Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 01:05
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
  Resource: win7-20240508-en
- Behavioral task: behavioral2
  Sample: abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
  Resource: win10v2004-20240426-en
General
- Target: abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
- Size: 7.8MB
- MD5: ffa79d6b5eb84e8a714f185eb55278e4
- SHA1: d9841949fc96bb4f72c1cf377333d12fae0f8c5a
- SHA256: abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b
- SHA512: 667b0a6025b629f02a096c245842117782de12c10216be2acbaf3205f8fb19578985b1306b0d10555e532d708f93268861175de7a72abb02fc7beb6e15e99a49
- SSDEEP: 196608:F9YuWsRVjVJFAoGgSWhGGO9AaLF+AXvkmxxrRq:F99WsRVj7esoqax+g9Fq
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow  pid   process
    3     2172  MsiExec.exe
    4     2172  MsiExec.exe
    7     2172  MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\A:  msiexec.exe
    File opened (read-only)  \??\J:  msiexec.exe
    File opened (read-only)  \??\S:  msiexec.exe
    File opened (read-only)  \??\Z:  msiexec.exe
    File opened (read-only)  \??\L:  msiexec.exe
    File opened (read-only)  \??\M:  msiexec.exe
    File opened (read-only)  \??\Z:  msiexec.exe
    File opened (read-only)  \??\I:  msiexec.exe
    File opened (read-only)  \??\P:  msiexec.exe
    File opened (read-only)  \??\I:  msiexec.exe
    File opened (read-only)  \??\O:  msiexec.exe
    File opened (read-only)  \??\U:  msiexec.exe
    File opened (read-only)  \??\W:  msiexec.exe
    File opened (read-only)  \??\Y:  msiexec.exe
    File opened (read-only)  \??\L:  msiexec.exe
    File opened (read-only)  \??\B:  msiexec.exe
    File opened (read-only)  \??\Y:  msiexec.exe
    File opened (read-only)  \??\X:  msiexec.exe
    File opened (read-only)  \??\H:  msiexec.exe
    File opened (read-only)  \??\P:  msiexec.exe
    File opened (read-only)  \??\V:  msiexec.exe
    File opened (read-only)  \??\K:  msiexec.exe
    File opened (read-only)  \??\M:  msiexec.exe
    File opened (read-only)  \??\R:  msiexec.exe
    File opened (read-only)  \??\U:  msiexec.exe
    File opened (read-only)  \??\E:  msiexec.exe
    File opened (read-only)  \??\Q:  msiexec.exe
    File opened (read-only)  \??\X:  msiexec.exe
    File opened (read-only)  \??\W:  msiexec.exe
    File opened (read-only)  \??\G:  msiexec.exe
    File opened (read-only)  \??\S:  msiexec.exe
    File opened (read-only)  \??\T:  msiexec.exe
    File opened (read-only)  \??\A:  msiexec.exe
    File opened (read-only)  \??\E:  msiexec.exe
    File opened (read-only)  \??\N:  msiexec.exe
    File opened (read-only)  \??\O:  msiexec.exe
    File opened (read-only)  \??\B:  msiexec.exe
    File opened (read-only)  \??\J:  msiexec.exe
    File opened (read-only)  \??\K:  msiexec.exe
    File opened (read-only)  \??\N:  msiexec.exe
    File opened (read-only)  \??\R:  msiexec.exe
    File opened (read-only)  \??\G:  msiexec.exe
    File opened (read-only)  \??\H:  msiexec.exe
    File opened (read-only)  \??\Q:  msiexec.exe
    File opened (read-only)  \??\T:  msiexec.exe
    File opened (read-only)  \??\V:  msiexec.exe
- Drops file in Windows directory (16 IoCs)
  Processes:
    description                   ioc                                  process
    File created                  C:\Windows\Installer\f763a52.msi     msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI3B8B.tmp     msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI3F97.tmp     msiexec.exe
    File opened for modification  C:\Windows\Installer\f763a52.msi     msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI3BFA.tmp     msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI3E1D.tmp     msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI3BCA.tmp     msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI3F38.tmp     msiexec.exe
    File created                  C:\Windows\Installer\f763a55.ipi     msiexec.exe
    File created                  C:\Windows\Installer\f763a57.msi     msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI4B4E.tmp     msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI3AB0.tmp     msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI3E9B.tmp     msiexec.exe
    File opened for modification  C:\Windows\Installer\                msiexec.exe
    File opened for modification  C:\Windows\Installer\MSI412D.tmp     msiexec.exe
    File opened for modification  C:\Windows\Installer\f763a55.ipi     msiexec.exe
- Loads dropped DLL (9 IoCs)
  Processes:
    pid   process
    2172  MsiExec.exe
    2172  MsiExec.exe
    2172  MsiExec.exe
    2172  MsiExec.exe
    2172  MsiExec.exe
    2172  MsiExec.exe
    2172  MsiExec.exe
    2172  MsiExec.exe
    2172  MsiExec.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    2172  MsiExec.exe
    1312  msiexec.exe
    1312  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description                           pid   process
    Token: SeShutdownPrivilege            2040  msiexec.exe
    Token: SeIncreaseQuotaPrivilege       2040  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeSecurityPrivilege            1312  msiexec.exe
    Token: SeCreateTokenPrivilege         2040  msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege  2040  msiexec.exe
    Token: SeLockMemoryPrivilege          2040  msiexec.exe
    Token: SeIncreaseQuotaPrivilege       2040  msiexec.exe
    Token: SeMachineAccountPrivilege      2040  msiexec.exe
    Token: SeTcbPrivilege                 2040  msiexec.exe
    Token: SeSecurityPrivilege            2040  msiexec.exe
    Token: SeTakeOwnershipPrivilege       2040  msiexec.exe
    Token: SeLoadDriverPrivilege          2040  msiexec.exe
    Token: SeSystemProfilePrivilege       2040  msiexec.exe
    Token: SeSystemtimePrivilege          2040  msiexec.exe
    Token: SeProfSingleProcessPrivilege   2040  msiexec.exe
    Token: SeIncBasePriorityPrivilege     2040  msiexec.exe
    Token: SeCreatePagefilePrivilege      2040  msiexec.exe
    Token: SeCreatePermanentPrivilege     2040  msiexec.exe
    Token: SeBackupPrivilege              2040  msiexec.exe
    Token: SeRestorePrivilege             2040  msiexec.exe
    Token: SeShutdownPrivilege            2040  msiexec.exe
    Token: SeDebugPrivilege               2040  msiexec.exe
    Token: SeAuditPrivilege               2040  msiexec.exe
    Token: SeSystemEnvironmentPrivilege   2040  msiexec.exe
    Token: SeChangeNotifyPrivilege        2040  msiexec.exe
    Token: SeRemoteShutdownPrivilege      2040  msiexec.exe
    Token: SeUndockPrivilege              2040  msiexec.exe
    Token: SeSyncAgentPrivilege           2040  msiexec.exe
    Token: SeEnableDelegationPrivilege    2040  msiexec.exe
    Token: SeManageVolumePrivilege        2040  msiexec.exe
    Token: SeImpersonatePrivilege         2040  msiexec.exe
    Token: SeCreateGlobalPrivilege        2040  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
    Token: SeRestorePrivilege             1312  msiexec.exe
    Token: SeTakeOwnershipPrivilege       1312  msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid   process
    2040  msiexec.exe
    2040  msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                      pid   process      target process
    PID 1312 wrote to memory of 2172  1312  msiexec.exe  MsiExec.exe
    PID 1312 wrote to memory of 2172  1312  msiexec.exe  MsiExec.exe
    PID 1312 wrote to memory of 2172  1312  msiexec.exe  MsiExec.exe
    PID 1312 wrote to memory of 2172  1312  msiexec.exe  MsiExec.exe
    PID 1312 wrote to memory of 2172  1312  msiexec.exe  MsiExec.exe
    PID 1312 wrote to memory of 2172  1312  msiexec.exe  MsiExec.exe
    PID 1312 wrote to memory of 2172  1312  msiexec.exe  MsiExec.exe
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
  PID: 2040
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1312
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding ADAA12C1CEA57D8524F4D9038EC42985
    PID: 2172
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 42460718bbf552e6528f426bc359025b
  SHA1: 7b97bf0fbe19f59f4cb4b92945a67d2153b7d8a6
  SHA256: 1e2cb0d33dcfd03d1922f4735d41b0eb2f7e91219bf887a2a255c2d3c68c0c7e
  SHA512: 12a04ccd8845803f62c6c95d1ad565f30c6f82e2810406ac0ba591bb96c3a22a526a2421cd716779a664be9ed3c3a56634cbdd900fbc61856e0f1f12e0dec816
- Filesize: 84B
  MD5: f99165ae9d868c64e7f96d5333bc00d7
  SHA1: cd44ccdb640a335fb72a2e8a1a7ffd7000b21f60
  SHA256: 243841948a948f265161edd3e3117cee5fcd07575200a25ed9df9abda2a0d52c
  SHA512: 0a5dacc287d3e7f256f459ee45fff998a85fb0be8384e60a787a281dd96ec2fb114acf207ad33eaa76de6342b3019cdc7417c12348e5d6f474c80b749c409e68
- C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\{334E0302-F4EE-4EF9-ACBF-DEF2BE3D5F70}.session
  Filesize: 18KB
  MD5: 5a632498a0ba1b3dad919b07f84f0b62
  SHA1: a5f392f632a46ed852920f9ef48cb2241e888c7b
  SHA256: be126b569eb3aaffa81ad26afe371cc1c0e858054b8760561b460e1c95677aff
  SHA512: 2f9c35c0f8f4dab9fcb5add0d3844a6e8aa8dd4b755c61be1dfe5b1a40f6632ac5d033e27e273f6496094674b38a33c1e9c232ca1a48c95e8dcbeb5ce51c5094
- Filesize: 378KB
  MD5: 20c782eb64c81ac14c83a853546a8924
  SHA1: a1506933d294de07a7a2ae1fbc6be468f51371d6
  SHA256: 0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1
  SHA512: aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9
- Filesize: 857KB
  MD5: d51a7e3bce34c74638e89366deee2aab
  SHA1: 0e68022b52c288e8cdffe85739de1194253a7ef0
  SHA256: 7c6bdf16a0992db092b7f94c374b21de5d53e3043f5717a6eecae614432e0df5
  SHA512: 8ed246747cdd05cac352919d7ded3f14b1e523ccc1f7f172db85eed800b0c5d24475c270b34a7c25e7934467ace7e363542a586cdeb156bfc484f7417c3a4ab0
- Filesize: 762KB
  MD5: 573f5e653258bf622ae1c0ad118880a2
  SHA1: e243c761983908d14baf6c7c0879301c8437415d
  SHA256: 371d1346ec9ca236b257fed5b5a5c260114e56dff009f515fa543e11c4bb81f7
  SHA512: dfff15345dbf62307c3e6a4c0b363c133d1a0b8b368492f1200273407c2520b33acb20bff90feac356305990492f800844d849ee454e7124395f945de39f39ea