8c0d64f0a9e3bea13f2c3aeafc670e62aaf396ba114c463c97e272464b4d8efb

Analysis

max time kernel
126s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c74d2.msi
Size

856KB
MD5

7df20d9d562dd9cac2d6cdc5fa7208f7
SHA1

49d3188918876c11a83631058dcd5e46890e499c
SHA256

52a756d1a43ddfb7eda39715a2cfa37bb474a1f24556b0d905fc73ca93122fdc
SHA512

78c9a31e58e6191785d1a73852b2e1d681778baa9052a81026b40bbb5d1fa8b9130e1fbbfab51560f17e69bc186ed68e63ac37588feccea7059ffa6f20c24600
SSDEEP

12288:T7xeimPfdJ+oZqU8VKIvZUlkj/cBhZeK4lu/XdmYwk:vxeNPLNHWvZgkjcDefMFmi

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\host\fxr\6.0.31\hostfxr.dll	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e599b9a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA167.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e599b9a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9992D04E-553E-4BC2-B0EC-4A394DD19986}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E88.tmp	msiexec.exe
File created	C:\Windows\Installer\e599b9c.msi	msiexec.exe

Loads dropped DLL 3 IoCs

pid	Process
4760	MsiExec.exe
4760	MsiExec.exe
3136	MsiExec.exe

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
2360	msiexec.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.124.15198_x64\Version = "48.124.15198"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.124.15198_x64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E40D2999E3552CB40BCEA493D41D9968\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.124.15198_x64\DisplayName = "Microsoft .NET Host FX Resolver - 6.0.31 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2A7D1D492985F0B405E96BB67F1C7054	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2A7D1D492985F0B405E96BB67F1C7054\E40D2999E3552CB40BCEA493D41D9968	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.124.15198_x64\ = "{9992D04E-553E-4BC2-B0EC-4A394DD19986}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\Version = "813448030"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E40D2999E3552CB40BCEA493D41D9968	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E40D2999E3552CB40BCEA493D41D9968\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\ProductName = "Microsoft .NET Host FX Resolver - 6.0.31 (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\PackageCode = "938C74AD3371D51438DD0A530BD735B9"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\SourceList\PackageName = "9c74d2.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E40D2999E3552CB40BCEA493D41D9968\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2392	msiexec.exe
2392	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2360	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2360	msiexec.exe
Token: SeSecurityPrivilege	2392	msiexec.exe
Token: SeCreateTokenPrivilege	2360	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2360	msiexec.exe
Token: SeLockMemoryPrivilege	2360	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2360	msiexec.exe
Token: SeMachineAccountPrivilege	2360	msiexec.exe
Token: SeTcbPrivilege	2360	msiexec.exe
Token: SeSecurityPrivilege	2360	msiexec.exe
Token: SeTakeOwnershipPrivilege	2360	msiexec.exe
Token: SeLoadDriverPrivilege	2360	msiexec.exe
Token: SeSystemProfilePrivilege	2360	msiexec.exe
Token: SeSystemtimePrivilege	2360	msiexec.exe
Token: SeProfSingleProcessPrivilege	2360	msiexec.exe
Token: SeIncBasePriorityPrivilege	2360	msiexec.exe
Token: SeCreatePagefilePrivilege	2360	msiexec.exe
Token: SeCreatePermanentPrivilege	2360	msiexec.exe
Token: SeBackupPrivilege	2360	msiexec.exe
Token: SeRestorePrivilege	2360	msiexec.exe
Token: SeShutdownPrivilege	2360	msiexec.exe
Token: SeDebugPrivilege	2360	msiexec.exe
Token: SeAuditPrivilege	2360	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2360	msiexec.exe
Token: SeChangeNotifyPrivilege	2360	msiexec.exe
Token: SeRemoteShutdownPrivilege	2360	msiexec.exe
Token: SeUndockPrivilege	2360	msiexec.exe
Token: SeSyncAgentPrivilege	2360	msiexec.exe
Token: SeEnableDelegationPrivilege	2360	msiexec.exe
Token: SeManageVolumePrivilege	2360	msiexec.exe
Token: SeImpersonatePrivilege	2360	msiexec.exe
Token: SeCreateGlobalPrivilege	2360	msiexec.exe
Token: SeCreateTokenPrivilege	2360	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2360	msiexec.exe
Token: SeLockMemoryPrivilege	2360	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2360	msiexec.exe
Token: SeMachineAccountPrivilege	2360	msiexec.exe
Token: SeTcbPrivilege	2360	msiexec.exe
Token: SeSecurityPrivilege	2360	msiexec.exe
Token: SeTakeOwnershipPrivilege	2360	msiexec.exe
Token: SeLoadDriverPrivilege	2360	msiexec.exe
Token: SeSystemProfilePrivilege	2360	msiexec.exe
Token: SeSystemtimePrivilege	2360	msiexec.exe
Token: SeProfSingleProcessPrivilege	2360	msiexec.exe
Token: SeIncBasePriorityPrivilege	2360	msiexec.exe
Token: SeCreatePagefilePrivilege	2360	msiexec.exe
Token: SeCreatePermanentPrivilege	2360	msiexec.exe
Token: SeBackupPrivilege	2360	msiexec.exe
Token: SeRestorePrivilege	2360	msiexec.exe
Token: SeShutdownPrivilege	2360	msiexec.exe
Token: SeDebugPrivilege	2360	msiexec.exe
Token: SeAuditPrivilege	2360	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2360	msiexec.exe
Token: SeChangeNotifyPrivilege	2360	msiexec.exe
Token: SeRemoteShutdownPrivilege	2360	msiexec.exe
Token: SeUndockPrivilege	2360	msiexec.exe
Token: SeSyncAgentPrivilege	2360	msiexec.exe
Token: SeEnableDelegationPrivilege	2360	msiexec.exe
Token: SeManageVolumePrivilege	2360	msiexec.exe
Token: SeImpersonatePrivilege	2360	msiexec.exe
Token: SeCreateGlobalPrivilege	2360	msiexec.exe
Token: SeCreateTokenPrivilege	2360	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2360	msiexec.exe
Token: SeLockMemoryPrivilege	2360	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2360	msiexec.exe
2360	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 4760	2392	msiexec.exe	85
PID 2392 wrote to memory of 4760	2392	msiexec.exe	85
PID 2392 wrote to memory of 4760	2392	msiexec.exe	85
PID 2392 wrote to memory of 3136	2392	msiexec.exe	90
PID 2392 wrote to memory of 3136	2392	msiexec.exe	90
PID 2392 wrote to memory of 3136	2392	msiexec.exe	90

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9c74d2.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2360

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 47F8F8E043D9AE5A4AB4649834B2392C C
  2⤵
  - Loads dropped DLL
  PID:4760
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E146B0F8CB803B3B80CA2D56540D1DA0
  2⤵
  - Loads dropped DLL
  PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e599b9b.rbs

Filesize
8KB

MD5
6dbaad1ccd7e5bee07d362c41be71794

SHA1
6c731cf84610fa261dd375cf147e939a85fa95cd

SHA256
fc82f00de39c8e6b2fd39d805002fd7e59b4295bfacc7b33ec36706150743d7a

SHA512
c240a1f5ec9952c784f9914648a99f157364dc1781ac83d968c5352f61f218ada2a112d22eee5e7a96112f3d0268ef2204075f74e3e084e0d26b1083d9376418

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2D93.tmp

Filesize
244KB

MD5
60e8c139e673b9eb49dc83718278bc88

SHA1
00a3a9cd6d3a9f52628ea09c2e645fe56ee7cd56

SHA256
b181b6b4d69a53143a97a306919ba1adbc0b036a48b6d1d41ae7a01e8ef286cb

SHA512
ac7cb86dbf3b86f00da7b8a246a6c7ef65a6f1c8705ea07f9b90e494b6239fb9626b55ee872a9b7f16575a60c82e767af228b8f018d4d7b9f783efaccca2b103

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI94D5.tmp

Filesize
142KB

MD5
2c2251fddbe9ebc6ed99ee27372babbf

SHA1
d2a6e7dc123e5e7561cb940bfe3bcd312f644ccf

SHA256
1cf779325e52a44b0e23edc1d1416da0e6be09d739c6d9c70b9d05f14585b502

SHA512
d3632c363296b772c0771cf126798148d1efe03caee52d025b85902484af19f4ad0973ee0907d0512c565aa7ab6b07a32b5879b6ecd79c8bc3502235d7ac84b6

Download Submit
C:\Windows\Installer\e599b9a.msi

Filesize
856KB

MD5
7df20d9d562dd9cac2d6cdc5fa7208f7

SHA1
49d3188918876c11a83631058dcd5e46890e499c

SHA256
52a756d1a43ddfb7eda39715a2cfa37bb474a1f24556b0d905fc73ca93122fdc

SHA512
78c9a31e58e6191785d1a73852b2e1d681778baa9052a81026b40bbb5d1fa8b9130e1fbbfab51560f17e69bc186ed68e63ac37588feccea7059ffa6f20c24600

Download Submit