Analysis
-
max time kernel
124s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
18-06-2024 13:02
Static task
static1
Behavioral task
behavioral1
Sample
setup.msi
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
setup.msi
Resource
win10v2004-20240226-en
General
-
Target
setup.msi
-
Size
25.2MB
-
MD5
9e10d740b32cd15a4fb9a947f911b924
-
SHA1
6ed60f2f79f986cbf4cc6ab1076522b9c762c272
-
SHA256
ce35819b8e52f92738534f2b0c0d468bdade96eba64a41915618ab11c04c994a
-
SHA512
d793f50e6a417a8c75da3a3e809c9cb2d2724d92600e994a90c4198f47937ad462d1682a5277fcb3f0d6648fee2511a2b43c96ff96e8e6a7bec4e461b6bd7a08
-
SSDEEP
393216:o+OBUMu/xfGNU/6EiKJ5q7cPYALEUEZZ5XXMHjmPaKshz8Rk3KRrREZ78t0N:o+FMSuNCXFYHnbBXHaJ8a3wrREit0
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe -
Drops file in Windows directory 11 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Windows\Installer\f76258a.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI2760.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI27DE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI407E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI40DC.tmp msiexec.exe File created C:\Windows\Installer\f76258d.ipi msiexec.exe File opened for modification C:\Windows\Installer\f76258a.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI2607.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2721.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI7A25.tmp msiexec.exe -
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exepid process 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe -
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 2952 msiexec.exe 2952 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msiexec.exepid process 1484 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
msiexec.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 1484 msiexec.exe Token: SeIncreaseQuotaPrivilege 1484 msiexec.exe Token: SeRestorePrivilege 2952 msiexec.exe Token: SeTakeOwnershipPrivilege 2952 msiexec.exe Token: SeSecurityPrivilege 2952 msiexec.exe Token: SeCreateTokenPrivilege 1484 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1484 msiexec.exe Token: SeLockMemoryPrivilege 1484 msiexec.exe Token: SeIncreaseQuotaPrivilege 1484 msiexec.exe Token: SeMachineAccountPrivilege 1484 msiexec.exe Token: SeTcbPrivilege 1484 msiexec.exe Token: SeSecurityPrivilege 1484 msiexec.exe Token: SeTakeOwnershipPrivilege 1484 msiexec.exe Token: SeLoadDriverPrivilege 1484 msiexec.exe Token: SeSystemProfilePrivilege 1484 msiexec.exe Token: SeSystemtimePrivilege 1484 msiexec.exe Token: SeProfSingleProcessPrivilege 1484 msiexec.exe Token: SeIncBasePriorityPrivilege 1484 msiexec.exe Token: SeCreatePagefilePrivilege 1484 msiexec.exe Token: SeCreatePermanentPrivilege 1484 msiexec.exe Token: SeBackupPrivilege 1484 msiexec.exe Token: SeRestorePrivilege 1484 msiexec.exe Token: SeShutdownPrivilege 1484 msiexec.exe Token: SeDebugPrivilege 1484 msiexec.exe Token: SeAuditPrivilege 1484 msiexec.exe Token: SeSystemEnvironmentPrivilege 1484 msiexec.exe Token: SeChangeNotifyPrivilege 1484 msiexec.exe Token: SeRemoteShutdownPrivilege 1484 msiexec.exe Token: SeUndockPrivilege 1484 msiexec.exe Token: SeSyncAgentPrivilege 1484 msiexec.exe Token: SeEnableDelegationPrivilege 1484 msiexec.exe Token: SeManageVolumePrivilege 1484 msiexec.exe Token: SeImpersonatePrivilege 1484 msiexec.exe Token: SeCreateGlobalPrivilege 1484 msiexec.exe Token: SeRestorePrivilege 2952 msiexec.exe Token: SeTakeOwnershipPrivilege 2952 msiexec.exe Token: SeRestorePrivilege 2952 msiexec.exe Token: SeTakeOwnershipPrivilege 2952 msiexec.exe Token: SeRestorePrivilege 2952 msiexec.exe Token: SeTakeOwnershipPrivilege 2952 msiexec.exe Token: SeRestorePrivilege 2952 msiexec.exe Token: SeTakeOwnershipPrivilege 2952 msiexec.exe Token: SeRestorePrivilege 2952 msiexec.exe Token: SeTakeOwnershipPrivilege 2952 msiexec.exe Token: SeRestorePrivilege 2952 msiexec.exe Token: SeTakeOwnershipPrivilege 2952 msiexec.exe Token: SeRestorePrivilege 2952 msiexec.exe Token: SeTakeOwnershipPrivilege 2952 msiexec.exe Token: SeRestorePrivilege 2952 msiexec.exe Token: SeTakeOwnershipPrivilege 2952 msiexec.exe Token: SeRestorePrivilege 2952 msiexec.exe Token: SeTakeOwnershipPrivilege 2952 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 1484 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
msiexec.exedescription pid process target process PID 2952 wrote to memory of 3020 2952 msiexec.exe MsiExec.exe PID 2952 wrote to memory of 3020 2952 msiexec.exe MsiExec.exe PID 2952 wrote to memory of 3020 2952 msiexec.exe MsiExec.exe PID 2952 wrote to memory of 3020 2952 msiexec.exe MsiExec.exe PID 2952 wrote to memory of 3020 2952 msiexec.exe MsiExec.exe PID 2952 wrote to memory of 3020 2952 msiexec.exe MsiExec.exe PID 2952 wrote to memory of 3020 2952 msiexec.exe MsiExec.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1484
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 71AAC0C1DB76D91538295E12F303BBA12⤵
- Loads dropped DLL
PID:3020
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
738KB
MD5b158d8d605571ea47a238df5ab43dfaa
SHA1bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA51256aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
-
Filesize
1.1MB
MD51a2b237796742c26b11a008d0b175e29
SHA1cfd5affcfb3b6fd407e58dfc7187fad4f186ea18
SHA25681e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730
SHA5123135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5
-
Filesize
364KB
MD554d74546c6afe67b3d118c3c477c159a
SHA1957f08beb7e27e657cd83d8ee50388b887935fae
SHA256f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
SHA512d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f