4299b542be0fbc40cecc010755783f855a1548f99d870dd21a33ec22a60a5f71

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nextware_V033048.msi
Size

9.8MB
MD5

e67579e51e9a5853c34c08565ac6d37a
SHA1

8419a63958537c050f84694faa9f92098dd07180
SHA256

e2ae290e8a74a1864369730e469f2245c223149ad392a82b8a23314940c316a2
SHA512

d9ba71bb9a707b3e01c173c261a0e5fad5df26593645d167be6bb2fa07a9de05c3c653112a67426055858c7b71c2e454e20696e008e71a7191abc0548deeb6a3
SSDEEP

196608:kigrI6bi4oCCq+H882wIxyB0alAGWBo9AEMQU2sewQPWNG:k/i5ge882IllA1Bo9AEMQUO5

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Executes dropped EXE 10 IoCs

pid	Process
1376	ISBEW64.exe
728	ISBEW64.exe
2072	ISBEW64.exe
4580	ISBEW64.exe
1780	ISBEW64.exe
2724	ISBEW64.exe
2168	ISBEW64.exe
804	ISBEW64.exe
3436	ISBEW64.exe
3688	ISBEW64.exe

Loads dropped DLL 4 IoCs

pid	Process
4356	MsiExec.exe
4356	MsiExec.exe
4356	MsiExec.exe
4356	MsiExec.exe

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
3808	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3808	msiexec.exe
Token: SeSecurityPrivilege	2736	msiexec.exe
Token: SeCreateTokenPrivilege	3808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3808	msiexec.exe
Token: SeLockMemoryPrivilege	3808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3808	msiexec.exe
Token: SeMachineAccountPrivilege	3808	msiexec.exe
Token: SeTcbPrivilege	3808	msiexec.exe
Token: SeSecurityPrivilege	3808	msiexec.exe
Token: SeTakeOwnershipPrivilege	3808	msiexec.exe
Token: SeLoadDriverPrivilege	3808	msiexec.exe
Token: SeSystemProfilePrivilege	3808	msiexec.exe
Token: SeSystemtimePrivilege	3808	msiexec.exe
Token: SeProfSingleProcessPrivilege	3808	msiexec.exe
Token: SeIncBasePriorityPrivilege	3808	msiexec.exe
Token: SeCreatePagefilePrivilege	3808	msiexec.exe
Token: SeCreatePermanentPrivilege	3808	msiexec.exe
Token: SeBackupPrivilege	3808	msiexec.exe
Token: SeRestorePrivilege	3808	msiexec.exe
Token: SeShutdownPrivilege	3808	msiexec.exe
Token: SeDebugPrivilege	3808	msiexec.exe
Token: SeAuditPrivilege	3808	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3808	msiexec.exe
Token: SeChangeNotifyPrivilege	3808	msiexec.exe
Token: SeRemoteShutdownPrivilege	3808	msiexec.exe
Token: SeUndockPrivilege	3808	msiexec.exe
Token: SeSyncAgentPrivilege	3808	msiexec.exe
Token: SeEnableDelegationPrivilege	3808	msiexec.exe
Token: SeManageVolumePrivilege	3808	msiexec.exe
Token: SeImpersonatePrivilege	3808	msiexec.exe
Token: SeCreateGlobalPrivilege	3808	msiexec.exe
Token: SeCreateTokenPrivilege	3808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3808	msiexec.exe
Token: SeLockMemoryPrivilege	3808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3808	msiexec.exe
Token: SeMachineAccountPrivilege	3808	msiexec.exe
Token: SeTcbPrivilege	3808	msiexec.exe
Token: SeSecurityPrivilege	3808	msiexec.exe
Token: SeTakeOwnershipPrivilege	3808	msiexec.exe
Token: SeLoadDriverPrivilege	3808	msiexec.exe
Token: SeSystemProfilePrivilege	3808	msiexec.exe
Token: SeSystemtimePrivilege	3808	msiexec.exe
Token: SeProfSingleProcessPrivilege	3808	msiexec.exe
Token: SeIncBasePriorityPrivilege	3808	msiexec.exe
Token: SeCreatePagefilePrivilege	3808	msiexec.exe
Token: SeCreatePermanentPrivilege	3808	msiexec.exe
Token: SeBackupPrivilege	3808	msiexec.exe
Token: SeRestorePrivilege	3808	msiexec.exe
Token: SeShutdownPrivilege	3808	msiexec.exe
Token: SeDebugPrivilege	3808	msiexec.exe
Token: SeAuditPrivilege	3808	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3808	msiexec.exe
Token: SeChangeNotifyPrivilege	3808	msiexec.exe
Token: SeRemoteShutdownPrivilege	3808	msiexec.exe
Token: SeUndockPrivilege	3808	msiexec.exe
Token: SeSyncAgentPrivilege	3808	msiexec.exe
Token: SeEnableDelegationPrivilege	3808	msiexec.exe
Token: SeManageVolumePrivilege	3808	msiexec.exe
Token: SeImpersonatePrivilege	3808	msiexec.exe
Token: SeCreateGlobalPrivilege	3808	msiexec.exe
Token: SeCreateTokenPrivilege	3808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3808	msiexec.exe
Token: SeLockMemoryPrivilege	3808	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3808	msiexec.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4356	2736	msiexec.exe	90
PID 2736 wrote to memory of 4356	2736	msiexec.exe	90
PID 2736 wrote to memory of 4356	2736	msiexec.exe	90
PID 4356 wrote to memory of 1376	4356	MsiExec.exe	91
PID 4356 wrote to memory of 1376	4356	MsiExec.exe	91
PID 4356 wrote to memory of 728	4356	MsiExec.exe	92
PID 4356 wrote to memory of 728	4356	MsiExec.exe	92
PID 4356 wrote to memory of 2072	4356	MsiExec.exe	93
PID 4356 wrote to memory of 2072	4356	MsiExec.exe	93
PID 4356 wrote to memory of 4580	4356	MsiExec.exe	94
PID 4356 wrote to memory of 4580	4356	MsiExec.exe	94
PID 4356 wrote to memory of 1780	4356	MsiExec.exe	95
PID 4356 wrote to memory of 1780	4356	MsiExec.exe	95
PID 4356 wrote to memory of 2724	4356	MsiExec.exe	96
PID 4356 wrote to memory of 2724	4356	MsiExec.exe	96
PID 4356 wrote to memory of 2168	4356	MsiExec.exe	97
PID 4356 wrote to memory of 2168	4356	MsiExec.exe	97
PID 4356 wrote to memory of 804	4356	MsiExec.exe	98
PID 4356 wrote to memory of 804	4356	MsiExec.exe	98
PID 4356 wrote to memory of 3436	4356	MsiExec.exe	99
PID 4356 wrote to memory of 3436	4356	MsiExec.exe	99
PID 4356 wrote to memory of 3688	4356	MsiExec.exe	100
PID 4356 wrote to memory of 3688	4356	MsiExec.exe	100

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Nextware_V033048.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DBFE0C17A117B8F47B55CEDCDD239AE5 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F533EC3F-4B91-41E2-A44C-DA6397965747}
    3⤵
    - Executes dropped EXE
    PID:1376
- - C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9CC8F64A-7CD4-4B9F-ADFC-79BA051927C8}
    3⤵
    - Executes dropped EXE
    PID:728
- - C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C4ECB2B-342A-4EC9-B40D-DA063508B84D}
    3⤵
    - Executes dropped EXE
    PID:2072
- - C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{46C8631C-CF3D-48A2-A81E-2EC6884F6BBA}
    3⤵
    - Executes dropped EXE
    PID:4580
- - C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B86D109D-5390-422F-B02B-7FB69E23A17E}
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A5919A9C-9DA2-4E8F-B8FD-0870CBCA7B72}
    3⤵
    - Executes dropped EXE
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B53102F9-1E5C-4B02-BE6B-0DF8FD39624C}
    3⤵
    - Executes dropped EXE
    PID:2168
- - C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DCF42FF7-DFC6-441C-A6A3-713A6D3FC97E}
    3⤵
    - Executes dropped EXE
    PID:804
- - C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CD0CE937-F8CC-4529-93D7-3E24E27BE22A}
    3⤵
    - Executes dropped EXE
    PID:3436
- - C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{667010CA-4C1C-4140-9655-AA778590745C}
    3⤵
    - Executes dropped EXE
    PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:8
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI3A5.tmp

Filesize
2.5MB

MD5
a050535fc7f71f6f92ae4a989b737ad1

SHA1
c5ba2b9178187e033f1cf27781000605e74d343f

SHA256
399aed01b905ef1a5b2f8def5d1b2f2c258b7ccc0be2fa90853f63a39d7bd3c3

SHA512
7480f330670e955eca6e93a951e4bfab69dc137ff5e29c1c36bf6f045db163a0c8ec2800a86317558604366576a9229259ae35ed834965bf624add81cccd0261

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISBEW64.exe

Filesize
177KB

MD5
7eb57876ff781f17adce41ffc70d1f31

SHA1
3a358773608e315d8e1ec97476e670802e9f1ec6

SHA256
1f0d8dfbd8b2b9c0ceb8a827ffdd1559d1fb26e86836a9080dfd168759c03bbe

SHA512
d967395f5ddb5df40949a737ec9b4c5e675c0355733938d9a17801f98aad9af2fd2e6660786c13ebb2f2a66fcb76fc99ee064acd87796a7931e21a973772576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\ISRT.dll

Filesize
422KB

MD5
77f4ad122b04f2e11d3841b611596785

SHA1
133d1935811929e5aa5bc0c97c826d0fe7c6b4fb

SHA256
eefcb7fb1ce56e30a8b6c82ba8afc4ecbbaaa50028104e5873de620fc3803982

SHA512
a4c10caa98887b158bd7513c6115ded655602bf5f129c2738c3428444a73a650fda69193c3e76d76c6a684d6c5977a7e0f69bbf3cc08d078b96fb4531d8ae901

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FA9DE794-1241-4222-AD03-F449A0C29CC7}\_isres_0x0409.dll

Filesize
1.8MB

MD5
16113c70b9d149484530e8e71096d454

SHA1
bc04da8a76927ac88a77b6eafdfdbd0e8371f8d0

SHA256
a948907b44d23cf4797f984a875f7eecd3b8c4a81218d7b124708ec8d0f26062

SHA512
1d69d1342ef27c1508f8cf84750178037a17c00b6392be006fb2bb107420c32173dfc500047ef921158ccd0452daad7158a2641eae89925a85389b681c1a194a

Download Submit
memory/4356-24-0x0000000010000000-0x0000000010112000-memory.dmp

Filesize
1.1MB

Download
memory/4356-29-0x0000000003340000-0x0000000003507000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads