Analysis
max time kernel: 139s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20240426-es
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 18-05-2024 20:32
Behavioral task behavioral1
  Sample: a1b3c334db545aaf83e573c915d23e4eefae734970ad6895a67a7b97279c24f8.msi
  Resource: win7-20240221-es
Behavioral task behavioral2
  Sample: a1b3c334db545aaf83e573c915d23e4eefae734970ad6895a67a7b97279c24f8.msi
  Resource: win10v2004-20240426-es
General
Target: a1b3c334db545aaf83e573c915d23e4eefae734970ad6895a67a7b97279c24f8.msi
Size: 22.9MB
MD5: 1a526ef8e0d93204cf570fe413be69cf
SHA1: 4eac6841481e6b35f48c38bb8cf64ebb3878fc04
SHA256: a1b3c334db545aaf83e573c915d23e4eefae734970ad6895a67a7b97279c24f8
SHA512: 5ebf90213460c9b92401da2d7765af19305e977d8ea6a10e3c7b435a73a010f2e0fa418a932ab7f5dc0aaa025123a1bfc5a8105edb42b5ec424690585026c85e
SSDEEP: 393216:xopaHTAZuGS1jOXNl/BXbcl0Xrz8o04Z:7LmBV04Z
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
flow   pid    Process
6      4008   MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)   Process: msiexec.exe (all 46 entries)
ioc, in report order:
  \??\M: \??\U: \??\V: \??\K: \??\Z: \??\Q: \??\T: \??\H: \??\J: \??\P: \??\T: \??\R: \??\S: \??\Z: \??\E: \??\G: \??\O: \??\P: \??\B: \??\L: \??\U: \??\Y: \??\A:
  \??\I: \??\N: \??\R: \??\O: \??\V: \??\W: \??\X: \??\K: \??\S: \??\E: \??\I: \??\A: \??\G: \??\L: \??\Q: \??\W: \??\X: \??\J: \??\N: \??\B: \??\M: \??\Y: \??\H:
Drops file in Windows directory (12 IoCs)
description                    ioc                                                                    Process
File created                   C:\Windows\Installer\SourceHash{M3JHSTI7-P6TK-NHC7-T0IJ-QOXNJIV1TT5D}   msiexec.exe
File opened for modification   C:\Windows\Installer\MSI5EFD.tmp                                       msiexec.exe
File opened for modification   C:\Windows\Installer\e575bfb.msi                                       msiexec.exe
File opened for modification   C:\Windows\Installer\MSI5C78.tmp                                       msiexec.exe
File opened for modification   C:\Windows\Installer\MSI5DA3.tmp                                       msiexec.exe
File opened for modification   C:\Windows\Installer\                                                  msiexec.exe
File created                   C:\Windows\Installer\inprogressinstallinfo.ipi                         msiexec.exe
File created                   C:\Windows\Installer\e575bfb.msi                                       msiexec.exe
File opened for modification   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log               msiexec.exe
File opened for modification   C:\Windows\Installer\MSI5D34.tmp                                       msiexec.exe
File opened for modification   C:\Windows\Installer\MSI5DD2.tmp                                       msiexec.exe
File opened for modification   C:\Windows\Installer\MSI5EBE.tmp                                       msiexec.exe
Loads dropped DLL (5 IoCs)
pid    Process
4008   MsiExec.exe (5 entries)
Program crash (1 IoC)
pid    pid_target   Process        procid_target
1636   4008         WerFault.exe   86
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
1768   msiexec.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (52 IoCs)
description: Token: <privilege>   pid   Process
pid 5088 msiexec.exe (31 entries, in report order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
pid 1768 msiexec.exe (21 entries, in report order): SeSecurityPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, 10 times each
Suspicious use of FindShellTrayWindow (2 IoCs)
pid    Process
5088   msiexec.exe (2 entries)
Suspicious use of SetWindowsHookEx (3 IoCs)
pid    Process
4008   MsiExec.exe (3 entries)
Suspicious use of WriteProcessMemory (3 IoCs)
description                          pid    Process       procid_target
PID 1768 wrote to memory of 4008     1768   msiexec.exe   86 (3 entries)
Processes
C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a1b3c334db545aaf83e573c915d23e4eefae734970ad6895a67a7b97279c24f8.msi
  PID: 5088
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 1768
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2CD15073FA1FFC2618F27A40B0B658B9
    PID: 4008
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    child: C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1264
      PID: 1636
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4008 -ip 4008
  PID: 2120
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 554KB
MD5: 3b171ce087bb799aafcbbd93bab27f71
SHA1: 7bd69efbc7797bdff5510830ca2cc817c8b86d08
SHA256: bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
SHA512: 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Filesize: 21.8MB
MD5: 6aef22a7a79011375c339df8e1dfb7e2
SHA1: 40bb0afaf2c9e249632c938c1c4cf67691dbd5af
SHA256: 3c1db818b1d35baa6aa32d24012c41dd2f0ad45a300713366fd4a850695123a9
SHA512: 2ab05a71c23cbcb23b823b80edfafd3f326ede8c08ef87244d385706733ccf2fe8b70822e67d6fc5c5c83274910a2738647e169aa16ff61394b209af591c011d