b089485a125e744a166fc05cef1ec2ed5eeaa51b12f3b8e8d0adc73e7579cc5a

Analysis

max time kernel
124s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b089485a125e744a166fc05cef1ec2ed5eeaa51b12f3b8e8d0adc73e7579cc5a.msi
Size

35.0MB
MD5

f21f1b608d45926927f6178511bdd579
SHA1

a1a251359d7cea7dfeb52d1314bc460144533eca
SHA256

b089485a125e744a166fc05cef1ec2ed5eeaa51b12f3b8e8d0adc73e7579cc5a
SHA512

66521db47efc6a6f82693330af0e612886e7f0f13c7737da6459c0abb937ad1cbcd1376dc9fbddd6d78af551bc38913871e2e21e48e8d5ed630377b523e8f276
SSDEEP

786432:tlC27h2QVu9cCct5rB9rIX9gW6cnzELhEe2x53gpY:tldA+ptO2Cnne2xUY

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	4740	msiexec.exe
4	4740	msiexec.exe
6	4740	msiexec.exe
27	5036	powershell.exe
28	5036	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF59E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f32e.msi	msiexec.exe
File created	C:\Windows\Installer\e57f32a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4B1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF424.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF62B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF520.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f32a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF67B.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2E67F7BB-C4ED-4EB2-B18A-C07C9C672006}	msiexec.exe

Loads dropped DLL 6 IoCs

pid	Process
852	MsiExec.exe
852	MsiExec.exe
852	MsiExec.exe
852	MsiExec.exe
852	MsiExec.exe
852	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5036	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
1652	msiexec.exe
1652	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4740	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4740	msiexec.exe
Token: SeSecurityPrivilege	1652	msiexec.exe
Token: SeCreateTokenPrivilege	4740	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4740	msiexec.exe
Token: SeLockMemoryPrivilege	4740	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4740	msiexec.exe
Token: SeMachineAccountPrivilege	4740	msiexec.exe
Token: SeTcbPrivilege	4740	msiexec.exe
Token: SeSecurityPrivilege	4740	msiexec.exe
Token: SeTakeOwnershipPrivilege	4740	msiexec.exe
Token: SeLoadDriverPrivilege	4740	msiexec.exe
Token: SeSystemProfilePrivilege	4740	msiexec.exe
Token: SeSystemtimePrivilege	4740	msiexec.exe
Token: SeProfSingleProcessPrivilege	4740	msiexec.exe
Token: SeIncBasePriorityPrivilege	4740	msiexec.exe
Token: SeCreatePagefilePrivilege	4740	msiexec.exe
Token: SeCreatePermanentPrivilege	4740	msiexec.exe
Token: SeBackupPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	4740	msiexec.exe
Token: SeShutdownPrivilege	4740	msiexec.exe
Token: SeDebugPrivilege	4740	msiexec.exe
Token: SeAuditPrivilege	4740	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4740	msiexec.exe
Token: SeChangeNotifyPrivilege	4740	msiexec.exe
Token: SeRemoteShutdownPrivilege	4740	msiexec.exe
Token: SeUndockPrivilege	4740	msiexec.exe
Token: SeSyncAgentPrivilege	4740	msiexec.exe
Token: SeEnableDelegationPrivilege	4740	msiexec.exe
Token: SeManageVolumePrivilege	4740	msiexec.exe
Token: SeImpersonatePrivilege	4740	msiexec.exe
Token: SeCreateGlobalPrivilege	4740	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4740	msiexec.exe
4740	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 852	1652	msiexec.exe	94
PID 1652 wrote to memory of 852	1652	msiexec.exe	94
PID 1652 wrote to memory of 852	1652	msiexec.exe	94
PID 852 wrote to memory of 5036	852	MsiExec.exe	95
PID 852 wrote to memory of 5036	852	MsiExec.exe	95
PID 852 wrote to memory of 5036	852	MsiExec.exe	95

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b089485a125e744a166fc05cef1ec2ed5eeaa51b12f3b8e8d0adc73e7579cc5a.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AE20E36B326E7A81373DE97563511E78
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssF7D0.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiF7BE.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrF7BF.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrF7C0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3608,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:8
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f32d.rbs

Filesize
19KB

MD5
e4a6002e0cc74cda580d50012606cabc

SHA1
6cc4ec466249367ef6faa501e1375b02ba5468de

SHA256
d270daf9add2c361af4244f48488907b7f889bb953f6b1c24e21bdb2739d11ae

SHA512
8db1cc73b067916a1905bf2931662a0bdd430ac7db6497055831b88e058e1f708d41b852ecc66ba555f3c1f60800e9fabac5a579cd7135f65c0cf4eef79c882c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_E049417E5C2A0ECD64032982D0A31504

Filesize
1KB

MD5
7f1db845fad6869ca96884fdb6ab3096

SHA1
df2ffe31d0d2984c421d4bfd52dcb1dba6e47e8d

SHA256
636b6a448251cf920d10bd74279c0755b2b7d97b4df0e481472c777aea5b62e8

SHA512
17810f7d019dc72734e09f0b2eb6194becf03094507e89c68e1ad93bc83491274b5b352d07eefa49d14c2d26f6d78ece31173d46e93bfc6fa8b3cbad1bd4d62b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
04b0628ef44e98d51f856ad56f9d2bfb

