246f58fea5839c6ebbb089fab78ea699db8790d3c23894c2a9db8b0bb343d299

Analysis

max time kernel
136s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tomcat/Tomcat9/Tomcat9.msi
Size

11.0MB
MD5

c8e3b53a86e0770d02cbab08df8efc1d
SHA1

4abc46444213c0a9e40e9705ed4596681d9bb2c0
SHA256

2ad488453a197142582fd244898c4a1605df35ec4c46e789d0d79c39d5c4c0ee
SHA512

3a471bf9a44b788e9401249d4f1919b526ad781c3889a7e0754eea36a4701de01d4e72e18bb742937089d97522af8f50c1a768f62fc179741747b124bf41cde9
SSDEEP

196608:zxTD3DZc/KXi9xQ1ru8lK5QSiXAmE8Wu3TOEw26yacfnJtReh:1X3u9m1ru8o5xsE8xaEwOaYnn4

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	2916	msiexec.exe
7	2916	msiexec.exe
19	5092	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Executes dropped EXE 10 IoCs

pid	Process
1904	_is67FC.exe
3976	_is67FC.exe
4632	_is67FC.exe
3864	_is67FC.exe
4916	_is67FC.exe
3124	_is67FC.exe
3164	_is67FC.exe
3924	_is67FC.exe
4268	_is67FC.exe
4900	_is67FC.exe

