246f58fea5839c6ebbb089fab78ea699db8790d3c23894c2a9db8b0bb343d299

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tomcat/Tomcat9/Tomcat9.msi
Size

11.0MB
MD5

c8e3b53a86e0770d02cbab08df8efc1d
SHA1

4abc46444213c0a9e40e9705ed4596681d9bb2c0
SHA256

2ad488453a197142582fd244898c4a1605df35ec4c46e789d0d79c39d5c4c0ee
SHA512

3a471bf9a44b788e9401249d4f1919b526ad781c3889a7e0754eea36a4701de01d4e72e18bb742937089d97522af8f50c1a768f62fc179741747b124bf41cde9
SSDEEP

196608:zxTD3DZc/KXi9xQ1ru8lK5QSiXAmE8Wu3TOEw26yacfnJtReh:1X3u9m1ru8o5xsE8xaEwOaYnn4

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2992	msiexec.exe
5	2992	msiexec.exe
6	2880	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
2880	MsiExec.exe
2880	MsiExec.exe
2880	MsiExec.exe
2880	MsiExec.exe
2880	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2992	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2992	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2992	msiexec.exe
Token: SeRestorePrivilege	1436	msiexec.exe
Token: SeTakeOwnershipPrivilege	1436	msiexec.exe
Token: SeSecurityPrivilege	1436	msiexec.exe
Token: SeCreateTokenPrivilege	2992	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2992	msiexec.exe
Token: SeLockMemoryPrivilege	2992	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2992	msiexec.exe
Token: SeMachineAccountPrivilege	2992	msiexec.exe
Token: SeTcbPrivilege	2992	msiexec.exe
Token: SeSecurityPrivilege	2992	msiexec.exe
Token: SeTakeOwnershipPrivilege	2992	msiexec.exe
Token: SeLoadDriverPrivilege	2992	msiexec.exe
Token: SeSystemProfilePrivilege	2992	msiexec.exe
Token: SeSystemtimePrivilege	2992	msiexec.exe
Token: SeProfSingleProcessPrivilege	2992	msiexec.exe
Token: SeIncBasePriorityPrivilege	2992	msiexec.exe
Token: SeCreatePagefilePrivilege	2992	msiexec.exe
Token: SeCreatePermanentPrivilege	2992	msiexec.exe
Token: SeBackupPrivilege	2992	msiexec.exe
Token: SeRestorePrivilege	2992	msiexec.exe
Token: SeShutdownPrivilege	2992	msiexec.exe
Token: SeDebugPrivilege	2992	msiexec.exe
Token: SeAuditPrivilege	2992	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2992	msiexec.exe
Token: SeChangeNotifyPrivilege	2992	msiexec.exe
Token: SeRemoteShutdownPrivilege	2992	msiexec.exe
Token: SeUndockPrivilege	2992	msiexec.exe
Token: SeSyncAgentPrivilege	2992	msiexec.exe
Token: SeEnableDelegationPrivilege	2992	msiexec.exe
Token: SeManageVolumePrivilege	2992	msiexec.exe
Token: SeImpersonatePrivilege	2992	msiexec.exe
Token: SeCreateGlobalPrivilege	2992	msiexec.exe
Token: SeCreateTokenPrivilege	2992	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2992	msiexec.exe
Token: SeLockMemoryPrivilege	2992	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2992	msiexec.exe
Token: SeMachineAccountPrivilege	2992	msiexec.exe
Token: SeTcbPrivilege	2992	msiexec.exe
Token: SeSecurityPrivilege	2992	msiexec.exe
Token: SeTakeOwnershipPrivilege	2992	msiexec.exe
Token: SeLoadDriverPrivilege	2992	msiexec.exe
Token: SeSystemProfilePrivilege	2992	msiexec.exe
Token: SeSystemtimePrivilege	2992	msiexec.exe
Token: SeProfSingleProcessPrivilege	2992	msiexec.exe
Token: SeIncBasePriorityPrivilege	2992	msiexec.exe
Token: SeCreatePagefilePrivilege	2992	msiexec.exe
Token: SeCreatePermanentPrivilege	2992	msiexec.exe
Token: SeBackupPrivilege	2992	msiexec.exe
Token: SeRestorePrivilege	2992	msiexec.exe
Token: SeShutdownPrivilege	2992	msiexec.exe
Token: SeDebugPrivilege	2992	msiexec.exe
Token: SeAuditPrivilege	2992	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2992	msiexec.exe
Token: SeChangeNotifyPrivilege	2992	msiexec.exe
Token: SeRemoteShutdownPrivilege	2992	msiexec.exe
Token: SeUndockPrivilege	2992	msiexec.exe
Token: SeSyncAgentPrivilege	2992	msiexec.exe
Token: SeEnableDelegationPrivilege	2992	msiexec.exe
Token: SeManageVolumePrivilege	2992	msiexec.exe
Token: SeImpersonatePrivilege	2992	msiexec.exe
Token: SeCreateGlobalPrivilege	2992	msiexec.exe
Token: SeCreateTokenPrivilege	2992	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2992	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 2880	1436	msiexec.exe	29
PID 1436 wrote to memory of 2880	1436	msiexec.exe	29
PID 1436 wrote to memory of 2880	1436	msiexec.exe	29
PID 1436 wrote to memory of 2880	1436	msiexec.exe	29
PID 1436 wrote to memory of 2880	1436	msiexec.exe	29
PID 1436 wrote to memory of 2880	1436	msiexec.exe	29
PID 1436 wrote to memory of 2880	1436	msiexec.exe	29

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Tomcat\Tomcat9\Tomcat9.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2992

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3152B743DFA7F47DC0C4A1241B56F5D9 C
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ae3ee9ca9cd993ff6cb3922612ff076

SHA1
9e9550f466806ec4de89215a8b44538f19589d80

SHA256
48df43a2766c6ebded8b652a88126cd9ce48fcd7577bc6e7a9a3775b052a93a6

SHA512
e2bdf0d062a0ec191f2718e4b642dd9e0422c11f5657be2c9d6da91e76cc1ddfc2cdc763fb77885669f5e775890ee1d554be2c58f5efaf9618f7c14fa84251ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2445.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI26E4.tmp

Filesize
173KB

MD5
d07d2c85ea1c0af02a99b6cf78ae79ef

SHA1
3ac922fc33789b61eb62085f3e49bca6aba4b4a9

SHA256
5a36c709648e40ec1224855fb77e7420ee53e267c185f31c2c016115fba4af38

SHA512
029bed817c10eebabd39a6c819eda3d76b09c7e34d182ec31c9f7d96fed530cd35feed88891ec61b6fb0d86ba44a07bfe3882e6fb3d9f0e41d48d2a99453789a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2762.tmp

Filesize
167KB

MD5
e80f90724939d4f85fc49de2460b94b5

SHA1
512ea4deba1c97cc7ec394bce0e4a32cd497176e

SHA256
8041d3ccbafa491d35f70030c3afeba683b0235bed24f242878d04c7e87b8687

SHA512
9494f1cd058dc3923e4f562d8ed2edf3d252f519efc6db4f1b5289d8a1b841a6cb927e14d33dab98e0bd4d22a5a473b8cd9424f77213527fbe0c183126356767

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2782.tmp

Filesize
2.6MB

MD5
10da8b187ac906d05aab2bd7c59da67d

SHA1
d94e362abbcd1d8842e81af06e0fd08e96946445

SHA256
088b2eb7c9a1fb69cac2cd692cc60fa869f6b46a4cf8b24f959bc45040fb7b8c

SHA512
9ed2d2ecbc2cf5536d98f36f8881f280afc6625ea1c568f4a9b805ba06ccd650e10bb55f62a41c819f24ea72781c82724202af8a5294221e9014a46a814b0c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2457.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{089090BB-9B85-4034-A014-3D462B061F2A}\_is2868.exe

Filesize
179KB

MD5
7a1c100df8065815dc34c05abc0c13de

SHA1
3c23414ae545d2087e5462a8994d2b87d3e6d9e2

SHA256
e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed

SHA512
bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327

Download Submit
\Users\Admin\AppData\Local\Temp\{089090BB-9B85-4034-A014-3D462B061F2A}\ISRT.dll

Filesize
427KB

MD5
85315ad538fa5af8162f1cd2fce1c99d

SHA1
31c177c28a05fa3de5e1f934b96b9d01a8969bba

SHA256
70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7

SHA512
877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556

Download Submit
\Users\Admin\AppData\Local\Temp\{089090BB-9B85-4034-A014-3D462B061F2A}\_isres_0x0409.dll

Filesize
1.8MB

MD5
befe2ef369d12f83c72c5f2f7069dd87

SHA1
b89c7f6da1241ed98015dc347e70322832bcbe50

SHA256
9652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131

SHA512
760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b

Download Submit
memory/2880-383-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/2880-386-0x0000000004140000-0x0000000004307000-memory.dmp

Filesize
1.8MB

Download