Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 15/05/2024, 16:19
Static task: static1
Behavioral task: behavioral1
- Sample: Tomcat/Tomcat9/Tomcat9.msi
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: Tomcat/Tomcat9/Tomcat9.msi
- Resource: win10v2004-20240226-en
General
- Target: Tomcat/Tomcat9/Tomcat9.msi
- Size: 11.0MB
- MD5: c8e3b53a86e0770d02cbab08df8efc1d
- SHA1: 4abc46444213c0a9e40e9705ed4596681d9bb2c0
- SHA256: 2ad488453a197142582fd244898c4a1605df35ec4c46e789d0d79c39d5c4c0ee
- SHA512: 3a471bf9a44b788e9401249d4f1919b526ad781c3889a7e0754eea36a4701de01d4e72e18bb742937089d97522af8f50c1a768f62fc179741747b124bf41cde9
- SSDEEP: 196608:zxTD3DZc/KXi9xQ1ru8lK5QSiXAmE8Wu3TOEw26yacfnJtReh:1X3u9m1ru8o5xsE8xaEwOaYnn4
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  3 | 2992 | msiexec.exe
  5 | 2992 | msiexec.exe
  6 | 2880 | MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: msiexec.exe; ioc (in the order recorded):
  \??\I:, \??\R:, \??\U:, \??\P:, \??\X:, \??\A:, \??\G:, \??\J:, \??\A:, \??\O:, \??\P:, \??\Q:, \??\V:, \??\U:, \??\W:, \??\L:, \??\B:, \??\E:, \??\M:, \??\V:, \??\B:, \??\Z:, \??\I:, \??\K:, \??\N:, \??\G:, \??\H:, \??\J:, \??\N:, \??\H:, \??\T:, \??\M:, \??\S:, \??\S:, \??\W:, \??\X:, \??\L:, \??\R:, \??\Y:, \??\O:, \??\Q:, \??\E:, \??\K:, \??\T:, \??\Y:, \??\Z:
- Loads dropped DLL (5 IoCs)
  pid 2880 MsiExec.exe (5 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2992 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description: Token; entries grouped by pid/Process, in the order recorded:
  pid 2992 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  pid 1436 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  pid 2992 msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2992 msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1436 wrote to memory of 2880 | 1436 | msiexec.exe | 29 (7 identical entries)
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Tomcat\Tomcat9\Tomcat9.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2992
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1436
  - C:\Windows\syswow64\MsiExec.exe (child of PID 1436)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3152B743DFA7F47DC0C4A1241B56F5D9 C
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID: 2880
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 6ae3ee9ca9cd993ff6cb3922612ff076
  SHA1: 9e9550f466806ec4de89215a8b44538f19589d80
  SHA256: 48df43a2766c6ebded8b652a88126cd9ce48fcd7577bc6e7a9a3775b052a93a6
  SHA512: e2bdf0d062a0ec191f2718e4b642dd9e0422c11f5657be2c9d6da91e76cc1ddfc2cdc763fb77885669f5e775890ee1d554be2c58f5efaf9618f7c14fa84251ce
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- Filesize: 173KB
  MD5: d07d2c85ea1c0af02a99b6cf78ae79ef
  SHA1: 3ac922fc33789b61eb62085f3e49bca6aba4b4a9
  SHA256: 5a36c709648e40ec1224855fb77e7420ee53e267c185f31c2c016115fba4af38
  SHA512: 029bed817c10eebabd39a6c819eda3d76b09c7e34d182ec31c9f7d96fed530cd35feed88891ec61b6fb0d86ba44a07bfe3882e6fb3d9f0e41d48d2a99453789a
- Filesize: 167KB
  MD5: e80f90724939d4f85fc49de2460b94b5
  SHA1: 512ea4deba1c97cc7ec394bce0e4a32cd497176e
  SHA256: 8041d3ccbafa491d35f70030c3afeba683b0235bed24f242878d04c7e87b8687
  SHA512: 9494f1cd058dc3923e4f562d8ed2edf3d252f519efc6db4f1b5289d8a1b841a6cb927e14d33dab98e0bd4d22a5a473b8cd9424f77213527fbe0c183126356767
- Filesize: 2.6MB
  MD5: 10da8b187ac906d05aab2bd7c59da67d
  SHA1: d94e362abbcd1d8842e81af06e0fd08e96946445
  SHA256: 088b2eb7c9a1fb69cac2cd692cc60fa869f6b46a4cf8b24f959bc45040fb7b8c
  SHA512: 9ed2d2ecbc2cf5536d98f36f8881f280afc6625ea1c568f4a9b805ba06ccd650e10bb55f62a41c819f24ea72781c82724202af8a5294221e9014a46a814b0c8a
- Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- Filesize: 179KB
  MD5: 7a1c100df8065815dc34c05abc0c13de
  SHA1: 3c23414ae545d2087e5462a8994d2b87d3e6d9e2
  SHA256: e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed
  SHA512: bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327
- Filesize: 427KB
  MD5: 85315ad538fa5af8162f1cd2fce1c99d
  SHA1: 31c177c28a05fa3de5e1f934b96b9d01a8969bba
  SHA256: 70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7
  SHA512: 877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556
- Filesize: 1.8MB
  MD5: befe2ef369d12f83c72c5f2f7069dd87
  SHA1: b89c7f6da1241ed98015dc347e70322832bcbe50
  SHA256: 9652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131
  SHA512: 760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b