SHA1
b79b2a8f11841e803e7842968667186a7ac139ed

SHA256
a15302934d0d87194efb22bc08857c100c279a3adc7e7a510298bf12c3d7535a

SHA512
2b258e29ec20507bc189f1ea437a7338a698fdde79e7057c10ae3a86c4a7b177b78366276af55e1f51fa325dd49f9ba588d880311c8070fb5744cadabe0f2a99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_E049417E5C2A0ECD64032982D0A31504

Filesize
536B

MD5
4aa85d4dd2834b269590bfdf95418503

SHA1
932104d868996ecba410ab4c8347a7a43437296b

SHA256
39624c0628c06cdbcfb48294f76a67e5c2d509fda9d84c68d93412e3cc90a24a

SHA512
d33a1009a0761f463152dcf3c5481a4f3cf41218fd0872f3f5c79a65d125099a7a7f6c41216d433d4724d0b94523fc395fad8fc74b6719d0395b64eb2c695abe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
4a157f34f4a25f5c2bf5917ae6de8a09

SHA1
8172951cb03bab6bd6365e3a2fca9ade0cea90cf

SHA256
50e1a5c1e3eaae694cc4569e65655ed755c40434257776ebb5c829699787a245

SHA512
7f4a4af0e9e630cc19ddcf38f2ff74094686f9ae3e001b5b1bcb78a6f31040604f29813af5647a552d63a8150bdea6935f4e4b367eda6a2b279f4b6f7460a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k2jpcyp4.hpc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiF7BE.txt

Filesize
54B

MD5
db420131f396adc6189eb74ccab4ef61

SHA1
f7a0653289e00ae8a37836e4bb0c484a5434f4db

SHA256
20712a091c0903c153ec0394f349e4e687fc16980c77434fab8af6c768b4de22

SHA512
8f29ec5eae268faa330bc71859bada8e36b6f53e27d819dff04451de2cb644307c80f64f71b5768906a6c5eb28e5e77f4a1b23dde01bbfa0e6b9575c4fd92f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssF7D0.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrF7BF.ps1

Filesize
558B

MD5
32aaf95e81f7c25950c11c53615c753a

SHA1
603ae202e859261d2ea09ac44f84d98a44007316

SHA256
e523cdefc4d381fd0bb040f80f8ebcba9a022c7b731d1e3fba27ef0ad8643a58

SHA512
4076c6b5a77ebc5c5e02c28269cf4751644a508c9661806e7560664e9c9379c808ca8c0860e6efd4ea3c837edbcbc4b20060413012e5f446f17a44efcef517db

Download Submit
C:\Users\Admin\AppData\Roaming\Vuis Queue\AppQue\libgcrypt-20.dll

Filesize
975KB

MD5
24dac6152c216a1b7b1afef7c36e2b65

SHA1
a832467931f07b3f41772d89feb194a90be4119b

SHA256
784af4a0d287a6611d5ee4fda32e31d7b3d5afcd14bca75d2564bb9f0045b449

SHA512
b4da7fe3e32fe1dc89197ec4f0a84c1cb38ff4d872f842f4692d1520e2b39efd2d7e3b928a8e225d2504aadf72a923ed7ee7e3552988c6365b9b30358912d6ce

Download Submit
C:\Windows\Installer\MSIF424.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSIF67B.tmp

Filesize
758KB

MD5
fb4665320c9da54598321c59cc5ed623

SHA1
89e87b3cc569edd26b5805244cfacb2f9c892bc7

SHA256
9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59

SHA512
b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

Download Submit
C:\Windows\Installer\e57f32a.msi

Filesize
35.0MB

MD5
f21f1b608d45926927f6178511bdd579

SHA1
a1a251359d7cea7dfeb52d1314bc460144533eca

SHA256
b089485a125e744a166fc05cef1ec2ed5eeaa51b12f3b8e8d0adc73e7579cc5a

SHA512
66521db47efc6a6f82693330af0e612886e7f0f13c7737da6459c0abb937ad1cbcd1376dc9fbddd6d78af551bc38913871e2e21e48e8d5ed630377b523e8f276

Download Submit
memory/5036-43-0x00000000054B0000-0x0000000005AD8000-memory.dmp

Filesize
6.2MB

Download
memory/5036-64-0x00000000082B0000-0x0000000008854000-memory.dmp

Filesize
5.6MB

Download
memory/5036-57-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/5036-60-0x0000000007C30000-0x00000000082AA000-memory.dmp

Filesize
6.5MB

Download
memory/5036-61-0x0000000006810000-0x000000000682A000-memory.dmp

Filesize
104KB

Download
memory/5036-62-0x00000000068F0000-0x0000000006986000-memory.dmp

Filesize
600KB

Download
memory/5036-63-0x00000000068A0000-0x00000000068C2000-memory.dmp

Filesize
136KB

Download
memory/5036-58-0x0000000006300000-0x000000000634C000-memory.dmp

Filesize
304KB

Download
memory/5036-56-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/5036-66-0x0000000008860000-0x0000000008A22000-memory.dmp

Filesize
1.8MB

Download
memory/5036-67-0x0000000008F60000-0x000000000948C000-memory.dmp

Filesize
5.2MB

Download
memory/5036-46-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/5036-45-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/5036-44-0x0000000005310000-0x0000000005332000-memory.dmp

Filesize
136KB

Download
memory/5036-42-0x0000000002CF0000-0x0000000002D26000-memory.dmp

Filesize
216KB

Download