8b9147aeca757bc36f30e98c7481ec302d2be6de1b893a6f2ad80864f1106fb3

Resubmissions

03-08-2024 19:46

240803-yg8nestbqr 10

03-08-2024 19:44

240803-ygbcxsxhld 6

03-08-2024 19:41

240803-yd6pnaxgpa 6

Analysis

max time kernel
132s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-08-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

win-airplay/Bonjour64.msi
Size

2.6MB
MD5

8dcf5c9eaacdaf4568220d103f393dea
SHA1

27f68596398b68ba048f95752b4eeb4aa013c23f
SHA256

53be81cc6e2dc95a1041e8f3d8f500fad4259ab20a1aac151b5fc7a64d354a93
SHA512

10f8ffb6fa5e7163f0a83190ddf211479f12e16635389b49ac041eceafd7f04c040d830065adc89b1003f38d8381851c09150a5bc8edced6ecae8ee5ae801088
SSDEEP

49152:aXMDiLYLW8Rv5GYCRL69MXeixEEgj8HyvftiZikCTcRi3/jP/N/v08Masv8Qo2/:wwPR8YCRLVm

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

2 2152 msiexec.exe
3 2152 msiexec.exe
9 2152 msiexec.exe

flow	pid	process
2	2152	msiexec.exe
3	2152	msiexec.exe
9	2152	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

4052 MsiExec.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

2152 msiexec.exe

pid	process
4052	MsiExec.exe

pid	process
2152	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2152	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2152	msiexec.exe
Token: SeSecurityPrivilege	2504	msiexec.exe
Token: SeCreateTokenPrivilege	2152	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2152	msiexec.exe
Token: SeLockMemoryPrivilege	2152	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2152	msiexec.exe
Token: SeMachineAccountPrivilege	2152	msiexec.exe
Token: SeTcbPrivilege	2152	msiexec.exe
Token: SeSecurityPrivilege	2152	msiexec.exe
Token: SeTakeOwnershipPrivilege	2152	msiexec.exe
Token: SeLoadDriverPrivilege	2152	msiexec.exe
Token: SeSystemProfilePrivilege	2152	msiexec.exe
Token: SeSystemtimePrivilege	2152	msiexec.exe
Token: SeProfSingleProcessPrivilege	2152	msiexec.exe
Token: SeIncBasePriorityPrivilege	2152	msiexec.exe
Token: SeCreatePagefilePrivilege	2152	msiexec.exe
Token: SeCreatePermanentPrivilege	2152	msiexec.exe
Token: SeBackupPrivilege	2152	msiexec.exe
Token: SeRestorePrivilege	2152	msiexec.exe
Token: SeShutdownPrivilege	2152	msiexec.exe
Token: SeDebugPrivilege	2152	msiexec.exe
Token: SeAuditPrivilege	2152	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2152	msiexec.exe
Token: SeChangeNotifyPrivilege	2152	msiexec.exe
Token: SeRemoteShutdownPrivilege	2152	msiexec.exe
Token: SeUndockPrivilege	2152	msiexec.exe
Token: SeSyncAgentPrivilege	2152	msiexec.exe
Token: SeEnableDelegationPrivilege	2152	msiexec.exe
Token: SeManageVolumePrivilege	2152	msiexec.exe
Token: SeImpersonatePrivilege	2152	msiexec.exe
Token: SeCreateGlobalPrivilege	2152	msiexec.exe
Token: SeCreateTokenPrivilege	2152	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2152	msiexec.exe
Token: SeLockMemoryPrivilege	2152	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2152	msiexec.exe
Token: SeMachineAccountPrivilege	2152	msiexec.exe
Token: SeTcbPrivilege	2152	msiexec.exe
Token: SeSecurityPrivilege	2152	msiexec.exe
Token: SeTakeOwnershipPrivilege	2152	msiexec.exe
Token: SeLoadDriverPrivilege	2152	msiexec.exe
Token: SeSystemProfilePrivilege	2152	msiexec.exe
Token: SeSystemtimePrivilege	2152	msiexec.exe
Token: SeProfSingleProcessPrivilege	2152	msiexec.exe
Token: SeIncBasePriorityPrivilege	2152	msiexec.exe
Token: SeCreatePagefilePrivilege	2152	msiexec.exe
Token: SeCreatePermanentPrivilege	2152	msiexec.exe
Token: SeBackupPrivilege	2152	msiexec.exe
Token: SeRestorePrivilege	2152	msiexec.exe
Token: SeShutdownPrivilege	2152	msiexec.exe
Token: SeDebugPrivilege	2152	msiexec.exe
Token: SeAuditPrivilege	2152	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2152	msiexec.exe
Token: SeChangeNotifyPrivilege	2152	msiexec.exe
Token: SeRemoteShutdownPrivilege	2152	msiexec.exe
Token: SeUndockPrivilege	2152	msiexec.exe
Token: SeSyncAgentPrivilege	2152	msiexec.exe
Token: SeEnableDelegationPrivilege	2152	msiexec.exe
Token: SeManageVolumePrivilege	2152	msiexec.exe
Token: SeImpersonatePrivilege	2152	msiexec.exe
Token: SeCreateGlobalPrivilege	2152	msiexec.exe
Token: SeCreateTokenPrivilege	2152	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2152	msiexec.exe
Token: SeLockMemoryPrivilege	2152	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2152 msiexec.exe

pid	process
2152	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2504 wrote to memory of 4052	2504	msiexec.exe	MsiExec.exe
PID 2504 wrote to memory of 4052	2504	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\win-airplay\Bonjour64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2152

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 16BCE6AE88DEB00C2FB8DF5C32462429 C
2⤵
- Loads dropped DLL
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI84B1.tmp

Filesize
75KB

MD5
08c031fa82a09aae1079378669678fe6

SHA1
b109251d2fef08bd446be0c92369e6f11eb67093

SHA256
8764d060558a9d4ef24adb43201d5178033171a649ad497f79ce3b6cc8eda98a

SHA512
d133a7c02ee8e6e4a971ed4a6537c11cb58516a5ac0501672169805f7b97591d7cffd3a72133bd1df4b8d8a4f4965ddf324a83cd9be0d8af15e646a121e2ea4c

Download Submit