Loads dropped DLL 6 IoCs

pid	Process
5092	MsiExec.exe
5092	MsiExec.exe
5092	MsiExec.exe
5092	MsiExec.exe
5092	MsiExec.exe
5092	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2916	msiexec.exe
Token: SeSecurityPrivilege	4844	msiexec.exe
Token: SeCreateTokenPrivilege	2916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2916	msiexec.exe
Token: SeLockMemoryPrivilege	2916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2916	msiexec.exe
Token: SeMachineAccountPrivilege	2916	msiexec.exe
Token: SeTcbPrivilege	2916	msiexec.exe
Token: SeSecurityPrivilege	2916	msiexec.exe
Token: SeTakeOwnershipPrivilege	2916	msiexec.exe
Token: SeLoadDriverPrivilege	2916	msiexec.exe
Token: SeSystemProfilePrivilege	2916	msiexec.exe
Token: SeSystemtimePrivilege	2916	msiexec.exe
Token: SeProfSingleProcessPrivilege	2916	msiexec.exe
Token: SeIncBasePriorityPrivilege	2916	msiexec.exe
Token: SeCreatePagefilePrivilege	2916	msiexec.exe
Token: SeCreatePermanentPrivilege	2916	msiexec.exe
Token: SeBackupPrivilege	2916	msiexec.exe
Token: SeRestorePrivilege	2916	msiexec.exe
Token: SeShutdownPrivilege	2916	msiexec.exe
Token: SeDebugPrivilege	2916	msiexec.exe
Token: SeAuditPrivilege	2916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2916	msiexec.exe
Token: SeChangeNotifyPrivilege	2916	msiexec.exe
Token: SeRemoteShutdownPrivilege	2916	msiexec.exe
Token: SeUndockPrivilege	2916	msiexec.exe
Token: SeSyncAgentPrivilege	2916	msiexec.exe
Token: SeEnableDelegationPrivilege	2916	msiexec.exe
Token: SeManageVolumePrivilege	2916	msiexec.exe
Token: SeImpersonatePrivilege	2916	msiexec.exe
Token: SeCreateGlobalPrivilege	2916	msiexec.exe
Token: SeCreateTokenPrivilege	2916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2916	msiexec.exe
Token: SeLockMemoryPrivilege	2916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2916	msiexec.exe
Token: SeMachineAccountPrivilege	2916	msiexec.exe
Token: SeTcbPrivilege	2916	msiexec.exe
Token: SeSecurityPrivilege	2916	msiexec.exe
Token: SeTakeOwnershipPrivilege	2916	msiexec.exe
Token: SeLoadDriverPrivilege	2916	msiexec.exe
Token: SeSystemProfilePrivilege	2916	msiexec.exe
Token: SeSystemtimePrivilege	2916	msiexec.exe
Token: SeProfSingleProcessPrivilege	2916	msiexec.exe
Token: SeIncBasePriorityPrivilege	2916	msiexec.exe
Token: SeCreatePagefilePrivilege	2916	msiexec.exe
Token: SeCreatePermanentPrivilege	2916	msiexec.exe
Token: SeBackupPrivilege	2916	msiexec.exe
Token: SeRestorePrivilege	2916	msiexec.exe
Token: SeShutdownPrivilege	2916	msiexec.exe
Token: SeDebugPrivilege	2916	msiexec.exe
Token: SeAuditPrivilege	2916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2916	msiexec.exe
Token: SeChangeNotifyPrivilege	2916	msiexec.exe
Token: SeRemoteShutdownPrivilege	2916	msiexec.exe
Token: SeUndockPrivilege	2916	msiexec.exe
Token: SeSyncAgentPrivilege	2916	msiexec.exe
Token: SeEnableDelegationPrivilege	2916	msiexec.exe
Token: SeManageVolumePrivilege	2916	msiexec.exe
Token: SeImpersonatePrivilege	2916	msiexec.exe
Token: SeCreateGlobalPrivilege	2916	msiexec.exe
Token: SeCreateTokenPrivilege	2916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2916	msiexec.exe
Token: SeLockMemoryPrivilege	2916	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2916	msiexec.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 5092	4844	msiexec.exe	92
PID 4844 wrote to memory of 5092	4844	msiexec.exe	92
PID 4844 wrote to memory of 5092	4844	msiexec.exe	92
PID 5092 wrote to memory of 1904	5092	MsiExec.exe	94
PID 5092 wrote to memory of 1904	5092	MsiExec.exe	94
PID 5092 wrote to memory of 3976	5092	MsiExec.exe	95
PID 5092 wrote to memory of 3976	5092	MsiExec.exe	95
PID 5092 wrote to memory of 4632	5092	MsiExec.exe	96
PID 5092 wrote to memory of 4632	5092	MsiExec.exe	96
PID 5092 wrote to memory of 3864	5092	MsiExec.exe	98
PID 5092 wrote to memory of 3864	5092	MsiExec.exe	98
PID 5092 wrote to memory of 4916	5092	MsiExec.exe	99
PID 5092 wrote to memory of 4916	5092	MsiExec.exe	99
PID 5092 wrote to memory of 3124	5092	MsiExec.exe	100
PID 5092 wrote to memory of 3124	5092	MsiExec.exe	100
PID 5092 wrote to memory of 3164	5092	MsiExec.exe	101
PID 5092 wrote to memory of 3164	5092	MsiExec.exe	101
PID 5092 wrote to memory of 3924	5092	MsiExec.exe	102
PID 5092 wrote to memory of 3924	5092	MsiExec.exe	102
PID 5092 wrote to memory of 4268	5092	MsiExec.exe	103
PID 5092 wrote to memory of 4268	5092	MsiExec.exe	103
PID 5092 wrote to memory of 4900	5092	MsiExec.exe	104
PID 5092 wrote to memory of 4900	5092	MsiExec.exe	104

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Tomcat\Tomcat9\Tomcat9.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 88F943EB0EE91EF7F52A3F529E0D103B C
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe
    C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{33B10FCC-1601-49AF-BA2F-134F2DEB72C3}
    3⤵
    - Executes dropped EXE
    PID:1904
- - C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe
    C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A2CC17D9-493A-4785-8A47-4CF7AE4BD8BF}
    3⤵
    - Executes dropped EXE
    PID:3976
- - C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe
    C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4B944C6-8F08-43CD-85C6-85573B976E6A}
    3⤵
    - Executes dropped EXE
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe
    C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{09ECA351-4C0D-4E3A-9648-1434956F2836}
    3⤵
    - Executes dropped EXE
    PID:3864
- - C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe
    C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F01D83AD-AA9F-4A43-A71C-5C8EFF4767EC}
    3⤵
    - Executes dropped EXE
    PID:4916
- - C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe
    C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2E81C43E-4BFB-4E8E-B046-79CE84D045CC}
    3⤵
    - Executes dropped EXE
    PID:3124
- - C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe
    C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F5428224-21E9-4B2C-8211-3947207CE3BF}
    3⤵
    - Executes dropped EXE
    PID:3164
- - C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe
    C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B6C71ABA-C27D-4604-AF0E-BA8ECBD4C5B6}
    3⤵
    - Executes dropped EXE
    PID:3924
- - C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe
    C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{81C84742-7200-4C94-AD43-285884BB2256}
    3⤵
    - Executes dropped EXE
    PID:4268
- - C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe
    C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{884D93F6-8806-438E-820A-3671A1A3BFC6}
    3⤵
    - Executes dropped EXE
    PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
62af5c9799d1414a7c65acdf6314317d

