6f82693330af0e612886e7f0f13c7737da6459c0abb937ad1cbcd1376dc9fbddd6d78af551bc38913871e2e21e48e8d5ed630377b523e8f276
SSDEEP

786432:tlC27h2QVu9cCct5rB9rIX9gW6cnzELhEe2x53gpY:tldA+ptO2Cnne2xUY

Score

6^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2988	msiexec.exe
5	2988	msiexec.exe
7	2988	msiexec.exe
8	2012	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f762c5e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3074.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI30C3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f762c63.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f762c61.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f762c5e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3151.tmp	msiexec.exe
File created	C:\Windows\Installer\f762c61.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3557.tmp	msiexec.exe

Loads dropped DLL 4 IoCs

pid	Process
772	MsiExec.exe
772	MsiExec.exe
772	MsiExec.exe
772	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1852	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1852	powershell.exe
2012	msiexec.exe
2012	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2988	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeSecurityPrivilege	2012	msiexec.exe
Token: SeCreateTokenPrivilege	2988	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2988	msiexec.exe
Token: SeLockMemoryPrivilege	2988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2988	msiexec.exe
Token: SeMachineAccountPrivilege	2988	msiexec.exe
Token: SeTcbPrivilege	2988	msiexec.exe
Token: SeSecurityPrivilege	2988	msiexec.exe
Token: SeTakeOwnershipPrivilege	2988	msiexec.exe
Token: SeLoadDriverPrivilege	2988	msiexec.exe
Token: SeSystemProfilePrivilege	2988	msiexec.exe
Token: SeSystemtimePrivilege	2988	msiexec.exe
Token: SeProfSingleProcessPrivilege	2988	msiexec.exe
Token: SeIncBasePriorityPrivilege	2988	msiexec.exe
Token: SeCreatePagefilePrivilege	2988	msiexec.exe
Token: SeCreatePermanentPrivilege	2988	msiexec.exe
Token: SeBackupPrivilege	2988	msiexec.exe
Token: SeRestorePrivilege	2988	msiexec.exe
Token: SeShutdownPrivilege	2988	msiexec.exe
Token: SeDebugPrivilege	2988	msiexec.exe
Token: SeAuditPrivilege	2988	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2988	msiexec.exe
Token: SeChangeNotifyPrivilege	2988	msiexec.exe
Token: SeRemoteShutdownPrivilege	2988	msiexec.exe
Token: SeUndockPrivilege	2988	msiexec.exe
Token: SeSyncAgentPrivilege	2988	msiexec.exe
Token: SeEnableDelegationPrivilege	2988	msiexec.exe
Token: SeManageVolumePrivilege	2988	msiexec.exe
Token: SeImpersonatePrivilege	2988	msiexec.exe
Token: SeCreateGlobalPrivilege	2988	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2988	msiexec.exe
2988	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 772	2012	msiexec.exe	29
PID 2012 wrote to memory of 772	2012	msiexec.exe	29
PID 2012 wrote to memory of 772	2012	msiexec.exe	29
PID 2012 wrote to memory of 772	2012	msiexec.exe	29
PID 2012 wrote to memory of 772	2012	msiexec.exe	29
PID 2012 wrote to memory of 772	2012	msiexec.exe	29
PID 2012 wrote to memory of 772	2012	msiexec.exe	29
PID 772 wrote to memory of 1852	772	MsiExec.exe	30
PID 772 wrote to memory of 1852	772	MsiExec.exe	30
PID 772 wrote to memory of 1852	772	MsiExec.exe	30
PID 772 wrote to memory of 1852	772	MsiExec.exe	30

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b089485a125e744a166fc05cef1ec2ed5eeaa51b12f3b8e8d0adc73e7579cc5a.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADE1D9C0DDDC29D576404620C103BA0E
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss319E.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi319B.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr319C.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr319D.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f762c62.rbs

