Analysis

max time kernel: 136s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 23:20
Static task: static1

Behavioral task: behavioral1
  Sample: 560ed7c0690709054230841c407078e23d4d9fda6010532c67c9e770ac738a0e.msi
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 560ed7c0690709054230841c407078e23d4d9fda6010532c67c9e770ac738a0e.msi
  Resource: win10v2004-20240426-en

The analysis metadata above (platform windows10-2004_x64, resource win10v2004-20240426-en) belongs to behavioral2; the signatures and process tree below are from that Windows 10 run, not the Windows 7 one.
General

Target: 560ed7c0690709054230841c407078e23d4d9fda6010532c67c9e770ac738a0e.msi
Size: 3.4MB
MD5: 7203ef46aaf6025241c97992a7c29060
SHA1: 0fe541ba136b560b88af8acd0b01b2b797ecaf6b
SHA256: 560ed7c0690709054230841c407078e23d4d9fda6010532c67c9e770ac738a0e
SHA512: 62b736cd397748c2c94f2be5b4d301a1002331c364c03226ade301100e66636d8b2a9d342537804bb9852aa8de9bab0c232e64ca26d034009af4f5a8c0f942fa
SSDEEP: 24576:OwwSmUoTZoSCYyPF4Zj4BIQQWVPr3gFp+lg5G0TmFfOvEIqLdrf1NKcRNHYyT31E:Ow+U/NP73W+lKGdFa8LJ1NKwYyj1E
Malware Config
Signatures
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe

description: File opened (read-only)
process: msiexec.exe
ioc (46 entries, in the order logged):
\??\V: \??\Y: \??\E: \??\Y: \??\P: \??\O: \??\Q: \??\A: \??\M: \??\P: \??\V: \??\K: \??\S: \??\X: \??\G: \??\J: \??\L: \??\O: \??\I: \??\N: \??\S: \??\T: \??\U: \??\X: \??\Z: \??\I: \??\E: \??\G: \??\J: \??\L: \??\T: \??\W: \??\K: \??\B: \??\W: \??\M: \??\N: \??\R: \??\U: \??\H: \??\A: \??\Q: \??\H: \??\B: \??\R: \??\Z:

Every drive letter from A: to Z: except C:, D: and F: is opened, each exactly twice (once per msiexec.exe instance). Probing the root of every volume is routine Windows Installer behaviour (disk-space costing before the install) and this signature fires for most MSI packages; on its own it is not evidence of malicious intent.
Loads dropped DLL (3 IoCs)
Processes: MsiExec.exe

pid   process
4120  MsiExec.exe
4120  MsiExec.exe
4120  MsiExec.exe

PID 4120 is the 32-bit custom action server (C:\Windows\syswow64\MsiExec.exe -Embedding ...) spawned by the Windows Installer service. Windows Installer writes DLL custom actions from the package's Binary table to %TEMP%\MSI<hex>.tmp and loads them from there, so the dropped DLL is most likely the 108KB C:\Users\Admin\AppData\Local\Temp\MSI7C92.tmp listed under Downloads. That DLL is the package's own code that ran during installation and is the first artifact to analyse.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe

pid 4540 msiexec.exe (1 entry, logged third in the sequence):
Token: SeSecurityPrivilege

pid 3432 msiexec.exe (63 entries, in the order logged):
Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege

All but one entry come from PID 3432, the client msiexec.exe /I, which walks the same 29-privilege cycle (SeCreateTokenPrivilege through SeCreateGlobalPrivilege) repeatedly; the list stops at 64 entries part-way through the third pass. The single PID 4540 entry is the Windows Installer service instance. A client that enables every privilege present in its token is seen on ordinary MSI launches as well, so this list is not specific to this sample.
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: msiexec.exe

pid   process
3432  msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: msiexec.exe

description                     pid   process      target process
PID 4540 wrote to memory of 4120  4540  msiexec.exe  MsiExec.exe
PID 4540 wrote to memory of 4120  4540  msiexec.exe  MsiExec.exe
PID 4540 wrote to memory of 4120  4540  msiexec.exe  MsiExec.exe

All three writes are from the Windows Installer service (PID 4540) into the custom action server (PID 4120) it has just launched. A parent writing into a child it is creating is the normal process start-up sequence, not injection into an unrelated process; the interesting behaviour is what the child then loads (see Loads dropped DLL).
Processes

C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\560ed7c0690709054230841c407078e23d4d9fda6010532c67c9e770ac738a0e.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 9564D4DEED5D15A208A91BD4C662200B C
    - Loads dropped DLL

Cross-referencing the signature PIDs: the first process (msiexec.exe /I, the installer client the sample was launched with) is PID 3432; the second (msiexec.exe /V, the Windows Installer service) is PID 4540; its child, the SysWOW64 MsiExec.exe -Embedding instance, is PID 4120. A 32-bit custom action server being started means the package carries a 32-bit DLL custom action, and that child is the only process in the tree that loads a dropped file.
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\MSI7C92.tmp
  Filesize: 108KB
  MD5: 5fce93d0616d1b8fd39b1370ec531352
  SHA1: ad56511714690ddcd657ea090c06210c1a5ddd4b
  SHA256: 6ae9276ffe699f58cde70664bc3773f21f3e97e554593d0430f4e28dd9a29a3d
  SHA512: a04e717eb88f29d7fb26f124b378397533b9d8d0934c6ec0690b71bb17d095bb395a312366ee40f8b4c25f63e2765ce761d0ac00d4f872725c9435c23d20a4ef

memory/4120-9-0x00000000030B0000-0x00000000030CD000-memory.dmp
  Filesize: 116KB

The memory dump is a 0x1D000-byte (116KB) region of PID 4120, the custom action server; its size is consistent with an image mapping of the 108KB MSI7C92.tmp that process loaded, so the two artifacts should be compared rather than treated as separate finds.
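Because Windows Installer copies a DLL custom action out of the package's Binary table before loading it, the dropped MSI7C92.tmp should be byte-identical to one of the Binary streams inside the MSI, and that stream can be pulled out statically without running the installer. The script below is an added example, not part of the sandbox report or of any tool it references: it decodes Windows Installer's 6-bit stream-name encoding (the part that is not obvious), dumps every Binary.* stream, and looks for the one whose SHA256 equals the dropped file's hash from the report. Reading the OLE compound file is delegated to the olefile package, assumed to be installed (pip install olefile); the local sample path in the usage block and the stream names and byte contents used for the self-test are constructed placeholders.

```python
"""Extract Binary-table streams from an MSI and match them against a dropped-file hash.

Added example (not from the sandbox report). Assumes the `olefile` package is
available for reading the OLE compound file; the stream-name codec is self-contained.
"""
import hashlib
import sys
from typing import Dict, List, Optional, Tuple

# Windows Installer packs two 6-bit symbols from this alphabet into one UTF-16
# code unit in 0x3800-0x47FF, one trailing symbol into 0x4800-0x483F, and uses
# 0x4840 as the prefix marking a table stream (shown as "!" by 7-Zip/msitools).
MSI_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
TABLE_PREFIX = "\u4840"

# SHA256 of C:\Users\Admin\AppData\Local\Temp\MSI7C92.tmp as given in the report.
DROPPED_SHA256 = "6ae9276ffe699f58cde70664bc3773f21f3e97e554593d0430f4e28dd9a29a3d"


def decode_msi_stream_name(encoded: str) -> str:
    """Turn a raw compound-file directory entry name into the MSI stream name."""
    out: List[str] = []
    for ch in encoded:
        c = ord(ch)
        if 0x3800 <= c < 0x4800:          # two symbols: low 6 bits first, then high 6 bits
            c -= 0x3800
            out.append(MSI_ALPHABET[c & 0x3F])
            out.append(MSI_ALPHABET[(c >> 6) & 0x3F])
        elif 0x4800 <= c < 0x4840:        # single trailing symbol
            out.append(MSI_ALPHABET[c - 0x4800])
        elif ch == TABLE_PREFIX:          # table marker
            out.append("!")
        else:                             # anything else is stored literally
            out.append(ch)
    return "".join(out)


def encode_msi_stream_name(name: str) -> str:
    """Inverse of decode_msi_stream_name; a leading '!' becomes the table prefix."""
    out: List[str] = []
    i = 0
    if name.startswith("!"):
        out.append(TABLE_PREFIX)
        i = 1
    while i < len(name):
        a = MSI_ALPHABET.find(name[i])
        if a < 0:                         # not encodable: stored literally
            out.append(name[i])
            i += 1
        elif i + 1 < len(name) and MSI_ALPHABET.find(name[i + 1]) >= 0:
            b = MSI_ALPHABET.find(name[i + 1])
            out.append(chr(0x3800 + a + (b << 6)))
            i += 2
        else:
            out.append(chr(0x4800 + a))
            i += 1
    return "".join(out)


def binary_streams(msi_path: str) -> Dict[str, bytes]:
    """Return {decoded name: bytes} for every 'Binary.*' stream in the package."""
    import olefile                        # assumed available: pip install olefile
    streams: Dict[str, bytes] = {}
    ole = olefile.OleFileIO(msi_path)
    try:
        for entry in ole.listdir(streams=True, storages=False):
            name = decode_msi_stream_name("/".join(entry))
            if name.startswith("Binary."):
                streams[name] = ole.openstream(entry).read()
    finally:
        ole.close()
    return streams


def summarize(streams: Dict[str, bytes]) -> List[Tuple[str, int, str]]:
    """(name, size, sha256) for each Binary stream, sorted by name."""
    return sorted(
        (n, len(d), hashlib.sha256(d).hexdigest())
        for n, d in streams.items() if n.startswith("Binary.")
    )


def find_matching(streams: Dict[str, bytes], sha256_hex: str) -> Optional[str]:
    """Name of the Binary stream whose SHA256 equals the given digest, or None."""
    for name, _size, digest in summarize(streams):
        if digest == sha256_hex.lower():
            return name
    return None


if __name__ == "__main__":
    # Hypothetical local path to the sample; pass the real one as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "sample.msi"
    found = binary_streams(path)
    for name, size, digest in summarize(found):
        print(f"{name:40s} {size:8d} {digest}")
    match = find_matching(found, DROPPED_SHA256)
    print("MSI7C92.tmp matches Binary stream:", match or "none (DLL may instead come from the File table/cabinet)")
```

Opening the package with olefile only parses the compound-file container; no custom action runs, so this is safe to do outside the sandbox, though a malware lab VM is still the right place for it. If no Binary stream matches, the dropped file was not a Binary-table custom action and the File table and embedded cabinets are the next place to look.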