Analysis

max time kernel: 453s
max time network: 1181s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-05-2024 14:33
Static task: static1
Behavioral task: behavioral1
Sample: EpicInstaller-15.17.1 (1).msi
Resource: win11-20240426-en
General

Target: EpicInstaller-15.17.1 (1).msi
Size: 176.5MB
MD5: 7a2cf04ac0c504a8ea5aed805dde484d
SHA1: 0536d7a178d1a42cea1476ea6b44bc53ed26bc63
SHA256: 6f3f486d7a8409fc174198818c039152c6268bd9fdf210ee6be1c91bf832b7e9
SHA512: 42aeed1d015ab279df3065e04adff8001672a13180f4d73121ace3bc8989783f12c7a5d0b50c684c74fd138fc1b4f451439acd7b6342d4f60c7d3a18034e0988
SSDEEP: 3145728:oyKHxXZR5bsPL+buxE4ynkX+kKbtt3V8mIeDLhZ8muXNNE7byK88OmTZbOW/rXi:IP4PAwUnkuk8BNbLIxg7bUQ
Malware Config

Signatures

Blocklisted process makes network request (3 IoCs)
Processes:
  flow  pid   process
  2     3576  msiexec.exe
  3     3576  msiexec.exe
  4     3576  msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  2120  MsiExec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid   process
  3576  msiexec.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                         pid   process      target process
  PID 2244 wrote to memory of 2120    2244  msiexec.exe  MsiExec.exe
  PID 2244 wrote to memory of 2120    2244  msiexec.exe  MsiExec.exe
  PID 2244 wrote to memory of 2120    2244  msiexec.exe  MsiExec.exe
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\EpicInstaller-15.17.1 (1).msi"
  Signatures:
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  Child process: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3265D7E04C9D2168AFAEB14CAD5BE1F4 C
    Signatures:
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\MSI5832.tmp
  Filesize: 211KB
  MD5: a3ae5d86ecf38db9427359ea37a5f646
  SHA1: eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
  SHA256: c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
  SHA512: 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0