ce35819b8e52f92738534f2b0c0d468bdade96eba64a41915618ab11c04c994a

General

Target

setup.msi
Size

25.2MB
MD5

9e10d740b32cd15a4fb9a947f911b924
SHA1

6ed60f2f79f986cbf4cc6ab1076522b9c762c272
SHA256

ce35819b8e52f92738534f2b0c0d468bdade96eba64a41915618ab11c04c994a
SHA512

d793f50e6a417a8c75da3a3e809c9cb2d2724d92600e994a90c4198f47937ad462d1682a5277fcb3f0d6648fee2511a2b43c96ff96e8e6a7bec4e461b6bd7a08
SSDEEP

393216:o+OBUMu/xfGNU/6EiKJ5q7cPYALEUEZZ5XXMHjmPaKshz8Rk3KRrREZ78t0N:o+FMSuNCXFYHnbBXHaJ8a3wrREit0

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f76258a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2760.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI407E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI40DC.tmp	msiexec.exe
File created	C:\Windows\Installer\f76258d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76258a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2607.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2721.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A25.tmp	msiexec.exe

Loads dropped DLL 6 IoCs

Processes:

MsiExec.exe

pid process

3020 MsiExec.exe
3020 MsiExec.exe
3020 MsiExec.exe
3020 MsiExec.exe
3020 MsiExec.exe
3020 MsiExec.exe
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Processes:

msiexec.exe

pid process

1484 msiexec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2952 msiexec.exe
2952 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msiexec.exe

pid process

1484 msiexec.exe

pid	process
3020	MsiExec.exe
3020	MsiExec.exe
3020	MsiExec.exe
3020	MsiExec.exe
3020	MsiExec.exe
3020	MsiExec.exe

pid	process
1484	msiexec.exe

pid	process
2952	msiexec.exe
2952	msiexec.exe

pid	process
1484	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1484	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeSecurityPrivilege	2952	msiexec.exe
Token: SeCreateTokenPrivilege	1484	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1484	msiexec.exe
Token: SeLockMemoryPrivilege	1484	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1484	msiexec.exe
Token: SeMachineAccountPrivilege	1484	msiexec.exe
Token: SeTcbPrivilege	1484	msiexec.exe
Token: SeSecurityPrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeLoadDriverPrivilege	1484	msiexec.exe
Token: SeSystemProfilePrivilege	1484	msiexec.exe
Token: SeSystemtimePrivilege	1484	msiexec.exe
Token: SeProfSingleProcessPrivilege	1484	msiexec.exe
Token: SeIncBasePriorityPrivilege	1484	msiexec.exe
Token: SeCreatePagefilePrivilege	1484	msiexec.exe
Token: SeCreatePermanentPrivilege	1484	msiexec.exe
Token: SeBackupPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeShutdownPrivilege	1484	msiexec.exe
Token: SeDebugPrivilege	1484	msiexec.exe
Token: SeAuditPrivilege	1484	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1484	msiexec.exe
Token: SeChangeNotifyPrivilege	1484	msiexec.exe
Token: SeRemoteShutdownPrivilege	1484	msiexec.exe
Token: SeUndockPrivilege	1484	msiexec.exe
Token: SeSyncAgentPrivilege	1484	msiexec.exe
Token: SeEnableDelegationPrivilege	1484	msiexec.exe
Token: SeManageVolumePrivilege	1484	msiexec.exe
Token: SeImpersonatePrivilege	1484	msiexec.exe
Token: SeCreateGlobalPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe
Token: SeRestorePrivilege	2952	msiexec.exe
Token: SeTakeOwnershipPrivilege	2952	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1484 msiexec.exe

pid	process
1484	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2952 wrote to memory of 3020	2952	msiexec.exe	MsiExec.exe
PID 2952 wrote to memory of 3020	2952	msiexec.exe	MsiExec.exe
PID 2952 wrote to memory of 3020	2952	msiexec.exe	MsiExec.exe
PID 2952 wrote to memory of 3020	2952	msiexec.exe	MsiExec.exe
PID 2952 wrote to memory of 3020	2952	msiexec.exe	MsiExec.exe
PID 2952 wrote to memory of 3020	2952	msiexec.exe	MsiExec.exe
PID 2952 wrote to memory of 3020	2952	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1484

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 71AAC0C1DB76D91538295E12F303BBA1
  2⤵
  - Loads dropped DLL
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Privilege Escalation

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI2607.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSI2760.tmp

Filesize
1.1MB

MD5
1a2b237796742c26b11a008d0b175e29

SHA1
cfd5affcfb3b6fd407e58dfc7187fad4f186ea18

SHA256
81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730

SHA512
3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5

Download Submit
\Windows\Installer\MSI40DC.tmp

Filesize
364KB

MD5
54d74546c6afe67b3d118c3c477c159a

SHA1
957f08beb7e27e657cd83d8ee50388b887935fae

SHA256
f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

SHA512
d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads