Analysis

  • max time kernel: 131s
  • max time network: 107s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 22-05-2024 01:05

General

  • Target: abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
  • Size: 7.8MB
  • MD5: ffa79d6b5eb84e8a714f185eb55278e4
  • SHA1: d9841949fc96bb4f72c1cf377333d12fae0f8c5a
  • SHA256: abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b
  • SHA512: 667b0a6025b629f02a096c245842117782de12c10216be2acbaf3205f8fb19578985b1306b0d10555e532d708f93268861175de7a72abb02fc7beb6e15e99a49
  • SSDEEP: 196608:F9YuWsRVjVJFAoGgSWhGGO9AaLF+AXvkmxxrRq:F99WsRVj7esoqax+g9Fq

Score: 6/10

Malware Config

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in Windows directory (18 IoCs)
  • Loads dropped DLL (10 IoCs)
  • Script User-Agent (1 IoC)
    Uses user-agent string associated with script host/environment.
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\msiexec.exe (PID 1648)
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\abc72097f51360b0d2ec6cee38f61f2416177e6b4bf55f48ff3221ce58e5ce2b.msi
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
  • C:\Windows\system32\msiexec.exe (PID 3400)
    Command line: C:\Windows\system32\msiexec.exe /V
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\syswow64\MsiExec.exe (PID 2364, child of PID 3400)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5DADD144E7E627A2B07C85D65E8375B3
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery
    • Query Registry (1): T1012
    • Peripheral Device Discovery (1): T1120
    • System Information Discovery (1): T1082


Downloads

  • C:\Config.Msi\e574f7b.rbs (9KB)
    MD5: bf4a410a1d76aef4dcf7b9c82808639c
    SHA1: 4b10a12269b0d85abae4d268ce09754b909c9f30
    SHA256: 0868a725be8df826255172f24e1de297c67425d4b15a6f7d1f5a1c5c17d83bed
    SHA512: a43b8b5b676471e7400dcca8179e676798fe76e1d3b77f0e7706cd256adfeceae0f02a5c2431e396d9867873b0cc68f3af7a46f8db8dfb9fb0818f4ddbc1e65f

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\tracking.ini (84B)
    MD5: 7e6492f280bfcdff920def0259ddd706
    SHA1: 21ce0475d2ee8563749e33a68b829efd24397345
    SHA256: 8f68cedff327058efde296c84ac150d4ab18b483ee2a4297797b4cecc22d3e60
    SHA512: e6d45d1f17501a87b4256bb91042b24518baef1ed2eef37687f156b0b54489cfad73d5bd640f4084d31c863c8dd86cc0746675b4f6f288a83c6727fe181a350a

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\tracking.ini (84B)
    MD5: 7f5d425c1b82fb1dea3460393e5ff954
    SHA1: 33ebcc3f3c5dd7dbac2ff428a34430d68239aa3a
    SHA256: ad2e2d4e20195c05aaaa528fe5887be3b7dda3f7b2ccaf1ce3f79324c66c21d0
    SHA512: d7ee8b1c78b22a020b8df50533d737493b5b07f387d2564b788e83dc5db368e0de45193b9f5898fd8f6cc465ed2eda04f2e156e242131f74eff0372ec06fccc3

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\{739DDFEE-ED4C-402A-A4AA-86AA63592544}.session (3KB)
    MD5: b0f50b6a11d169fadf107bc1874efa8a
    SHA1: 850c0116928af56fe7f73cd6c28956511a88fe92
    SHA256: 341083462f0d3f39b7ce4da916e1dcdc12614b61efb8cd36029f76701bfa35af
    SHA512: e670dfd1a1dd0e800bc53a8818a0c2e2cd26662f59e064f051b2ff111ac3b695c3177ce6f64be2e4dfeb39e839e3b8e4bcc0bce8edbb6c8a1981a73ebe80e3de

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\6644d99620a59ade4c23836a\7.6.8.4\{739DDFEE-ED4C-402A-A4AA-86AA63592544}.session (6KB)
    MD5: 7d1089c33473a00b18e5393386544246
    SHA1: f0e2ac3745876293f8b2951f860a39b62717d0f1
    SHA256: 94dc361caee2cd41508ac3ea439af583f30406f33a766e094a8ff6cdc30a33c1
    SHA512: aa8cc9c072f0d4f70a3f060cc04d5737601c4a109ec8f5de7225e934286d339b576503bc99f036df99cfab416acb91e00ee2188836b71b923e8575c1b3970672

  • C:\Windows\Installer\MSI5004.tmp (762KB)
    MD5: 573f5e653258bf622ae1c0ad118880a2
    SHA1: e243c761983908d14baf6c7c0879301c8437415d
    SHA256: 371d1346ec9ca236b257fed5b5a5c260114e56dff009f515fa543e11c4bb81f7
    SHA512: dfff15345dbf62307c3e6a4c0b363c133d1a0b8b368492f1200273407c2520b33acb20bff90feac356305990492f800844d849ee454e7124395f945de39f39ea

  • C:\Windows\Installer\MSI50F0.tmp (378KB)
    MD5: 20c782eb64c81ac14c83a853546a8924
    SHA1: a1506933d294de07a7a2ae1fbc6be468f51371d6
    SHA256: 0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1
    SHA512: aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

  • C:\Windows\Installer\MSI5160.tmp (857KB)
    MD5: d51a7e3bce34c74638e89366deee2aab
    SHA1: 0e68022b52c288e8cdffe85739de1194253a7ef0
    SHA256: 7c6bdf16a0992db092b7f94c374b21de5d53e3043f5717a6eecae614432e0df5
    SHA512: 8ed246747cdd05cac352919d7ded3f14b1e523ccc1f7f172db85eed800b0c5d24475c270b34a7c25e7934467ace7e363542a586cdeb156bfc484f7417c3a4ab0