Analysis
max time kernel: 131s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 01:05
Static task: static1

Behavioral task: behavioral1
Sample: abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
Resource: win10v2004-20240426-en
General
Target: abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
Size: 7.8MB
MD5: ffa79d6b5eb84e8a714f185eb55278e4
SHA1: d9841949fc96bb4f72c1cf377333d12fae0f8c5a
SHA256: abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b
SHA512: 667b0a6025b629f02a096c245842117782de12c10216be2acbaf3205f8fb19578985b1306b0d10555e532d708f93268861175de7a72abb02fc7beb6e15e99a49
SSDEEP: 196608:F9YuWsRVjVJFAoGgSWhGGO9AaLF+AXvkmxxrRq:F99WsRVj7esoqax+g9Fq
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
Processes: MsiExec.exe
flow  pid   process
14    2364  MsiExec.exe
20    2364  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description              ioc     process
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
Drops file in Windows directory (18 IoCs)
Processes: msiexec.exe
description                   ioc                                                                   process
File opened for modification  C:\Windows\Installer\MSI5160.tmp                                      msiexec.exe
File created                  C:\Windows\Installer\e574f7c.msi                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI61F0.tmp                                      msiexec.exe
File opened for modification  C:\Windows\Installer\e574f78.msi                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI5004.tmp                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI50F0.tmp                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI54CE.tmp                                      msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                        msiexec.exe
File opened for modification  C:\Windows\Installer\MSI5647.tmp                                      msiexec.exe
File created                  C:\Windows\Installer\e574f78.msi                                      msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log              msiexec.exe
File opened for modification  C:\Windows\Installer\                                                 msiexec.exe
File opened for modification  C:\Windows\Installer\MSI5355.tmp                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI556B.tmp                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI53C3.tmp                                      msiexec.exe
File created                  C:\Windows\Installer\SourceHash{4F8A97A7-22E3-4751-BCDE-A81270EE5EA8}  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI511F.tmp                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI5140.tmp                                      msiexec.exe
Loads dropped DLL (10 IoCs)
Processes: MsiExec.exe
pid   process
2364  MsiExec.exe
(the same entry, pid 2364 MsiExec.exe, is recorded 10 times)
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
description             flow  ioc
HTTP User-Agent header  14    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: MsiExec.exe, msiexec.exe
pid   process
2364  MsiExec.exe
2364  MsiExec.exe
3400  msiexec.exe
3400  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe
description                           pid   process
Token: SeShutdownPrivilege            1648  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1648  msiexec.exe
Token: SeSecurityPrivilege            3400  msiexec.exe
Token: SeCreateTokenPrivilege         1648  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  1648  msiexec.exe
Token: SeLockMemoryPrivilege          1648  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1648  msiexec.exe
Token: SeMachineAccountPrivilege      1648  msiexec.exe
Token: SeTcbPrivilege                 1648  msiexec.exe
Token: SeSecurityPrivilege            1648  msiexec.exe
Token: SeTakeOwnershipPrivilege       1648  msiexec.exe
Token: SeLoadDriverPrivilege          1648  msiexec.exe
Token: SeSystemProfilePrivilege       1648  msiexec.exe
Token: SeSystemtimePrivilege          1648  msiexec.exe
Token: SeProfSingleProcessPrivilege   1648  msiexec.exe
Token: SeIncBasePriorityPrivilege     1648  msiexec.exe
Token: SeCreatePagefilePrivilege      1648  msiexec.exe
Token: SeCreatePermanentPrivilege     1648  msiexec.exe
Token: SeBackupPrivilege              1648  msiexec.exe
Token: SeRestorePrivilege             1648  msiexec.exe
Token: SeShutdownPrivilege            1648  msiexec.exe
Token: SeDebugPrivilege               1648  msiexec.exe
Token: SeAuditPrivilege               1648  msiexec.exe
Token: SeSystemEnvironmentPrivilege   1648  msiexec.exe
Token: SeChangeNotifyPrivilege        1648  msiexec.exe
Token: SeRemoteShutdownPrivilege      1648  msiexec.exe
Token: SeUndockPrivilege              1648  msiexec.exe
Token: SeSyncAgentPrivilege           1648  msiexec.exe
Token: SeEnableDelegationPrivilege    1648  msiexec.exe
Token: SeManageVolumePrivilege        1648  msiexec.exe
Token: SeImpersonatePrivilege         1648  msiexec.exe
Token: SeCreateGlobalPrivilege        1648  msiexec.exe
Token: SeRestorePrivilege             3400  msiexec.exe
Token: SeTakeOwnershipPrivilege       3400  msiexec.exe
(the pair SeRestorePrivilege / SeTakeOwnershipPrivilege for pid 3400 is recorded 16 times in total, 32 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
pid   process
1648  msiexec.exe
1648  msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: msiexec.exe
description                      pid   process      target process
PID 3400 wrote to memory of 2364  3400  msiexec.exe  MsiExec.exe
PID 3400 wrote to memory of 2364  3400  msiexec.exe  MsiExec.exe
PID 3400 wrote to memory of 2364  3400  msiexec.exe  MsiExec.exe
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (child process)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5DADD144E7E627A2B07C85D65E8375B3
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Config.Msi\e574f7b.rbs
  Filesize: 9KB
  MD5: bf4a410a1d76aef4dcf7b9c82808639c
  SHA1: 4b10a12269b0d85abae4d268ce09754b909c9f30
  SHA256: 0868a725be8df826255172f24e1de297c67425d4b15a6f7d1f5a1c5c17d83bed
  SHA512: a43b8b5b676471e7400dcca8179e676798fe76e1d3b77f0e7706cd256adfeceae0f02a5c2431e396d9867873b0cc68f3af7a46f8db8dfb9fb0818f4ddbc1e65f
- C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\tracking.ini
  Filesize: 84B
  MD5: 7e6492f280bfcdff920def0259ddd706
  SHA1: 21ce0475d2ee8563749e33a68b829efd24397345
  SHA256: 8f68cedff327058efde296c84ac150d4ab18b483ee2a4297797b4cecc22d3e60
  SHA512: e6d45d1f17501a87b4256bb91042b24518baef1ed2eef37687f156b0b54489cfad73d5bd640f4084d31c863c8dd86cc0746675b4f6f288a83c6727fe181a350a
- C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\tracking.ini
  Filesize: 84B
  MD5: 7f5d425c1b82fb1dea3460393e5ff954
  SHA1: 33ebcc3f3c5dd7dbac2ff428a34430d68239aa3a
  SHA256: ad2e2d4e20195c05aaaa528fe5887be3b7dda3f7b2ccaf1ce3f79324c66c21d0
  SHA512: d7ee8b1c78b22a020b8df50533d737493b5b07f387d2564b788e83dc5db368e0de45193b9f5898fd8f6cc465ed2eda04f2e156e242131f74eff0372ec06fccc3
- C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\{739DDFEE-ED4C-402A-A4AA-86AA63592544}.session
  Filesize: 3KB
  MD5: b0f50b6a11d169fadf107bc1874efa8a
  SHA1: 850c0116928af56fe7f73cd6c28956511a88fe92
  SHA256: 341083462f0d3f39b7ce4da916e1dcdc12614b61efb8cd36029f76701bfa35af
  SHA512: e670dfd1a1dd0e800bc53a8818a0c2e2cd26662f59e064f051b2ff111ac3b695c3177ce6f64be2e4dfeb39e839e3b8e4bcc0bce8edbb6c8a1981a73ebe80e3de
- C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\{739DDFEE-ED4C-402A-A4AA-86AA63592544}.session
  Filesize: 6KB
  MD5: 7d1089c33473a00b18e5393386544246
  SHA1: f0e2ac3745876293f8b2951f860a39b62717d0f1
  SHA256: 94dc361caee2cd41508ac3ea439af583f30406f33a766e094a8ff6cdc30a33c1
  SHA512: aa8cc9c072f0d4f70a3f060cc04d5737601c4a109ec8f5de7225e934286d339b576503bc99f036df99cfab416acb91e00ee2188836b71b923e8575c1b3970672
- C:\Windows\Installer\MSI5004.tmp
  Filesize: 762KB
  MD5: 573f5e653258bf622ae1c0ad118880a2
  SHA1: e243c761983908d14baf6c7c0879301c8437415d
  SHA256: 371d1346ec9ca236b257fed5b5a5c260114e56dff009f515fa543e11c4bb81f7
  SHA512: dfff15345dbf62307c3e6a4c0b363c133d1a0b8b368492f1200273407c2520b33acb20bff90feac356305990492f800844d849ee454e7124395f945de39f39ea
- C:\Windows\Installer\MSI50F0.tmp
  Filesize: 378KB
  MD5: 20c782eb64c81ac14c83a853546a8924
  SHA1: a1506933d294de07a7a2ae1fbc6be468f51371d6
  SHA256: 0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1
  SHA512: aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9
- C:\Windows\Installer\MSI5160.tmp
  Filesize: 857KB
  MD5: d51a7e3bce34c74638e89366deee2aab
  SHA1: 0e68022b52c288e8cdffe85739de1194253a7ef0
  SHA256: 7c6bdf16a0992db092b7f94c374b21de5d53e3043f5717a6eecae614432e0df5
  SHA512: 8ed246747cdd05cac352919d7ded3f14b1e523ccc1f7f172db85eed800b0c5d24475c270b34a7c25e7934467ace7e363542a586cdeb156bfc484f7417c3a4ab0