Overview

overview

7

Static

static

1

3d36a85048...70.msi

windows7-x64

6

3d36a85048...70.msi

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/05/2024, 16:02

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3d36a85048e6c35edac1fcc9e9a00bc140f18bac364b61cbe43d04ae7d2c1d70.msi

  • Size

    4.9MB

  • MD5

    76cb7942862b8e5ac5c86c7cbab709bd

  • SHA1

    0c0631dc78a8add250dd225f67a918f3f9c71524

  • SHA256

    3d36a85048e6c35edac1fcc9e9a00bc140f18bac364b61cbe43d04ae7d2c1d70

  • SHA512

    b9ca576c949f79f123b6cf0d9d3469f47c88ee6f53c9f6e97643fc529ee5a360c95172457b4b2eddb0836baf68d88ffd9a958f8a3cbcca270bcfeb519dc22752

  • SSDEEP

    98304:wyclEycl/Y5AbXwNSOgbPJ84mkWQBlVbZ0L8xKpIx0Ttq6zVommY:wyIEyINXwNUJdV9jxK1tqOeQ

Score
6/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3d36a85048e6c35edac1fcc9e9a00bc140f18bac364b61cbe43d04ae7d2c1d70.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2008
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F3520FDBDC175C27F485D734FCA896A7
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C mkdir C:\Users\Admin\hAAdmin14\
        3⤵
          PID:2604
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C mkdir C:\Users\Admin\hAAdmin14\hAAdmin14
          3⤵
            PID:2528

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\Installer\MSI421F.tmp
              Filesize

              738KB

              MD5

              8e65fea37f700d948d1b67afd43b97fc

              SHA1

              823d2b30ec0372e0dc36f7983ad2de1ceda4036c

              SHA256

              20c648a2a4313b1b20da50a9b788d8a1b9637e154adae4541b65badaa40266c9

              SHA512

              07faf03685fde9c71f6bc4b3caecfe4d3c707a8bec5bce1a544f59c1f853edde8f37c019c16bffd3e8fbe5c72c0666ffe0e2dffd878744da64f47e52c7625084

              Download Submit

            • memory/2544-1-0x00000000002B0000-0x00000000002B2000-memory.dmp

              Filesize

              8KB

              Download