Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2024 01:05

General

  • Target

    abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi

  • Size

    7.8MB

  • MD5

    ffa79d6b5eb84e8a714f185eb55278e4

  • SHA1

    d9841949fc96bb4f72c1cf377333d12fae0f8c5a

  • SHA256

    abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b

  • SHA512

    667b0a6025b629f02a096c245842117782de12c10216be2acbaf3205f8fb19578985b1306b0d10555e532d708f93268861175de7a72abb02fc7beb6e15e99a49

  • SSDEEP

    196608:F9YuWsRVjVJFAoGgSWhGGO9AaLF+AXvkmxxrRq:F99WsRVj7esoqax+g9Fq

Score
6/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 16 IoCs
  • Loads dropped DLL 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2040
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ADAA12C1CEA57D8524F4D9038EC42985
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2172

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Config.Msi\f763a56.rbs

    Filesize

    8KB

    MD5

    42460718bbf552e6528f426bc359025b

    SHA1

    7b97bf0fbe19f59f4cb4b92945a67d2153b7d8a6

    SHA256

    1e2cb0d33dcfd03d1922f4735d41b0eb2f7e91219bf887a2a255c2d3c68c0c7e

    SHA512

    12a04ccd8845803f62c6c95d1ad565f30c6f82e2810406ac0ba591bb96c3a22a526a2421cd716779a664be9ed3c3a56634cbdd900fbc61856e0f1f12e0dec816

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\tracking.ini

    Filesize

    84B

    MD5

    f99165ae9d868c64e7f96d5333bc00d7

    SHA1

    cd44ccdb640a335fb72a2e8a1a7ffd7000b21f60

    SHA256

    243841948a948f265161edd3e3117cee5fcd07575200a25ed9df9abda2a0d52c

    SHA512

    0a5dacc287d3e7f256f459ee45fff998a85fb0be8384e60a787a281dd96ec2fb114acf207ad33eaa76de6342b3019cdc7417c12348e5d6f474c80b749c409e68

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\{334E0302-F4EE-4EF9-ACBF-DEF2BE3D5F70}.session

    Filesize

    18KB

    MD5

    5a632498a0ba1b3dad919b07f84f0b62

    SHA1

    a5f392f632a46ed852920f9ef48cb2241e888c7b

    SHA256

    be126b569eb3aaffa81ad26afe371cc1c0e858054b8760561b460e1c95677aff

    SHA512

    2f9c35c0f8f4dab9fcb5add0d3844a6e8aa8dd4b755c61be1dfe5b1a40f6632ac5d033e27e273f6496094674b38a33c1e9c232ca1a48c95e8dcbeb5ce51c5094

  • C:\Windows\Installer\MSI3B8B.tmp

    Filesize

    378KB

    MD5

    20c782eb64c81ac14c83a853546a8924

    SHA1

    a1506933d294de07a7a2ae1fbc6be468f51371d6

    SHA256

    0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

    SHA512

    aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

  • C:\Windows\Installer\MSI3BFA.tmp

    Filesize

    857KB

    MD5

    d51a7e3bce34c74638e89366deee2aab

    SHA1

    0e68022b52c288e8cdffe85739de1194253a7ef0

    SHA256

    7c6bdf16a0992db092b7f94c374b21de5d53e3043f5717a6eecae614432e0df5

    SHA512

    8ed246747cdd05cac352919d7ded3f14b1e523ccc1f7f172db85eed800b0c5d24475c270b34a7c25e7934467ace7e363542a586cdeb156bfc484f7417c3a4ab0

  • \Windows\Installer\MSI3AB0.tmp

    Filesize

    762KB

    MD5

    573f5e653258bf622ae1c0ad118880a2

    SHA1

    e243c761983908d14baf6c7c0879301c8437415d

    SHA256

    371d1346ec9ca236b257fed5b5a5c260114e56dff009f515fa543e11c4bb81f7

    SHA512

    dfff15345dbf62307c3e6a4c0b363c133d1a0b8b368492f1200273407c2520b33acb20bff90feac356305990492f800844d849ee454e7124395f945de39f39ea