SHA1
e771b110bcf62cb5a1109859bb5f12187f76293c

SHA256
b5a2c4e070f26aa983c09e89c571c2635bffb45a0f03d4472090f722ea78bc92

SHA512
cc1081876b37831293ef96562a1ce7f088bb23f53db86c867aa127e8c3a8710131f7f3b8a2c9512e35a5d54e565c346394edafe1dbbcbc64a8b409ab56201cfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
8adc2a027f26a0ec445777d0723b6928

SHA1
ae8244844b06eee9a1f5d843d431a97e9c8e5877

SHA256
fb4c63d2e53646e8789ae944f5fe689ea5a42aee5141da840e2cd204b2c3098b

SHA512
df63461afa508440b4d23e45c90cf620f1c3d53c1d58aa302cac806f2c6691f75c18ced10a66e6b616bb5e8f1a94c54f7c878d5aeed1d6027c1d79be79d916bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3BAC.tmp

Filesize
173KB

MD5
d07d2c85ea1c0af02a99b6cf78ae79ef

SHA1
3ac922fc33789b61eb62085f3e49bca6aba4b4a9

SHA256
5a36c709648e40ec1224855fb77e7420ee53e267c185f31c2c016115fba4af38

SHA512
029bed817c10eebabd39a6c819eda3d76b09c7e34d182ec31c9f7d96fed530cd35feed88891ec61b6fb0d86ba44a07bfe3882e6fb3d9f0e41d48d2a99453789a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6240.tmp

Filesize
167KB

MD5
e80f90724939d4f85fc49de2460b94b5

SHA1
512ea4deba1c97cc7ec394bce0e4a32cd497176e

SHA256
8041d3ccbafa491d35f70030c3afeba683b0235bed24f242878d04c7e87b8687

SHA512
9494f1cd058dc3923e4f562d8ed2edf3d252f519efc6db4f1b5289d8a1b841a6cb927e14d33dab98e0bd4d22a5a473b8cd9424f77213527fbe0c183126356767

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI636A.tmp

Filesize
2.6MB

MD5
10da8b187ac906d05aab2bd7c59da67d

SHA1
d94e362abbcd1d8842e81af06e0fd08e96946445

SHA256
088b2eb7c9a1fb69cac2cd692cc60fa869f6b46a4cf8b24f959bc45040fb7b8c

SHA512
9ed2d2ecbc2cf5536d98f36f8881f280afc6625ea1c568f4a9b805ba06ccd650e10bb55f62a41c819f24ea72781c82724202af8a5294221e9014a46a814b0c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\ISRT.dll

Filesize
427KB

MD5
85315ad538fa5af8162f1cd2fce1c99d

SHA1
31c177c28a05fa3de5e1f934b96b9d01a8969bba

SHA256
70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7

SHA512
877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_is67FC.exe

Filesize
179KB

MD5
7a1c100df8065815dc34c05abc0c13de

SHA1
3c23414ae545d2087e5462a8994d2b87d3e6d9e2

SHA256
e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed

SHA512
bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CCE27D85-2A59-44F6-861F-955345F35CDB}\_isres_0x0409.dll

Filesize
1.8MB

MD5
befe2ef369d12f83c72c5f2f7069dd87

SHA1
b89c7f6da1241ed98015dc347e70322832bcbe50

SHA256
9652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131

SHA512
760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b

Download Submit
memory/5092-53-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/5092-58-0x0000000002F40000-0x0000000003107000-memory.dmp

Filesize
1.8MB

Download