Filesize
18KB

MD5
92d15d9d66dddcc4e826b8b5707179b2

SHA1
261a99f7dd42c0edb1393ecd5a2e5b397da81537

SHA256
de53c468ed9447d3e7291dfb191358687c5bc2662b86d9bdf45929355c999d21

SHA512
7fbc589370acd7f7c392f0e05cbd9401d136234160f6840c097bba847bf3d80625f3dfaad8d966930d1085408233a24e1fc47e59c987d223df24f3ae740fdf09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

Filesize
1KB

MD5
e94fb54871208c00df70f708ac47085b

SHA1
4efc31460c619ecae59c1bce2c008036d94c84b8

SHA256
7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

SHA512
2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72306638196ad3fb54b9dc5f0c8930e0

SHA1
c36e2897f19133fdc2b1b291e7bfc71902892c96

SHA256
bf3c651c4f5ba5cebd9af6d21b2302cefb45b6dd9c51a8569afbb79300760528

SHA512
45adf116b1e4bb9edd138fffc055995d6ba7c2d7fea440ef8459c5a9687d5394a64367dc03c034e873d03c1d0914fa47ae8bb9164ad0afa88967962060bacc2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

Filesize
264B

MD5
a60c2a14e13a34af09f98daba3799b9e

SHA1
ba304278ee290e5c7ed3d4ae07c8b1fc4a01f308

SHA256
0d0f26448f79d6ef82d0064ff3cda2acbd66a0dd99f8f9f4982a7aaa55b0409c

SHA512
88f92ef48c0ba365a28cb14ed7c811538604497b3d9cc36c712b1297e5e9650e7f94734273fb175784595a44d2da7ab8fc6fb52c965e1c29a556a09f93c69d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2AA0.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msi319B.txt

Filesize
54B

MD5
db420131f396adc6189eb74ccab4ef61

SHA1
f7a0653289e00ae8a37836e4bb0c484a5434f4db

SHA256
20712a091c0903c153ec0394f349e4e687fc16980c77434fab8af6c768b4de22

SHA512
8f29ec5eae268faa330bc71859bada8e36b6f53e27d819dff04451de2cb644307c80f64f71b5768906a6c5eb28e5e77f4a1b23dde01bbfa0e6b9575c4fd92f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss319E.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr319C.ps1

Filesize
558B

MD5
32aaf95e81f7c25950c11c53615c753a

SHA1
603ae202e859261d2ea09ac44f84d98a44007316

SHA256
e523cdefc4d381fd0bb040f80f8ebcba9a022c7b731d1e3fba27ef0ad8643a58

SHA512
4076c6b5a77ebc5c5e02c28269cf4751644a508c9661806e7560664e9c9379c808ca8c0860e6efd4ea3c837edbcbc4b20060413012e5f446f17a44efcef517db

Download Submit
C:\Users\Admin\AppData\Roaming\Vuis Queue\AppQue\libgcrypt-20.dll

Filesize
975KB

MD5
24dac6152c216a1b7b1afef7c36e2b65

SHA1
a832467931f07b3f41772d89feb194a90be4119b

SHA256
784af4a0d287a6611d5ee4fda32e31d7b3d5afcd14bca75d2564bb9f0045b449

SHA512
b4da7fe3e32fe1dc89197ec4f0a84c1cb38ff4d872f842f4692d1520e2b39efd2d7e3b928a8e225d2504aadf72a923ed7ee7e3552988c6365b9b30358912d6ce

Download Submit
C:\Windows\Installer\MSI2F89.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSI3151.tmp

Filesize
758KB

MD5
fb4665320c9da54598321c59cc5ed623

SHA1
89e87b3cc569edd26b5805244cfacb2f9c892bc7

SHA256
9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59

SHA512
b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

Download Submit
C:\Windows\Installer\f762c5e.msi

Filesize
35.0MB

MD5
f21f1b608d45926927f6178511bdd579

SHA1
a1a251359d7cea7dfeb52d1314bc460144533eca

SHA256
b089485a125e744a166fc05cef1ec2ed5eeaa51b12f3b8e8d0adc73e7579cc5a

SHA512
66521db47efc6a6f82693330af0e612886e7f0f13c7737da6459c0abb937ad1cbcd1376dc9fbddd6d78af551bc38913871e2e21e48e8d5ed630377b523e8f276

Download Submit