6ee98db32852a2ff31a969d918bb7c730950bb15f24ea1baf996697cebc8b9fa

Analysis

max time kernel
422s
max time network
1146s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 20:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

hamachi.msi
Size

13.7MB
MD5

909db4061c32f798e94d746717782444
SHA1

10f5ffff17d2dd4476686a941a7bcc5f9b83b1b8
SHA256

6ee98db32852a2ff31a969d918bb7c730950bb15f24ea1baf996697cebc8b9fa
SHA512

44e7f97b27aef2e4cb62a6a0ebab5033b99e1ec940f231eda416f3b68d83df81d10950a8ced2ca528024adecd1dea7e1d4427e78b111edbc0124d7ffd6c1232d
SSDEEP

196608:cp/8gF8Li2aauOgsgJ9RSfD3G43O+WFoy1jNDVxJBQHhIO4E46uVwOXsHoHybhLf:O/382agT9RK73O+kN3JSHuy46inqUMC

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	4416	msiexec.exe
7	4416	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Loads dropped DLL 2 IoCs

pid	Process
1784	MsiExec.exe
1784	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4416	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4416	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4416	msiexec.exe
Token: SeSecurityPrivilege	536	msiexec.exe
Token: SeCreateTokenPrivilege	4416	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4416	msiexec.exe
Token: SeLockMemoryPrivilege	4416	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4416	msiexec.exe
Token: SeMachineAccountPrivilege	4416	msiexec.exe
Token: SeTcbPrivilege	4416	msiexec.exe
Token: SeSecurityPrivilege	4416	msiexec.exe
Token: SeTakeOwnershipPrivilege	4416	msiexec.exe
Token: SeLoadDriverPrivilege	4416	msiexec.exe
Token: SeSystemProfilePrivilege	4416	msiexec.exe
Token: SeSystemtimePrivilege	4416	msiexec.exe
Token: SeProfSingleProcessPrivilege	4416	msiexec.exe
Token: SeIncBasePriorityPrivilege	4416	msiexec.exe
Token: SeCreatePagefilePrivilege	4416	msiexec.exe
Token: SeCreatePermanentPrivilege	4416	msiexec.exe
Token: SeBackupPrivilege	4416	msiexec.exe
Token: SeRestorePrivilege	4416	msiexec.exe
Token: SeShutdownPrivilege	4416	msiexec.exe
Token: SeDebugPrivilege	4416	msiexec.exe
Token: SeAuditPrivilege	4416	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4416	msiexec.exe
Token: SeChangeNotifyPrivilege	4416	msiexec.exe
Token: SeRemoteShutdownPrivilege	4416	msiexec.exe
Token: SeUndockPrivilege	4416	msiexec.exe
Token: SeSyncAgentPrivilege	4416	msiexec.exe
Token: SeEnableDelegationPrivilege	4416	msiexec.exe
Token: SeManageVolumePrivilege	4416	msiexec.exe
Token: SeImpersonatePrivilege	4416	msiexec.exe
Token: SeCreateGlobalPrivilege	4416	msiexec.exe
Token: SeCreateTokenPrivilege	4416	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4416	msiexec.exe
Token: SeLockMemoryPrivilege	4416	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4416	msiexec.exe
Token: SeMachineAccountPrivilege	4416	msiexec.exe
Token: SeTcbPrivilege	4416	msiexec.exe
Token: SeSecurityPrivilege	4416	msiexec.exe
Token: SeTakeOwnershipPrivilege	4416	msiexec.exe
Token: SeLoadDriverPrivilege	4416	msiexec.exe
Token: SeSystemProfilePrivilege	4416	msiexec.exe
Token: SeSystemtimePrivilege	4416	msiexec.exe
Token: SeProfSingleProcessPrivilege	4416	msiexec.exe
Token: SeIncBasePriorityPrivilege	4416	msiexec.exe
Token: SeCreatePagefilePrivilege	4416	msiexec.exe
Token: SeCreatePermanentPrivilege	4416	msiexec.exe
Token: SeBackupPrivilege	4416	msiexec.exe
Token: SeRestorePrivilege	4416	msiexec.exe
Token: SeShutdownPrivilege	4416	msiexec.exe
Token: SeDebugPrivilege	4416	msiexec.exe
Token: SeAuditPrivilege	4416	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4416	msiexec.exe
Token: SeChangeNotifyPrivilege	4416	msiexec.exe
Token: SeRemoteShutdownPrivilege	4416	msiexec.exe
Token: SeUndockPrivilege	4416	msiexec.exe
Token: SeSyncAgentPrivilege	4416	msiexec.exe
Token: SeEnableDelegationPrivilege	4416	msiexec.exe
Token: SeManageVolumePrivilege	4416	msiexec.exe
Token: SeImpersonatePrivilege	4416	msiexec.exe
Token: SeCreateGlobalPrivilege	4416	msiexec.exe
Token: SeCreateTokenPrivilege	4416	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4416	msiexec.exe
Token: SeLockMemoryPrivilege	4416	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4416	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1784	536	msiexec.exe	90
PID 536 wrote to memory of 1784	536	msiexec.exe	90
PID 536 wrote to memory of 1784	536	msiexec.exe	90

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\hamachi.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4416

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 27CE3E353EF6DEB849FD4DC8D52A6BF9 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log

Filesize
387B

MD5
364f992b68489ed6c3cb16ccaafe3fe9

SHA1
fe329ff3041d4448fa30cdafeb097d7d81d8cf98

SHA256
0fc2abd6d8bf89132484242fe3f38eef20c7ffa9fe1923607cae1c8180ff6d53

SHA512
156439accb55c574c8edb59117907d6dc6b90b46008521501fe575064a6be5ef08fde229fe8611644ffa30294a474d9a1ee0bc6d992c87673980127ed1e07c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\HamachiSetup.log

Filesize
584B

MD5
5bdabf2649d35aa94a2a32a1e9322412

SHA1
6569a9a3cfe1bb2c0fa4174ae078115cd3cb3284

SHA256
6c586e8a574607c8f3e5e194cbd36923dce108ba95224649ac8aace78c47c968

SHA512
1959b475303602de5f07b775426e7dbed88731fa63d592715a3e5e0b8d832a3af191ca1a5450f7329627fbaea185df373a6d40e7eb43c8e8a8a572ccf8f2d607

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC0CF.tmp

Filesize
2.3MB

MD5
3bc82080d6356dae779eed5135fabf66

SHA1
022c84f9cc59ec45315d78979497cd061658aba3

SHA256
b076c9b888b130fb2fb5a74542c9a73322e78ed1f3f8476be7a8209a20e56f7b

SHA512
041cd3945a22dcec792f45abc7f95b9fb7e68254948f0bfeb49de6b3501a0e13525454aa222dc4b903b3c9bafd4e0ffc2e5a99bd140238e845d3fcb7c496afbd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads