85517e5a1c0b209ccaee37a5457a7de55f881684db5d4fdb9706a6613284e74f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 11:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Token.msi
Size

3.0MB
MD5

ced40728f99d5a13eb9dad4a5a3f50ea
SHA1

0349174d71ca1aa6f3c2b9b7e18b04bb9f25d8a6
SHA256

85517e5a1c0b209ccaee37a5457a7de55f881684db5d4fdb9706a6613284e74f
SHA512

053c10234d48e0c65e9939c41f13b04709d5e26709ac3b979b9c18c5906c0cb7465165eb381684937eb9f00bc4f2ac316d5369d1b0a61d1a0f796f5eb15c94f7
SSDEEP

98304:ydGdGD0+gX2YuGjrH0f9pWZ/O4ZwWWs1M:E0zm5GHkWZHtWwM

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57d215.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d215.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID36D.tmp	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
644	MsiExec.exe

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
2440	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
396	msiexec.exe
396	msiexec.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2440	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2440	msiexec.exe
Token: SeSecurityPrivilege	396	msiexec.exe
Token: SeCreateTokenPrivilege	2440	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2440	msiexec.exe
Token: SeLockMemoryPrivilege	2440	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2440	msiexec.exe
Token: SeMachineAccountPrivilege	2440	msiexec.exe
Token: SeTcbPrivilege	2440	msiexec.exe
Token: SeSecurityPrivilege	2440	msiexec.exe
Token: SeTakeOwnershipPrivilege	2440	msiexec.exe
Token: SeLoadDriverPrivilege	2440	msiexec.exe
Token: SeSystemProfilePrivilege	2440	msiexec.exe
Token: SeSystemtimePrivilege	2440	msiexec.exe
Token: SeProfSingleProcessPrivilege	2440	msiexec.exe
Token: SeIncBasePriorityPrivilege	2440	msiexec.exe
Token: SeCreatePagefilePrivilege	2440	msiexec.exe
Token: SeCreatePermanentPrivilege	2440	msiexec.exe
Token: SeBackupPrivilege	2440	msiexec.exe
Token: SeRestorePrivilege	2440	msiexec.exe
Token: SeShutdownPrivilege	2440	msiexec.exe
Token: SeDebugPrivilege	2440	msiexec.exe
Token: SeAuditPrivilege	2440	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2440	msiexec.exe
Token: SeChangeNotifyPrivilege	2440	msiexec.exe
Token: SeRemoteShutdownPrivilege	2440	msiexec.exe
Token: SeUndockPrivilege	2440	msiexec.exe
Token: SeSyncAgentPrivilege	2440	msiexec.exe
Token: SeEnableDelegationPrivilege	2440	msiexec.exe
Token: SeManageVolumePrivilege	2440	msiexec.exe
Token: SeImpersonatePrivilege	2440	msiexec.exe
Token: SeCreateGlobalPrivilege	2440	msiexec.exe
Token: SeRestorePrivilege	396	msiexec.exe
Token: SeTakeOwnershipPrivilege	396	msiexec.exe
Token: SeRestorePrivilege	396	msiexec.exe
Token: SeTakeOwnershipPrivilege	396	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2440	msiexec.exe
2440	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 644	396	msiexec.exe	88
PID 396 wrote to memory of 644	396	msiexec.exe	88
PID 396 wrote to memory of 644	396	msiexec.exe	88

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Token.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2440

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9D1AE7A103E434C77225FB8C07EFC4AB
  2⤵
  - Loads dropped DLL
  PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSID36D.tmp

Filesize
3.0MB

MD5
1f53ff2e4c66eb7483f23bf4a04cb5e3

SHA1
2195dd6028e1f195efba5c207cc8e3be4e4522be

SHA256
ebb7deea7082ca767407b5eee10fae7a28634b85c04ac3642a3632a519233f90

SHA512
7d63fdb0ba1d9648c8204dc5516801c039bada486ce462ed3928eb6899389f974b6f5cce63ec91adb46df90120e9cb91f194b485b865cae00adac18e8ad437f6

Download Submit
memory/644-6-0x0000000010000000-0x00000000102FB000-memory.dmp

Filesize
3.0MB

Download
memory/644-8-0x00000000036A0000-0x00000000037AA000-memory.dmp

Filesize
1.0MB

Download
memory/644-9-0x00000000037C0000-0x00000000038B0000-memory.dmp

Filesize
960KB

Download
memory/644-12-0x00000000037C0000-0x00000000038B0000-memory.dmp

Filesize
960KB

Download
memory/644-11-0x00000000037C0000-0x00000000038B0000-memory.dmp

Filesize
960KB

Download
memory/644-13-0x0000000010000000-0x00000000102FB000-memory.dmp

Filesize
3.0MB

Download
memory/644-15-0x00000000037C0000-0x00000000038B0000-memory.dmp

Filesize
960KB

Download
memory/644-16-0x00000000038B0000-0x0000000003F70000-memory.dmp

Filesize
6.8MB

Download
memory/644-17-0x0000000003F70000-0x0000000004052000-memory.dmp

Filesize
904KB

Download
memory/644-18-0x0000000004070000-0x0000000004154000-memory.dmp

Filesize
912KB

Download
memory/644-21-0x0000000004070000-0x0000000004154000-memory.dmp

Filesize
912KB

Download
memory/644-22-0x0000000003280000-0x0000000003282000-memory.dmp

Filesize
8KB

Download
memory/644-23-0x0000000046DF0000-0x0000000046DF4000-memory.dmp

Filesize
16KB

Download