abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b

General

Target

abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
Size

7.8MB
MD5

ffa79d6b5eb84e8a714f185eb55278e4
SHA1

d9841949fc96bb4f72c1cf377333d12fae0f8c5a
SHA256

abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b
SHA512

667b0a6025b629f02a096c245842117782de12c10216be2acbaf3205f8fb19578985b1306b0d10555e532d708f93268861175de7a72abb02fc7beb6e15e99a49
SSDEEP

196608:F9YuWsRVjVJFAoGgSWhGGO9AaLF+AXvkmxxrRq:F99WsRVj7esoqax+g9Fq

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

MsiExec.exe

flow pid process

3 2172 MsiExec.exe
4 2172 MsiExec.exe
7 2172 MsiExec.exe

flow	pid	process
3	2172	MsiExec.exe
4	2172	MsiExec.exe
7	2172	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f763a52.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B8B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F97.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f763a52.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BFA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3E1D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BCA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F38.tmp	msiexec.exe
File created	C:\Windows\Installer\f763a55.ipi	msiexec.exe
File created	C:\Windows\Installer\f763a57.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B4E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3AB0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3E9B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI412D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f763a55.ipi	msiexec.exe

Loads dropped DLL 9 IoCs

Processes:

MsiExec.exe

pid process

2172 MsiExec.exe
2172 MsiExec.exe
2172 MsiExec.exe
2172 MsiExec.exe
2172 MsiExec.exe
2172 MsiExec.exe
2172 MsiExec.exe
2172 MsiExec.exe
2172 MsiExec.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

MsiExec.exemsiexec.exe

pid process

2172 MsiExec.exe
1312 msiexec.exe
1312 msiexec.exe

pid	process
2172	MsiExec.exe
2172	MsiExec.exe
2172	MsiExec.exe
2172	MsiExec.exe
2172	MsiExec.exe
2172	MsiExec.exe
2172	MsiExec.exe
2172	MsiExec.exe
2172	MsiExec.exe

pid	process
2172	MsiExec.exe
1312	msiexec.exe
1312	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeSecurityPrivilege	1312	msiexec.exe
Token: SeCreateTokenPrivilege	2040	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2040	msiexec.exe
Token: SeLockMemoryPrivilege	2040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2040	msiexec.exe
Token: SeMachineAccountPrivilege	2040	msiexec.exe
Token: SeTcbPrivilege	2040	msiexec.exe
Token: SeSecurityPrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeLoadDriverPrivilege	2040	msiexec.exe
Token: SeSystemProfilePrivilege	2040	msiexec.exe
Token: SeSystemtimePrivilege	2040	msiexec.exe
Token: SeProfSingleProcessPrivilege	2040	msiexec.exe
Token: SeIncBasePriorityPrivilege	2040	msiexec.exe
Token: SeCreatePagefilePrivilege	2040	msiexec.exe
Token: SeCreatePermanentPrivilege	2040	msiexec.exe
Token: SeBackupPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeShutdownPrivilege	2040	msiexec.exe
Token: SeDebugPrivilege	2040	msiexec.exe
Token: SeAuditPrivilege	2040	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2040	msiexec.exe
Token: SeChangeNotifyPrivilege	2040	msiexec.exe
Token: SeRemoteShutdownPrivilege	2040	msiexec.exe
Token: SeUndockPrivilege	2040	msiexec.exe
Token: SeSyncAgentPrivilege	2040	msiexec.exe
Token: SeEnableDelegationPrivilege	2040	msiexec.exe
Token: SeManageVolumePrivilege	2040	msiexec.exe
Token: SeImpersonatePrivilege	2040	msiexec.exe
Token: SeCreateGlobalPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe
Token: SeRestorePrivilege	1312	msiexec.exe
Token: SeTakeOwnershipPrivilege	1312	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2040 msiexec.exe
2040 msiexec.exe

pid	process
2040	msiexec.exe
2040	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1312 wrote to memory of 2172	1312	msiexec.exe	MsiExec.exe
PID 1312 wrote to memory of 2172	1312	msiexec.exe	MsiExec.exe
PID 1312 wrote to memory of 2172	1312	msiexec.exe	MsiExec.exe
PID 1312 wrote to memory of 2172	1312	msiexec.exe	MsiExec.exe
PID 1312 wrote to memory of 2172	1312	msiexec.exe	MsiExec.exe
PID 1312 wrote to memory of 2172	1312	msiexec.exe	MsiExec.exe
PID 1312 wrote to memory of 2172	1312	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding ADAA12C1CEA57D8524F4D9038EC42985
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f763a56.rbs

Filesize
8KB

MD5
42460718bbf552e6528f426bc359025b

SHA1
7b97bf0fbe19f59f4cb4b92945a67d2153b7d8a6

SHA256
1e2cb0d33dcfd03d1922f4735d41b0eb2f7e91219bf887a2a255c2d3c68c0c7e

SHA512
12a04ccd8845803f62c6c95d1ad565f30c6f82e2810406ac0ba591bb96c3a22a526a2421cd716779a664be9ed3c3a56634cbdd900fbc61856e0f1f12e0dec816

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\tracking.ini

Filesize
84B

MD5
f99165ae9d868c64e7f96d5333bc00d7

SHA1
cd44ccdb640a335fb72a2e8a1a7ffd7000b21f60

SHA256
243841948a948f265161edd3e3117cee5fcd07575200a25ed9df9abda2a0d52c

SHA512
0a5dacc287d3e7f256f459ee45fff998a85fb0be8384e60a787a281dd96ec2fb114acf207ad33eaa76de6342b3019cdc7417c12348e5d6f474c80b749c409e68

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\{334E0302-F4EE-4EF9-ACBF-DEF2BE3D5F70}.session

Filesize
18KB

MD5
5a632498a0ba1b3dad919b07f84f0b62

SHA1
a5f392f632a46ed852920f9ef48cb2241e888c7b

SHA256
be126b569eb3aaffa81ad26afe371cc1c0e858054b8760561b460e1c95677aff

SHA512
2f9c35c0f8f4dab9fcb5add0d3844a6e8aa8dd4b755c61be1dfe5b1a40f6632ac5d033e27e273f6496094674b38a33c1e9c232ca1a48c95e8dcbeb5ce51c5094

Download Submit
C:\Windows\Installer\MSI3B8B.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Windows\Installer\MSI3BFA.tmp

Filesize
857KB

MD5
d51a7e3bce34c74638e89366deee2aab

SHA1
0e68022b52c288e8cdffe85739de1194253a7ef0

SHA256
7c6bdf16a0992db092b7f94c374b21de5d53e3043f5717a6eecae614432e0df5

SHA512
8ed246747cdd05cac352919d7ded3f14b1e523ccc1f7f172db85eed800b0c5d24475c270b34a7c25e7934467ace7e363542a586cdeb156bfc484f7417c3a4ab0

Download Submit
\Windows\Installer\MSI3AB0.tmp

Filesize
762KB

MD5
573f5e653258bf622ae1c0ad118880a2

SHA1
e243c761983908d14baf6c7c0879301c8437415d

SHA256
371d1346ec9ca236b257fed5b5a5c260114e56dff009f515fa543e11c4bb81f7

SHA512
dfff15345dbf62307c3e6a4c0b363c133d1a0b8b368492f1200273407c2520b33acb20bff90feac356305990492f800844d849ee454e7124395f945de39f39ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads